@vm0/runner 3.12.1 → 3.12.3

package/index.js

@@ -48,7 +48,9 @@ var runnerPaths = {
   /** Check if a directory name is a VM workspace */
   isVmWorkspace: (dirname) => dirname.startsWith(VM_WORKSPACE_PREFIX),
   /** Extract vmId from workspace directory name */
-  extractVmId: (dirname) => createVmId(dirname.replace(VM_WORKSPACE_PREFIX, ""))
+  extractVmId: (dirname) => createVmId(dirname.replace(VM_WORKSPACE_PREFIX, "")),
+  /** VM registry file for proxy IP → run mapping */
+  vmRegistry: (baseDir) => path.join(baseDir, "vm-registry.json")
 };
 var vmPaths = {
   /** Firecracker config file (used with --config-file) */
@@ -73,8 +75,6 @@ var snapshotOutputPaths = {
 var tempPaths = {
   /** Default proxy CA directory */
   proxyDir: `${VM0_TMP_PREFIX}-proxy`,
-  /** VM registry for proxy */
-  vmRegistry: `${VM0_TMP_PREFIX}-vm-registry.json`,
   /** Network log file for a run */
   networkLog: (runId) => `${VM0_TMP_PREFIX}-network-${runId}.jsonl`
 };
@@ -7896,10 +7896,109 @@ var secretsByNameContract = c11.router({
   }
 });
 
-// ../../packages/core/src/contracts/model-providers.ts
+// ../../packages/core/src/contracts/variables.ts
 import { z as z19 } from "zod";
 var c12 = initContract();
-var modelProviderTypeSchema = z19.enum([
+var variableNameSchema = z19.string().min(1, "Variable name is required").max(255, "Variable name must be at most 255 characters").regex(
+  /^[A-Z][A-Z0-9_]*$/,
+  "Variable name must contain only uppercase letters, numbers, and underscores, and must start with a letter (e.g., MY_VAR)"
+);
+var variableResponseSchema = z19.object({
+  id: z19.string().uuid(),
+  name: z19.string(),
+  value: z19.string(),
+  description: z19.string().nullable(),
+  createdAt: z19.string(),
+  updatedAt: z19.string()
+});
+var variableListResponseSchema = z19.object({
+  variables: z19.array(variableResponseSchema)
+});
+var setVariableRequestSchema = z19.object({
+  name: variableNameSchema,
+  value: z19.string().min(1, "Variable value is required"),
+  description: z19.string().max(1e3).optional()
+});
+var variablesMainContract = c12.router({
+  /**
+   * GET /api/variables
+   * List all variables for the current user's scope (includes values)
+   */
+  list: {
+    method: "GET",
+    path: "/api/variables",
+    headers: authHeadersSchema,
+    responses: {
+      200: variableListResponseSchema,
+      401: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "List all variables (includes values)"
+  },
+  /**
+   * PUT /api/variables
+   * Create or update a variable
+   */
+  set: {
+    method: "PUT",
+    path: "/api/variables",
+    headers: authHeadersSchema,
+    body: setVariableRequestSchema,
+    responses: {
+      200: variableResponseSchema,
+      201: variableResponseSchema,
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Create or update a variable"
+  }
+});
+var variablesByNameContract = c12.router({
+  /**
+   * GET /api/variables/:name
+   * Get a variable by name (includes value)
+   */
+  get: {
+    method: "GET",
+    path: "/api/variables/:name",
+    headers: authHeadersSchema,
+    pathParams: z19.object({
+      name: variableNameSchema
+    }),
+    responses: {
+      200: variableResponseSchema,
+      401: apiErrorSchema,
+      404: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Get variable by name"
+  },
+  /**
+   * DELETE /api/variables/:name
+   * Delete a variable by name
+   */
+  delete: {
+    method: "DELETE",
+    path: "/api/variables/:name",
+    headers: authHeadersSchema,
+    pathParams: z19.object({
+      name: variableNameSchema
+    }),
+    responses: {
+      204: c12.noBody(),
+      401: apiErrorSchema,
+      404: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Delete a variable"
+  }
+});
+
+// ../../packages/core/src/contracts/model-providers.ts
+import { z as z20 } from "zod";
+var c13 = initContract();
+var modelProviderTypeSchema = z20.enum([
   "claude-code-oauth-token",
   "anthropic-api-key",
   "openrouter-api-key",
@@ -7910,46 +8009,46 @@ var modelProviderTypeSchema = z19.enum([
   "azure-foundry",
   "aws-bedrock"
 ]);
-var modelProviderFrameworkSchema = z19.enum(["claude-code", "codex"]);
-var modelProviderResponseSchema = z19.object({
-  id: z19.string().uuid(),
+var modelProviderFrameworkSchema = z20.enum(["claude-code", "codex"]);
+var modelProviderResponseSchema = z20.object({
+  id: z20.string().uuid(),
   type: modelProviderTypeSchema,
   framework: modelProviderFrameworkSchema,
-  credentialName: z19.string().nullable(),
+  credentialName: z20.string().nullable(),
   // Legacy single-credential (deprecated for multi-auth)
-  authMethod: z19.string().nullable(),
+  authMethod: z20.string().nullable(),
   // For multi-auth providers
-  credentialNames: z19.array(z19.string()).nullable(),
+  credentialNames: z20.array(z20.string()).nullable(),
   // For multi-auth providers
-  isDefault: z19.boolean(),
-  selectedModel: z19.string().nullable(),
-  createdAt: z19.string(),
-  updatedAt: z19.string()
+  isDefault: z20.boolean(),
+  selectedModel: z20.string().nullable(),
+  createdAt: z20.string(),
+  updatedAt: z20.string()
 });
-var modelProviderListResponseSchema = z19.object({
-  modelProviders: z19.array(modelProviderResponseSchema)
+var modelProviderListResponseSchema = z20.object({
+  modelProviders: z20.array(modelProviderResponseSchema)
 });
-var upsertModelProviderRequestSchema = z19.object({
+var upsertModelProviderRequestSchema = z20.object({
   type: modelProviderTypeSchema,
-  credential: z19.string().min(1).optional(),
+  credential: z20.string().min(1).optional(),
   // Legacy single credential
-  authMethod: z19.string().optional(),
+  authMethod: z20.string().optional(),
   // For multi-auth providers
-  credentials: z19.record(z19.string(), z19.string()).optional(),
+  credentials: z20.record(z20.string(), z20.string()).optional(),
   // For multi-auth providers
-  convert: z19.boolean().optional(),
-  selectedModel: z19.string().optional()
+  convert: z20.boolean().optional(),
+  selectedModel: z20.string().optional()
 });
-var upsertModelProviderResponseSchema = z19.object({
+var upsertModelProviderResponseSchema = z20.object({
   provider: modelProviderResponseSchema,
-  created: z19.boolean()
+  created: z20.boolean()
 });
-var checkCredentialResponseSchema = z19.object({
-  exists: z19.boolean(),
-  credentialName: z19.string(),
-  currentType: z19.enum(["user", "model-provider"]).optional()
+var checkCredentialResponseSchema = z20.object({
+  exists: z20.boolean(),
+  credentialName: z20.string(),
+  currentType: z20.enum(["user", "model-provider"]).optional()
 });
-var modelProvidersMainContract = c12.router({
+var modelProvidersMainContract = c13.router({
   list: {
     method: "GET",
     path: "/api/model-providers",
@@ -7977,12 +8076,12 @@ var modelProvidersMainContract = c12.router({
     summary: "Create or update a model provider"
   }
 });
-var modelProvidersCheckContract = c12.router({
+var modelProvidersCheckContract = c13.router({
   check: {
     method: "GET",
     path: "/api/model-providers/check/:type",
     headers: authHeadersSchema,
-    pathParams: z19.object({
+    pathParams: z20.object({
       type: modelProviderTypeSchema
     }),
     responses: {
@@ -7993,16 +8092,16 @@ var modelProvidersCheckContract = c12.router({
     summary: "Check if credential exists for a model provider type"
   }
 });
-var modelProvidersByTypeContract = c12.router({
+var modelProvidersByTypeContract = c13.router({
   delete: {
     method: "DELETE",
     path: "/api/model-providers/:type",
     headers: authHeadersSchema,
-    pathParams: z19.object({
+    pathParams: z20.object({
       type: modelProviderTypeSchema
     }),
     responses: {
-      204: c12.noBody(),
+      204: c13.noBody(),
       401: apiErrorSchema,
       404: apiErrorSchema,
       500: apiErrorSchema
@@ -8010,15 +8109,15 @@ var modelProvidersByTypeContract = c12.router({
     summary: "Delete a model provider"
   }
 });
-var modelProvidersConvertContract = c12.router({
+var modelProvidersConvertContract = c13.router({
   convert: {
     method: "POST",
     path: "/api/model-providers/:type/convert",
     headers: authHeadersSchema,
-    pathParams: z19.object({
+    pathParams: z20.object({
       type: modelProviderTypeSchema
     }),
-    body: z19.undefined(),
+    body: z20.undefined(),
     responses: {
       200: modelProviderResponseSchema,
       400: apiErrorSchema,
@@ -8029,15 +8128,15 @@ var modelProvidersConvertContract = c12.router({
     summary: "Convert existing user credential to model provider"
   }
 });
-var modelProvidersSetDefaultContract = c12.router({
+var modelProvidersSetDefaultContract = c13.router({
   setDefault: {
     method: "POST",
     path: "/api/model-providers/:type/set-default",
     headers: authHeadersSchema,
-    pathParams: z19.object({
+    pathParams: z20.object({
       type: modelProviderTypeSchema
     }),
-    body: z19.undefined(),
+    body: z20.undefined(),
     responses: {
       200: modelProviderResponseSchema,
       401: apiErrorSchema,
@@ -8047,15 +8146,15 @@ var modelProvidersSetDefaultContract = c12.router({
     summary: "Set a model provider as default for its framework"
   }
 });
-var updateModelRequestSchema = z19.object({
-  selectedModel: z19.string().optional()
+var updateModelRequestSchema = z20.object({
+  selectedModel: z20.string().optional()
 });
-var modelProvidersUpdateModelContract = c12.router({
+var modelProvidersUpdateModelContract = c13.router({
   updateModel: {
     method: "PATCH",
     path: "/api/model-providers/:type/model",
     headers: authHeadersSchema,
-    pathParams: z19.object({
+    pathParams: z20.object({
       type: modelProviderTypeSchema
     }),
     body: updateModelRequestSchema,
@@ -8070,42 +8169,42 @@ var modelProvidersUpdateModelContract = c12.router({
 });
 
 // ../../packages/core/src/contracts/sessions.ts
-import { z as z20 } from "zod";
-var c13 = initContract();
-var sessionResponseSchema = z20.object({
-  id: z20.string(),
-  agentComposeId: z20.string(),
-  agentComposeVersionId: z20.string().nullable(),
-  conversationId: z20.string().nullable(),
-  artifactName: z20.string().nullable(),
-  vars: z20.record(z20.string(), z20.string()).nullable(),
-  secretNames: z20.array(z20.string()).nullable(),
-  volumeVersions: z20.record(z20.string(), z20.string()).nullable(),
-  createdAt: z20.string(),
-  updatedAt: z20.string()
+import { z as z21 } from "zod";
+var c14 = initContract();
+var sessionResponseSchema = z21.object({
+  id: z21.string(),
+  agentComposeId: z21.string(),
+  agentComposeVersionId: z21.string().nullable(),
+  conversationId: z21.string().nullable(),
+  artifactName: z21.string().nullable(),
+  vars: z21.record(z21.string(), z21.string()).nullable(),
+  secretNames: z21.array(z21.string()).nullable(),
+  volumeVersions: z21.record(z21.string(), z21.string()).nullable(),
+  createdAt: z21.string(),
+  updatedAt: z21.string()
 });
-var agentComposeSnapshotSchema = z20.object({
-  agentComposeVersionId: z20.string(),
-  vars: z20.record(z20.string(), z20.string()).optional(),
-  secretNames: z20.array(z20.string()).optional()
+var agentComposeSnapshotSchema = z21.object({
+  agentComposeVersionId: z21.string(),
+  vars: z21.record(z21.string(), z21.string()).optional(),
+  secretNames: z21.array(z21.string()).optional()
 });
-var artifactSnapshotSchema2 = z20.object({
-  artifactName: z20.string(),
-  artifactVersion: z20.string()
+var artifactSnapshotSchema2 = z21.object({
+  artifactName: z21.string(),
+  artifactVersion: z21.string()
 });
-var volumeVersionsSnapshotSchema2 = z20.object({
-  versions: z20.record(z20.string(), z20.string())
+var volumeVersionsSnapshotSchema2 = z21.object({
+  versions: z21.record(z21.string(), z21.string())
 });
-var checkpointResponseSchema = z20.object({
-  id: z20.string(),
-  runId: z20.string(),
-  conversationId: z20.string(),
+var checkpointResponseSchema = z21.object({
+  id: z21.string(),
+  runId: z21.string(),
+  conversationId: z21.string(),
   agentComposeSnapshot: agentComposeSnapshotSchema,
   artifactSnapshot: artifactSnapshotSchema2.nullable(),
   volumeVersionsSnapshot: volumeVersionsSnapshotSchema2.nullable(),
-  createdAt: z20.string()
+  createdAt: z21.string()
 });
-var sessionsByIdContract = c13.router({
+var sessionsByIdContract = c14.router({
   /**
    * GET /api/agent/sessions/:id
    * Get session by ID
@@ -8114,8 +8213,8 @@ var sessionsByIdContract = c13.router({
     method: "GET",
     path: "/api/agent/sessions/:id",
     headers: authHeadersSchema,
-    pathParams: z20.object({
-      id: z20.string().min(1, "Session ID is required")
+    pathParams: z21.object({
+      id: z21.string().min(1, "Session ID is required")
     }),
     responses: {
       200: sessionResponseSchema,
@@ -8126,7 +8225,7 @@ var sessionsByIdContract = c13.router({
     summary: "Get session by ID"
   }
 });
-var checkpointsByIdContract = c13.router({
+var checkpointsByIdContract = c14.router({
   /**
    * GET /api/agent/checkpoints/:id
    * Get checkpoint by ID
@@ -8135,8 +8234,8 @@ var checkpointsByIdContract = c13.router({
     method: "GET",
     path: "/api/agent/checkpoints/:id",
     headers: authHeadersSchema,
-    pathParams: z20.object({
-      id: z20.string().min(1, "Checkpoint ID is required")
+    pathParams: z21.object({
+      id: z21.string().min(1, "Checkpoint ID is required")
     }),
     responses: {
       200: checkpointResponseSchema,
@@ -8149,93 +8248,93 @@ var checkpointsByIdContract = c13.router({
 });
 
 // ../../packages/core/src/contracts/schedules.ts
-import { z as z21 } from "zod";
-var c14 = initContract();
-var scheduleTriggerSchema = z21.object({
-  cron: z21.string().optional(),
-  at: z21.string().optional(),
-  timezone: z21.string().default("UTC")
+import { z as z22 } from "zod";
+var c15 = initContract();
+var scheduleTriggerSchema = z22.object({
+  cron: z22.string().optional(),
+  at: z22.string().optional(),
+  timezone: z22.string().default("UTC")
 }).refine((data) => data.cron && !data.at || !data.cron && data.at, {
   message: "Exactly one of 'cron' or 'at' must be specified"
 });
-var scheduleRunConfigSchema = z21.object({
-  agent: z21.string().min(1, "Agent reference required"),
-  prompt: z21.string().min(1, "Prompt required"),
-  vars: z21.record(z21.string(), z21.string()).optional(),
-  secrets: z21.record(z21.string(), z21.string()).optional(),
-  artifactName: z21.string().optional(),
-  artifactVersion: z21.string().optional(),
-  volumeVersions: z21.record(z21.string(), z21.string()).optional()
+var scheduleRunConfigSchema = z22.object({
+  agent: z22.string().min(1, "Agent reference required"),
+  prompt: z22.string().min(1, "Prompt required"),
+  vars: z22.record(z22.string(), z22.string()).optional(),
+  secrets: z22.record(z22.string(), z22.string()).optional(),
+  artifactName: z22.string().optional(),
+  artifactVersion: z22.string().optional(),
+  volumeVersions: z22.record(z22.string(), z22.string()).optional()
 });
-var scheduleDefinitionSchema = z21.object({
+var scheduleDefinitionSchema = z22.object({
   on: scheduleTriggerSchema,
   run: scheduleRunConfigSchema
 });
-var scheduleYamlSchema = z21.object({
-  version: z21.literal("1.0"),
-  schedules: z21.record(z21.string(), scheduleDefinitionSchema)
-});
-var deployScheduleRequestSchema = z21.object({
-  name: z21.string().min(1).max(64, "Schedule name max 64 chars"),
-  cronExpression: z21.string().optional(),
-  atTime: z21.string().optional(),
-  timezone: z21.string().default("UTC"),
-  prompt: z21.string().min(1, "Prompt required"),
-  vars: z21.record(z21.string(), z21.string()).optional(),
-  secrets: z21.record(z21.string(), z21.string()).optional(),
-  artifactName: z21.string().optional(),
-  artifactVersion: z21.string().optional(),
-  volumeVersions: z21.record(z21.string(), z21.string()).optional(),
+var scheduleYamlSchema = z22.object({
+  version: z22.literal("1.0"),
+  schedules: z22.record(z22.string(), scheduleDefinitionSchema)
+});
+var deployScheduleRequestSchema = z22.object({
+  name: z22.string().min(1).max(64, "Schedule name max 64 chars"),
+  cronExpression: z22.string().optional(),
+  atTime: z22.string().optional(),
+  timezone: z22.string().default("UTC"),
+  prompt: z22.string().min(1, "Prompt required"),
+  vars: z22.record(z22.string(), z22.string()).optional(),
+  secrets: z22.record(z22.string(), z22.string()).optional(),
+  artifactName: z22.string().optional(),
+  artifactVersion: z22.string().optional(),
+  volumeVersions: z22.record(z22.string(), z22.string()).optional(),
   // Resolved agent compose ID (CLI resolves scope/name:version → composeId)
-  composeId: z21.string().uuid("Invalid compose ID")
+  composeId: z22.string().uuid("Invalid compose ID")
 }).refine(
   (data) => data.cronExpression && !data.atTime || !data.cronExpression && data.atTime,
   {
     message: "Exactly one of 'cronExpression' or 'atTime' must be specified"
   }
 );
-var scheduleResponseSchema = z21.object({
-  id: z21.string().uuid(),
-  composeId: z21.string().uuid(),
-  composeName: z21.string(),
-  scopeSlug: z21.string(),
-  name: z21.string(),
-  cronExpression: z21.string().nullable(),
-  atTime: z21.string().nullable(),
-  timezone: z21.string(),
-  prompt: z21.string(),
-  vars: z21.record(z21.string(), z21.string()).nullable(),
+var scheduleResponseSchema = z22.object({
+  id: z22.string().uuid(),
+  composeId: z22.string().uuid(),
+  composeName: z22.string(),
+  scopeSlug: z22.string(),
+  name: z22.string(),
+  cronExpression: z22.string().nullable(),
+  atTime: z22.string().nullable(),
+  timezone: z22.string(),
+  prompt: z22.string(),
+  vars: z22.record(z22.string(), z22.string()).nullable(),
   // Secret names only (values are never returned)
-  secretNames: z21.array(z21.string()).nullable(),
-  artifactName: z21.string().nullable(),
-  artifactVersion: z21.string().nullable(),
-  volumeVersions: z21.record(z21.string(), z21.string()).nullable(),
-  enabled: z21.boolean(),
-  nextRunAt: z21.string().nullable(),
-  lastRunAt: z21.string().nullable(),
-  retryStartedAt: z21.string().nullable(),
-  createdAt: z21.string(),
-  updatedAt: z21.string()
-});
-var runSummarySchema = z21.object({
-  id: z21.string().uuid(),
-  status: z21.enum(["pending", "running", "completed", "failed", "timeout"]),
-  createdAt: z21.string(),
-  completedAt: z21.string().nullable(),
-  error: z21.string().nullable()
-});
-var scheduleRunsResponseSchema = z21.object({
-  runs: z21.array(runSummarySchema)
-});
-var scheduleListResponseSchema = z21.object({
-  schedules: z21.array(scheduleResponseSchema)
-});
-var deployScheduleResponseSchema = z21.object({
+  secretNames: z22.array(z22.string()).nullable(),
+  artifactName: z22.string().nullable(),
+  artifactVersion: z22.string().nullable(),
+  volumeVersions: z22.record(z22.string(), z22.string()).nullable(),
+  enabled: z22.boolean(),
+  nextRunAt: z22.string().nullable(),
+  lastRunAt: z22.string().nullable(),
+  retryStartedAt: z22.string().nullable(),
+  createdAt: z22.string(),
+  updatedAt: z22.string()
+});
+var runSummarySchema = z22.object({
+  id: z22.string().uuid(),
+  status: z22.enum(["pending", "running", "completed", "failed", "timeout"]),
+  createdAt: z22.string(),
+  completedAt: z22.string().nullable(),
+  error: z22.string().nullable()
+});
+var scheduleRunsResponseSchema = z22.object({
+  runs: z22.array(runSummarySchema)
+});
+var scheduleListResponseSchema = z22.object({
+  schedules: z22.array(scheduleResponseSchema)
+});
+var deployScheduleResponseSchema = z22.object({
   schedule: scheduleResponseSchema,
-  created: z21.boolean()
+  created: z22.boolean()
   // true if created, false if updated
 });
-var schedulesMainContract = c14.router({
+var schedulesMainContract = c15.router({
   /**
    * POST /api/agent/schedules
    * Deploy (create or update) a schedule
@@ -8273,7 +8372,7 @@ var schedulesMainContract = c14.router({
     summary: "List all schedules"
   }
 });
-var schedulesByNameContract = c14.router({
+var schedulesByNameContract = c15.router({
   /**
    * GET /api/agent/schedules/:name
    * Get schedule by name
@@ -8282,11 +8381,11 @@ var schedulesByNameContract = c14.router({
     method: "GET",
     path: "/api/agent/schedules/:name",
     headers: authHeadersSchema,
-    pathParams: z21.object({
-      name: z21.string().min(1, "Schedule name required")
+    pathParams: z22.object({
+      name: z22.string().min(1, "Schedule name required")
     }),
-    query: z21.object({
-      composeId: z21.string().uuid("Compose ID required")
+    query: z22.object({
+      composeId: z22.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -8303,21 +8402,21 @@ var schedulesByNameContract = c14.router({
     method: "DELETE",
     path: "/api/agent/schedules/:name",
     headers: authHeadersSchema,
-    pathParams: z21.object({
-      name: z21.string().min(1, "Schedule name required")
+    pathParams: z22.object({
+      name: z22.string().min(1, "Schedule name required")
     }),
-    query: z21.object({
-      composeId: z21.string().uuid("Compose ID required")
+    query: z22.object({
+      composeId: z22.string().uuid("Compose ID required")
     }),
     responses: {
-      204: c14.noBody(),
+      204: c15.noBody(),
       401: apiErrorSchema,
       404: apiErrorSchema
     },
     summary: "Delete schedule"
   }
 });
-var schedulesEnableContract = c14.router({
+var schedulesEnableContract = c15.router({
   /**
    * POST /api/agent/schedules/:name/enable
    * Enable a disabled schedule
@@ -8326,11 +8425,11 @@ var schedulesEnableContract = c14.router({
     method: "POST",
     path: "/api/agent/schedules/:name/enable",
     headers: authHeadersSchema,
-    pathParams: z21.object({
-      name: z21.string().min(1, "Schedule name required")
+    pathParams: z22.object({
+      name: z22.string().min(1, "Schedule name required")
     }),
-    body: z21.object({
-      composeId: z21.string().uuid("Compose ID required")
+    body: z22.object({
+      composeId: z22.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -8347,11 +8446,11 @@ var schedulesEnableContract = c14.router({
     method: "POST",
     path: "/api/agent/schedules/:name/disable",
     headers: authHeadersSchema,
-    pathParams: z21.object({
-      name: z21.string().min(1, "Schedule name required")
+    pathParams: z22.object({
+      name: z22.string().min(1, "Schedule name required")
     }),
-    body: z21.object({
-      composeId: z21.string().uuid("Compose ID required")
+    body: z22.object({
+      composeId: z22.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -8361,7 +8460,7 @@ var schedulesEnableContract = c14.router({
     summary: "Disable schedule"
   }
 });
-var scheduleRunsContract = c14.router({
+var scheduleRunsContract = c15.router({
   /**
    * GET /api/agent/schedules/:name/runs
    * List recent runs for a schedule
@@ -8370,12 +8469,12 @@ var scheduleRunsContract = c14.router({
     method: "GET",
     path: "/api/agent/schedules/:name/runs",
     headers: authHeadersSchema,
-    pathParams: z21.object({
-      name: z21.string().min(1, "Schedule name required")
+    pathParams: z22.object({
+      name: z22.string().min(1, "Schedule name required")
     }),
-    query: z21.object({
-      composeId: z21.string().uuid("Compose ID required"),
-      limit: z21.coerce.number().min(0).max(100).default(5)
+    query: z22.object({
+      composeId: z22.string().uuid("Compose ID required"),
+      limit: z22.coerce.number().min(0).max(100).default(5)
     }),
     responses: {
       200: scheduleRunsResponseSchema,
@@ -8387,18 +8486,18 @@ var scheduleRunsContract = c14.router({
 });
 
 // ../../packages/core/src/contracts/realtime.ts
-import { z as z22 } from "zod";
-var c15 = initContract();
-var ablyTokenRequestSchema = z22.object({
-  keyName: z22.string(),
-  ttl: z22.number().optional(),
-  timestamp: z22.number(),
-  capability: z22.string(),
-  clientId: z22.string().optional(),
-  nonce: z22.string(),
-  mac: z22.string()
+import { z as z23 } from "zod";
+var c16 = initContract();
+var ablyTokenRequestSchema = z23.object({
+  keyName: z23.string(),
+  ttl: z23.number().optional(),
+  timestamp: z23.number(),
+  capability: z23.string(),
+  clientId: z23.string().optional(),
+  nonce: z23.string(),
+  mac: z23.string()
 });
-var realtimeTokenContract = c15.router({
+var realtimeTokenContract = c16.router({
   /**
    * POST /api/realtime/token
    * Get an Ably token to subscribe to a run's events channel
@@ -8407,8 +8506,8 @@ var realtimeTokenContract = c15.router({
     method: "POST",
     path: "/api/realtime/token",
     headers: authHeadersSchema,
-    body: z22.object({
-      runId: z22.string().uuid("runId must be a valid UUID")
+    body: z23.object({
+      runId: z23.string().uuid("runId must be a valid UUID")
     }),
     responses: {
       200: ablyTokenRequestSchema,
@@ -8420,7 +8519,7 @@ var realtimeTokenContract = c15.router({
     summary: "Get Ably token for run event subscription"
   }
 });
-var runnerRealtimeTokenContract = c15.router({
+var runnerRealtimeTokenContract = c16.router({
   /**
    * POST /api/runners/realtime/token
    * Get an Ably token to subscribe to a runner group's job notification channel
@@ -8429,7 +8528,7 @@ var runnerRealtimeTokenContract = c15.router({
     method: "POST",
     path: "/api/runners/realtime/token",
     headers: authHeadersSchema,
-    body: z22.object({
+    body: z23.object({
       group: runnerGroupSchema
     }),
     responses: {
@@ -8443,11 +8542,11 @@ var runnerRealtimeTokenContract = c15.router({
 });
 
 // ../../packages/core/src/contracts/platform.ts
-import { z as z24 } from "zod";
+import { z as z25 } from "zod";
 
 // ../../packages/core/src/contracts/public/common.ts
-import { z as z23 } from "zod";
-var publicApiErrorTypeSchema = z23.enum([
+import { z as z24 } from "zod";
+var publicApiErrorTypeSchema = z24.enum([
   "api_error",
   // Internal server error (5xx)
   "invalid_request_error",
@@ -8461,40 +8560,40 @@ var publicApiErrorTypeSchema = z23.enum([
   "rate_limit_error"
   // Rate limit exceeded (429)
 ]);
-var publicApiErrorSchema = z23.object({
-  error: z23.object({
+var publicApiErrorSchema = z24.object({
+  error: z24.object({
     type: publicApiErrorTypeSchema,
-    code: z23.string(),
-    message: z23.string(),
-    param: z23.string().optional(),
-    docUrl: z23.string().url().optional()
+    code: z24.string(),
+    message: z24.string(),
+    param: z24.string().optional(),
+    docUrl: z24.string().url().optional()
   })
 });
-var paginationSchema = z23.object({
-  hasMore: z23.boolean(),
-  nextCursor: z23.string().nullable()
+var paginationSchema = z24.object({
+  hasMore: z24.boolean(),
+  nextCursor: z24.string().nullable()
 });
 function createPaginatedResponseSchema(dataSchema) {
-  return z23.object({
-    data: z23.array(dataSchema),
+  return z24.object({
+    data: z24.array(dataSchema),
     pagination: paginationSchema
   });
 }
-var listQuerySchema = z23.object({
-  cursor: z23.string().optional(),
-  limit: z23.coerce.number().min(1).max(100).default(20)
+var listQuerySchema = z24.object({
+  cursor: z24.string().optional(),
+  limit: z24.coerce.number().min(1).max(100).default(20)
 });
-var requestIdSchema = z23.string().uuid();
-var timestampSchema = z23.string().datetime();
+var requestIdSchema = z24.string().uuid();
+var timestampSchema = z24.string().datetime();
 
 // ../../packages/core/src/contracts/platform.ts
-var c16 = initContract();
-var platformPaginationSchema = z24.object({
-  hasMore: z24.boolean(),
-  nextCursor: z24.string().nullable(),
-  totalPages: z24.number()
+var c17 = initContract();
+var platformPaginationSchema = z25.object({
+  hasMore: z25.boolean(),
+  nextCursor: z25.string().nullable(),
+  totalPages: z25.number()
 });
-var platformLogStatusSchema = z24.enum([
+var platformLogStatusSchema = z25.enum([
   "pending",
   "running",
   "completed",
@@ -8502,41 +8601,41 @@ var platformLogStatusSchema = z24.enum([
   "timeout",
   "cancelled"
 ]);
-var platformLogEntrySchema = z24.object({
-  id: z24.string().uuid(),
-  sessionId: z24.string().nullable(),
-  agentName: z24.string(),
-  framework: z24.string().nullable(),
+var platformLogEntrySchema = z25.object({
+  id: z25.string().uuid(),
+  sessionId: z25.string().nullable(),
+  agentName: z25.string(),
+  framework: z25.string().nullable(),
   status: platformLogStatusSchema,
-  createdAt: z24.string()
+  createdAt: z25.string()
 });
-var platformLogsListResponseSchema = z24.object({
-  data: z24.array(platformLogEntrySchema),
+var platformLogsListResponseSchema = z25.object({
+  data: z25.array(platformLogEntrySchema),
   pagination: platformPaginationSchema
 });
-var artifactSchema = z24.object({
-  name: z24.string().nullable(),
-  version: z24.string().nullable()
+var artifactSchema = z25.object({
+  name: z25.string().nullable(),
+  version: z25.string().nullable()
 });
-var platformLogDetailSchema = z24.object({
-  id: z24.string().uuid(),
-  sessionId: z24.string().nullable(),
-  agentName: z24.string(),
-  framework: z24.string().nullable(),
+var platformLogDetailSchema = z25.object({
+  id: z25.string().uuid(),
+  sessionId: z25.string().nullable(),
+  agentName: z25.string(),
+  framework: z25.string().nullable(),
   status: platformLogStatusSchema,
-  prompt: z24.string(),
-  error: z24.string().nullable(),
-  createdAt: z24.string(),
-  startedAt: z24.string().nullable(),
-  completedAt: z24.string().nullable(),
+  prompt: z25.string(),
+  error: z25.string().nullable(),
+  createdAt: z25.string(),
+  startedAt: z25.string().nullable(),
+  completedAt: z25.string().nullable(),
   artifact: artifactSchema
 });
-var platformLogsListContract = c16.router({
+var platformLogsListContract = c17.router({
   list: {
     method: "GET",
     path: "/api/platform/logs",
     query: listQuerySchema.extend({
-      search: z24.string().optional()
+      search: z25.string().optional()
     }),
     responses: {
       200: platformLogsListResponseSchema,
@@ -8545,12 +8644,12 @@ var platformLogsListContract = c16.router({
     summary: "List agent run logs with pagination"
   }
 });
-var platformLogsByIdContract = c16.router({
+var platformLogsByIdContract = c17.router({
   getById: {
     method: "GET",
     path: "/api/platform/logs/:id",
-    pathParams: z24.object({
-      id: z24.string().uuid("Invalid log ID")
+    pathParams: z25.object({
+      id: z25.string().uuid("Invalid log ID")
     }),
     responses: {
       200: platformLogDetailSchema,
@@ -8560,17 +8659,17 @@ var platformLogsByIdContract = c16.router({
     summary: "Get agent run log details by ID"
   }
 });
-var artifactDownloadResponseSchema = z24.object({
-  url: z24.string().url(),
-  expiresAt: z24.string()
+var artifactDownloadResponseSchema = z25.object({
+  url: z25.string().url(),
+  expiresAt: z25.string()
 });
-var platformArtifactDownloadContract = c16.router({
+var platformArtifactDownloadContract = c17.router({
   getDownloadUrl: {
     method: "GET",
     path: "/api/platform/artifacts/download",
-    query: z24.object({
-      name: z24.string().min(1, "Artifact name is required"),
-      version: z24.string().optional()
+    query: z25.object({
+      name: z25.string().min(1, "Artifact name is required"),
+      version: z25.string().optional()
     }),
     responses: {
       200: artifactDownloadResponseSchema,
@@ -8582,29 +8681,29 @@ var platformArtifactDownloadContract = c16.router({
 });
 
 // ../../packages/core/src/contracts/llm.ts
-import { z as z25 } from "zod";
-var c17 = initContract();
-var messageRoleSchema = z25.enum(["user", "assistant", "system"]);
-var chatMessageSchema = z25.object({
+import { z as z26 } from "zod";
+var c18 = initContract();
+var messageRoleSchema = z26.enum(["user", "assistant", "system"]);
+var chatMessageSchema = z26.object({
   role: messageRoleSchema,
-  content: z25.string()
+  content: z26.string()
 });
-var tokenUsageSchema = z25.object({
-  promptTokens: z25.number(),
-  completionTokens: z25.number(),
-  totalTokens: z25.number()
+var tokenUsageSchema = z26.object({
+  promptTokens: z26.number(),
+  completionTokens: z26.number(),
+  totalTokens: z26.number()
 });
-var llmChatRequestSchema = z25.object({
-  model: z25.string().min(1).optional(),
-  messages: z25.array(chatMessageSchema).min(1, "At least one message is required"),
-  stream: z25.boolean().optional().default(false)
+var llmChatRequestSchema = z26.object({
+  model: z26.string().min(1).optional(),
+  messages: z26.array(chatMessageSchema).min(1, "At least one message is required"),
+  stream: z26.boolean().optional().default(false)
 });
-var llmChatResponseSchema = z25.object({
-  content: z25.string(),
-  model: z25.string(),
+var llmChatResponseSchema = z26.object({
+  content: z26.string(),
+  model: z26.string(),
   usage: tokenUsageSchema
 });
-var llmChatContract = c17.router({
+var llmChatContract = c18.router({
   chat: {
     method: "POST",
     path: "/api/llm/chat",
@@ -8620,28 +8719,28 @@ var llmChatContract = c17.router({
 });
 
 // ../../packages/core/src/contracts/public/agents.ts
-import { z as z26 } from "zod";
-var c18 = initContract();
-var publicAgentSchema = z26.object({
-  id: z26.string(),
-  name: z26.string(),
-  currentVersionId: z26.string().nullable(),
+import { z as z27 } from "zod";
+var c19 = initContract();
+var publicAgentSchema = z27.object({
+  id: z27.string(),
+  name: z27.string(),
+  currentVersionId: z27.string().nullable(),
   createdAt: timestampSchema,
   updatedAt: timestampSchema
 });
-var agentVersionSchema = z26.object({
-  id: z26.string(),
-  agentId: z26.string(),
-  versionNumber: z26.number(),
+var agentVersionSchema = z27.object({
+  id: z27.string(),
+  agentId: z27.string(),
+  versionNumber: z27.number(),
   createdAt: timestampSchema
 });
 var publicAgentDetailSchema = publicAgentSchema;
 var paginatedAgentsSchema = createPaginatedResponseSchema(publicAgentSchema);
 var paginatedAgentVersionsSchema = createPaginatedResponseSchema(agentVersionSchema);
 var agentListQuerySchema = listQuerySchema.extend({
-  name: z26.string().optional()
+  name: z27.string().optional()
 });
-var publicAgentsListContract = c18.router({
+var publicAgentsListContract = c19.router({
   list: {
     method: "GET",
     path: "/v1/agents",
@@ -8656,13 +8755,13 @@ var publicAgentsListContract = c18.router({
     description: "List all agents in the current scope with pagination. Use the `name` query parameter to filter by agent name."
   }
 });
-var publicAgentByIdContract = c18.router({
+var publicAgentByIdContract = c19.router({
   get: {
     method: "GET",
     path: "/v1/agents/:id",
     headers: authHeadersSchema,
-    pathParams: z26.object({
-      id: z26.string().min(1, "Agent ID is required")
+    pathParams: z27.object({
+      id: z27.string().min(1, "Agent ID is required")
     }),
     responses: {
       200: publicAgentDetailSchema,
@@ -8674,13 +8773,13 @@ var publicAgentByIdContract = c18.router({
     description: "Get agent details by ID"
   }
 });
-var publicAgentVersionsContract = c18.router({
+var publicAgentVersionsContract = c19.router({
   list: {
     method: "GET",
     path: "/v1/agents/:id/versions",
     headers: authHeadersSchema,
-    pathParams: z26.object({
-      id: z26.string().min(1, "Agent ID is required")
+    pathParams: z27.object({
+      id: z27.string().min(1, "Agent ID is required")
     }),
     query: listQuerySchema,
     responses: {
@@ -8695,9 +8794,9 @@ var publicAgentVersionsContract = c18.router({
 });
 
 // ../../packages/core/src/contracts/public/runs.ts
-import { z as z27 } from "zod";
-var c19 = initContract();
-var publicRunStatusSchema = z27.enum([
+import { z as z28 } from "zod";
+var c20 = initContract();
+var publicRunStatusSchema = z28.enum([
   "pending",
   "running",
   "completed",
@@ -8705,54 +8804,54 @@ var publicRunStatusSchema = z27.enum([
   "timeout",
   "cancelled"
 ]);
-var publicRunSchema = z27.object({
-  id: z27.string(),
-  agentId: z27.string(),
-  agentName: z27.string(),
+var publicRunSchema = z28.object({
+  id: z28.string(),
+  agentId: z28.string(),
+  agentName: z28.string(),
   status: publicRunStatusSchema,
-  prompt: z27.string(),
+  prompt: z28.string(),
   createdAt: timestampSchema,
   startedAt: timestampSchema.nullable(),
   completedAt: timestampSchema.nullable()
 });
 var publicRunDetailSchema = publicRunSchema.extend({
-  error: z27.string().nullable(),
-  executionTimeMs: z27.number().nullable(),
-  checkpointId: z27.string().nullable(),
-  sessionId: z27.string().nullable(),
-  artifactName: z27.string().nullable(),
-  artifactVersion: z27.string().nullable(),
-  volumes: z27.record(z27.string(), z27.string()).optional()
+  error: z28.string().nullable(),
+  executionTimeMs: z28.number().nullable(),
+  checkpointId: z28.string().nullable(),
+  sessionId: z28.string().nullable(),
+  artifactName: z28.string().nullable(),
+  artifactVersion: z28.string().nullable(),
+  volumes: z28.record(z28.string(), z28.string()).optional()
 });
 var paginatedRunsSchema = createPaginatedResponseSchema(publicRunSchema);
-var createRunRequestSchema = z27.object({
+var createRunRequestSchema = z28.object({
   // Agent identification (one of: agent, agentId, sessionId, checkpointId)
-  agent: z27.string().optional(),
+  agent: z28.string().optional(),
   // Agent name
-  agentId: z27.string().optional(),
+  agentId: z28.string().optional(),
   // Agent ID
-  agentVersion: z27.string().optional(),
+  agentVersion: z28.string().optional(),
   // Version specifier (e.g., "latest", "v1", specific ID)
   // Continue session
-  sessionId: z27.string().optional(),
+  sessionId: z28.string().optional(),
   // Resume from checkpoint
-  checkpointId: z27.string().optional(),
+  checkpointId: z28.string().optional(),
   // Required
-  prompt: z27.string().min(1, "Prompt is required"),
+  prompt: z28.string().min(1, "Prompt is required"),
   // Optional configuration
-  variables: z27.record(z27.string(), z27.string()).optional(),
-  secrets: z27.record(z27.string(), z27.string()).optional(),
-  artifactName: z27.string().optional(),
+  variables: z28.record(z28.string(), z28.string()).optional(),
+  secrets: z28.record(z28.string(), z28.string()).optional(),
+  artifactName: z28.string().optional(),
   // Artifact name to mount
-  artifactVersion: z27.string().optional(),
+  artifactVersion: z28.string().optional(),
   // Artifact version (defaults to latest)
-  volumes: z27.record(z27.string(), z27.string()).optional()
+  volumes: z28.record(z28.string(), z28.string()).optional()
   // volume_name -> version
 });
 var runListQuerySchema = listQuerySchema.extend({
   status: publicRunStatusSchema.optional()
 });
-var publicRunsListContract = c19.router({
+var publicRunsListContract = c20.router({
   list: {
     method: "GET",
     path: "/v1/runs",
@@ -8784,13 +8883,13 @@ var publicRunsListContract = c19.router({
     description: "Create and execute a new agent run. Returns 202 Accepted as runs execute asynchronously."
   }
 });
-var publicRunByIdContract = c19.router({
+var publicRunByIdContract = c20.router({
   get: {
     method: "GET",
     path: "/v1/runs/:id",
     headers: authHeadersSchema,
-    pathParams: z27.object({
-      id: z27.string().min(1, "Run ID is required")
+    pathParams: z28.object({
+      id: z28.string().min(1, "Run ID is required")
     }),
     responses: {
       200: publicRunDetailSchema,
@@ -8802,15 +8901,15 @@ var publicRunByIdContract = c19.router({
     description: "Get run details by ID"
   }
 });
-var publicRunCancelContract = c19.router({
+var publicRunCancelContract = c20.router({
   cancel: {
     method: "POST",
     path: "/v1/runs/:id/cancel",
     headers: authHeadersSchema,
-    pathParams: z27.object({
-      id: z27.string().min(1, "Run ID is required")
+    pathParams: z28.object({
+      id: z28.string().min(1, "Run ID is required")
     }),
-    body: z27.undefined(),
+    body: z28.undefined(),
     responses: {
       200: publicRunDetailSchema,
       400: publicApiErrorSchema,
@@ -8823,27 +8922,27 @@ var publicRunCancelContract = c19.router({
     description: "Cancel a pending or running execution"
   }
 });
-var logEntrySchema = z27.object({
+var logEntrySchema = z28.object({
   timestamp: timestampSchema,
-  type: z27.enum(["agent", "system", "network"]),
-  level: z27.enum(["debug", "info", "warn", "error"]),
-  message: z27.string(),
-  metadata: z27.record(z27.string(), z27.unknown()).optional()
+  type: z28.enum(["agent", "system", "network"]),
+  level: z28.enum(["debug", "info", "warn", "error"]),
+  message: z28.string(),
+  metadata: z28.record(z28.string(), z28.unknown()).optional()
 });
 var paginatedLogsSchema = createPaginatedResponseSchema(logEntrySchema);
 var logsQuerySchema = listQuerySchema.extend({
-  type: z27.enum(["agent", "system", "network", "all"]).default("all"),
+  type: z28.enum(["agent", "system", "network", "all"]).default("all"),
   since: timestampSchema.optional(),
   until: timestampSchema.optional(),
-  order: z27.enum(["asc", "desc"]).default("asc")
+  order: z28.enum(["asc", "desc"]).default("asc")
 });
-var publicRunLogsContract = c19.router({
+var publicRunLogsContract = c20.router({
   getLogs: {
     method: "GET",
     path: "/v1/runs/:id/logs",
     headers: authHeadersSchema,
-    pathParams: z27.object({
-      id: z27.string().min(1, "Run ID is required")
+    pathParams: z28.object({
+      id: z28.string().min(1, "Run ID is required")
     }),
     query: logsQuerySchema,
     responses: {
@@ -8856,30 +8955,30 @@ var publicRunLogsContract = c19.router({
     description: "Get unified logs for a run. Combines agent, system, and network logs."
   }
 });
-var metricPointSchema = z27.object({
+var metricPointSchema = z28.object({
   timestamp: timestampSchema,
-  cpuPercent: z27.number(),
-  memoryUsedMb: z27.number(),
-  memoryTotalMb: z27.number(),
-  diskUsedMb: z27.number(),
-  diskTotalMb: z27.number()
-});
-var metricsSummarySchema = z27.object({
-  avgCpuPercent: z27.number(),
-  maxMemoryUsedMb: z27.number(),
-  totalDurationMs: z27.number().nullable()
-});
-var metricsResponseSchema2 = z27.object({
-  data: z27.array(metricPointSchema),
+  cpuPercent: z28.number(),
+  memoryUsedMb: z28.number(),
+  memoryTotalMb: z28.number(),
+  diskUsedMb: z28.number(),
+  diskTotalMb: z28.number()
+});
+var metricsSummarySchema = z28.object({
+  avgCpuPercent: z28.number(),
+  maxMemoryUsedMb: z28.number(),
+  totalDurationMs: z28.number().nullable()
+});
+var metricsResponseSchema2 = z28.object({
+  data: z28.array(metricPointSchema),
   summary: metricsSummarySchema
 });
-var publicRunMetricsContract = c19.router({
+var publicRunMetricsContract = c20.router({
   getMetrics: {
     method: "GET",
     path: "/v1/runs/:id/metrics",
     headers: authHeadersSchema,
-    pathParams: z27.object({
-      id: z27.string().min(1, "Run ID is required")
+    pathParams: z28.object({
+      id: z28.string().min(1, "Run ID is required")
     }),
     responses: {
       200: metricsResponseSchema2,
@@ -8891,7 +8990,7 @@ var publicRunMetricsContract = c19.router({
     description: "Get CPU, memory, and disk metrics for a run"
   }
 });
-var sseEventTypeSchema = z27.enum([
+var sseEventTypeSchema = z28.enum([
   "status",
   // Run status change
   "output",
@@ -8903,26 +9002,26 @@ var sseEventTypeSchema = z27.enum([
   "heartbeat"
   // Keep-alive
 ]);
-var sseEventSchema = z27.object({
+var sseEventSchema = z28.object({
   event: sseEventTypeSchema,
-  data: z27.unknown(),
-  id: z27.string().optional()
+  data: z28.unknown(),
+  id: z28.string().optional()
   // For Last-Event-ID reconnection
 });
-var publicRunEventsContract = c19.router({
+var publicRunEventsContract = c20.router({
   streamEvents: {
     method: "GET",
     path: "/v1/runs/:id/events",
     headers: authHeadersSchema,
-    pathParams: z27.object({
-      id: z27.string().min(1, "Run ID is required")
+    pathParams: z28.object({
+      id: z28.string().min(1, "Run ID is required")
     }),
-    query: z27.object({
-      lastEventId: z27.string().optional()
+    query: z28.object({
+      lastEventId: z28.string().optional()
       // For reconnection
     }),
     responses: {
-      200: z27.any(),
+      200: z28.any(),
       // SSE stream - actual content is text/event-stream
       401: publicApiErrorSchema,
       404: publicApiErrorSchema,
@@ -8934,28 +9033,28 @@ var publicRunEventsContract = c19.router({
 });
 
 // ../../packages/core/src/contracts/public/artifacts.ts
-import { z as z28 } from "zod";
-var c20 = initContract();
-var publicArtifactSchema = z28.object({
-  id: z28.string(),
-  name: z28.string(),
-  currentVersionId: z28.string().nullable(),
-  size: z28.number(),
+import { z as z29 } from "zod";
+var c21 = initContract();
+var publicArtifactSchema = z29.object({
+  id: z29.string(),
+  name: z29.string(),
+  currentVersionId: z29.string().nullable(),
+  size: z29.number(),
   // Total size in bytes
-  fileCount: z28.number(),
+  fileCount: z29.number(),
   createdAt: timestampSchema,
   updatedAt: timestampSchema
 });
-var artifactVersionSchema = z28.object({
-  id: z28.string(),
+var artifactVersionSchema = z29.object({
+  id: z29.string(),
   // SHA-256 content hash
-  artifactId: z28.string(),
-  size: z28.number(),
+  artifactId: z29.string(),
+  size: z29.number(),
   // Size in bytes
-  fileCount: z28.number(),
-  message: z28.string().nullable(),
+  fileCount: z29.number(),
+  message: z29.string().nullable(),
   // Optional commit message
-  createdBy: z28.string(),
+  createdBy: z29.string(),
   createdAt: timestampSchema
 });
 var publicArtifactDetailSchema = publicArtifactSchema.extend({
@@ -8965,7 +9064,7 @@ var paginatedArtifactsSchema = createPaginatedResponseSchema(publicArtifactSchem
 var paginatedArtifactVersionsSchema = createPaginatedResponseSchema(
   artifactVersionSchema
 );
-var publicArtifactsListContract = c20.router({
+var publicArtifactsListContract = c21.router({
   list: {
     method: "GET",
     path: "/v1/artifacts",
@@ -8980,13 +9079,13 @@ var publicArtifactsListContract = c20.router({
     description: "List all artifacts in the current scope with pagination"
   }
 });
-var publicArtifactByIdContract = c20.router({
+var publicArtifactByIdContract = c21.router({
   get: {
     method: "GET",
     path: "/v1/artifacts/:id",
     headers: authHeadersSchema,
-    pathParams: z28.object({
-      id: z28.string().min(1, "Artifact ID is required")
+    pathParams: z29.object({
+      id: z29.string().min(1, "Artifact ID is required")
     }),
     responses: {
       200: publicArtifactDetailSchema,
@@ -8998,13 +9097,13 @@ var publicArtifactByIdContract = c20.router({
     description: "Get artifact details by ID"
   }
 });
-var publicArtifactVersionsContract = c20.router({
+var publicArtifactVersionsContract = c21.router({
   list: {
     method: "GET",
     path: "/v1/artifacts/:id/versions",
     headers: authHeadersSchema,
-    pathParams: z28.object({
-      id: z28.string().min(1, "Artifact ID is required")
+    pathParams: z29.object({
+      id: z29.string().min(1, "Artifact ID is required")
     }),
     query: listQuerySchema,
     responses: {
@@ -9017,20 +9116,20 @@ var publicArtifactVersionsContract = c20.router({
     description: "List all versions of an artifact with pagination"
   }
 });
-var publicArtifactDownloadContract = c20.router({
+var publicArtifactDownloadContract = c21.router({
   download: {
     method: "GET",
     path: "/v1/artifacts/:id/download",
     headers: authHeadersSchema,
-    pathParams: z28.object({
-      id: z28.string().min(1, "Artifact ID is required")
+    pathParams: z29.object({
+      id: z29.string().min(1, "Artifact ID is required")
     }),
-    query: z28.object({
-      versionId: z28.string().optional()
+    query: z29.object({
+      versionId: z29.string().optional()
       // Defaults to current version
     }),
     responses: {
-      302: z28.undefined(),
+      302: z29.undefined(),
       // Redirect to presigned URL
       401: publicApiErrorSchema,
       404: publicApiErrorSchema,
@@ -9042,28 +9141,28 @@ var publicArtifactDownloadContract = c20.router({
 });
 
 // ../../packages/core/src/contracts/public/volumes.ts
-import { z as z29 } from "zod";
-var c21 = initContract();
-var publicVolumeSchema = z29.object({
-  id: z29.string(),
-  name: z29.string(),
-  currentVersionId: z29.string().nullable(),
-  size: z29.number(),
+import { z as z30 } from "zod";
+var c22 = initContract();
+var publicVolumeSchema = z30.object({
+  id: z30.string(),
+  name: z30.string(),
+  currentVersionId: z30.string().nullable(),
+  size: z30.number(),
   // Total size in bytes
-  fileCount: z29.number(),
+  fileCount: z30.number(),
   createdAt: timestampSchema,
   updatedAt: timestampSchema
 });
-var volumeVersionSchema = z29.object({
-  id: z29.string(),
+var volumeVersionSchema = z30.object({
+  id: z30.string(),
   // SHA-256 content hash
-  volumeId: z29.string(),
-  size: z29.number(),
+  volumeId: z30.string(),
+  size: z30.number(),
   // Size in bytes
-  fileCount: z29.number(),
-  message: z29.string().nullable(),
+  fileCount: z30.number(),
+  message: z30.string().nullable(),
   // Optional commit message
-  createdBy: z29.string(),
+  createdBy: z30.string(),
   createdAt: timestampSchema
 });
 var publicVolumeDetailSchema = publicVolumeSchema.extend({
@@ -9071,7 +9170,7 @@ var publicVolumeDetailSchema = publicVolumeSchema.extend({
 });
 var paginatedVolumesSchema = createPaginatedResponseSchema(publicVolumeSchema);
 var paginatedVolumeVersionsSchema = createPaginatedResponseSchema(volumeVersionSchema);
-var publicVolumesListContract = c21.router({
+var publicVolumesListContract = c22.router({
   list: {
     method: "GET",
     path: "/v1/volumes",
@@ -9086,13 +9185,13 @@ var publicVolumesListContract = c21.router({
     description: "List all volumes in the current scope with pagination"
   }
 });
-var publicVolumeByIdContract = c21.router({
+var publicVolumeByIdContract = c22.router({
   get: {
     method: "GET",
     path: "/v1/volumes/:id",
     headers: authHeadersSchema,
-    pathParams: z29.object({
-      id: z29.string().min(1, "Volume ID is required")
+    pathParams: z30.object({
+      id: z30.string().min(1, "Volume ID is required")
     }),
     responses: {
       200: publicVolumeDetailSchema,
@@ -9104,13 +9203,13 @@ var publicVolumeByIdContract = c21.router({
     description: "Get volume details by ID"
   }
 });
-var publicVolumeVersionsContract = c21.router({
+var publicVolumeVersionsContract = c22.router({
   list: {
     method: "GET",
     path: "/v1/volumes/:id/versions",
     headers: authHeadersSchema,
-    pathParams: z29.object({
-      id: z29.string().min(1, "Volume ID is required")
+    pathParams: z30.object({
+      id: z30.string().min(1, "Volume ID is required")
     }),
     query: listQuerySchema,
     responses: {
@@ -9123,20 +9222,20 @@ var publicVolumeVersionsContract = c21.router({
     description: "List all versions of a volume with pagination"
   }
 });
-var publicVolumeDownloadContract = c21.router({
+var publicVolumeDownloadContract = c22.router({
   download: {
     method: "GET",
     path: "/v1/volumes/:id/download",
     headers: authHeadersSchema,
-    pathParams: z29.object({
-      id: z29.string().min(1, "Volume ID is required")
+    pathParams: z30.object({
+      id: z30.string().min(1, "Volume ID is required")
     }),
-    query: z29.object({
-      versionId: z29.string().optional()
+    query: z30.object({
+      versionId: z30.string().optional()
       // Defaults to current version
     }),
     responses: {
-      302: z29.undefined(),
+      302: z30.undefined(),
       // Redirect to presigned URL
       401: publicApiErrorSchema,
       404: publicApiErrorSchema,
@@ -9195,11 +9294,10 @@ var ENV_LOADER_PATH = "/usr/local/bin/vm0-agent/env-loader.mjs";
 // src/lib/proxy/vm-registry.ts
 import fs6 from "fs";
 var logger5 = createLogger("VMRegistry");
-var DEFAULT_REGISTRY_PATH = tempPaths.vmRegistry;
 var VMRegistry = class {
   registryPath;
   data;
-  constructor(registryPath = DEFAULT_REGISTRY_PATH) {
+  constructor(registryPath) {
     this.registryPath = registryPath;
     this.data = this.load();
   }
@@ -9286,7 +9384,9 @@ var VMRegistry = class {
 var globalRegistry = null;
 function getVMRegistry() {
   if (!globalRegistry) {
-    globalRegistry = new VMRegistry();
+    throw new Error(
+      "VMRegistry not initialized. Call initVMRegistry(registryPath) first."
+    );
   }
   return globalRegistry;
 }
@@ -9299,502 +9399,16 @@ function initVMRegistry(registryPath) {
 import { spawn as spawn2 } from "child_process";
 import fs7 from "fs";
 import path5 from "path";
-
-// src/lib/proxy/mitm-addon-script.ts
-var RUNNER_MITM_ADDON_SCRIPT = `#!/usr/bin/env python3
-"""
-mitmproxy addon for VM0 runner-level network security mode.
-
-This addon runs on the runner HOST (not inside VMs) and:
-1. Intercepts all HTTPS requests from VMs
-2. Looks up the source VM's runId and firewall rules from the VM registry
-3. Evaluates firewall rules (first-match-wins) to ALLOW or DENY
-4. For MITM mode: Rewrites requests to go through VM0 Proxy endpoint
-5. For SNI-only mode: Passes through or blocks without decryption
-6. Logs network activity per-run to JSONL files
-"""
-import os
-import json
-import time
-import urllib.parse
-import ipaddress
-import socket
-from mitmproxy import http, ctx, tls
-
-
-# VM0 Proxy configuration from environment
-API_URL = os.environ.get("VM0_API_URL", "https://www.vm0.ai")
-REGISTRY_PATH = os.environ.get("VM0_REGISTRY_PATH", "/tmp/vm0-vm-registry.json")
-VERCEL_BYPASS = os.environ.get("VERCEL_AUTOMATION_BYPASS_SECRET", "")
-
-# Construct proxy URL
-PROXY_URL = f"{API_URL}/api/webhooks/agent/proxy"
-
-# Cache for VM registry (reloaded periodically)
-_registry_cache = {}
-_registry_cache_time = 0
-REGISTRY_CACHE_TTL = 2  # seconds
-
-# Track request start times for latency calculation
-request_start_times = {}
-
-
-def load_registry() -> dict:
-    """Load the VM registry from file, with caching."""
-    global _registry_cache, _registry_cache_time
-
-    now = time.time()
-    if now - _registry_cache_time < REGISTRY_CACHE_TTL:
-        return _registry_cache
-
-    try:
-        if os.path.exists(REGISTRY_PATH):
-            with open(REGISTRY_PATH, "r") as f:
-                data = json.load(f)
-                _registry_cache = data.get("vms", {})
-                _registry_cache_time = now
-                return _registry_cache
-    except Exception as e:
-        ctx.log.warn(f"Failed to load VM registry: {e}")
-
-    return _registry_cache
-
-
-def get_vm_info(client_ip: str) -> dict | None:
-    """Look up VM info by client IP address."""
-    registry = load_registry()
-    return registry.get(client_ip)
-
-
-def get_network_log_path(run_id: str) -> str:
-    """Get the network log file path for a run."""
-    return f"/tmp/vm0-network-{run_id}.jsonl"
-
-
-def log_network_entry(run_id: str, entry: dict) -> None:
-    """Write a network log entry to the per-run JSONL file."""
-    if not run_id:
-        return
-
-    log_path = get_network_log_path(run_id)
-    try:
-        fd = os.open(log_path, os.O_CREAT | os.O_APPEND | os.O_WRONLY, 0o644)
-        try:
-            os.write(fd, (json.dumps(entry) + "\\n").encode())
-        finally:
-            os.close(fd)
-    except Exception as e:
-        ctx.log.warn(f"Failed to write network log: {e}")
-
-
-def get_original_url(flow: http.HTTPFlow) -> str:
-    """Reconstruct the original target URL from the request."""
-    scheme = "https" if flow.request.port == 443 else "http"
-    host = flow.request.pretty_host
-    port = flow.request.port
-
-    if (scheme == "https" and port != 443) or (scheme == "http" and port != 80):
-        host_with_port = f"{host}:{port}"
-    else:
-        host_with_port = host
-
-    path = flow.request.path
-    return f"{scheme}://{host_with_port}{path}"
-
-
-# ============================================================================
-# Firewall Rule Matching
-# ============================================================================
-
-def match_domain(pattern: str, hostname: str) -> bool:
-    """
-    Match hostname against domain pattern.
-    Supports exact match and wildcard prefix (*.example.com).
-    """
-    if not pattern or not hostname:
-        return False
-
-    pattern = pattern.lower()
-    hostname = hostname.lower()
-
-    if pattern.startswith("*."):
-        # Wildcard: *.example.com matches sub.example.com, www.example.com
-        # Also matches example.com itself (without subdomain)
-        suffix = pattern[1:]  # .example.com
-        base = pattern[2:]    # example.com
-        return hostname.endswith(suffix) or hostname == base
-
-    return hostname == pattern
-
-
-def match_ip(cidr: str, ip_str: str) -> bool:
-    """
-    Match IP address against CIDR range.
-    Supports single IPs (1.2.3.4) and ranges (10.0.0.0/8).
-    """
-    if not cidr or not ip_str:
-        return False
-
-    try:
-        # Parse CIDR (automatically handles single IPs as /32)
-        if "/" not in cidr:
-            cidr = f"{cidr}/32"
-        network = ipaddress.ip_network(cidr, strict=False)
-        ip = ipaddress.ip_address(ip_str)
-        return ip in network
-    except ValueError:
-        return False
-
-
-def resolve_hostname_to_ip(hostname: str) -> str | None:
-    """Resolve hostname to IP address for IP-based rule matching."""
-    try:
-        return socket.gethostbyname(hostname)
-    except socket.gaierror:
-        return None
-
-
-def evaluate_rules(rules: list, hostname: str, ip_str: str = None) -> tuple[str, str | None]:
-    """
-    Evaluate firewall rules against hostname/IP.
-    Returns (action, matched_rule_description).
-
-    Rule evaluation is first-match-wins (top to bottom).
-
-    Rule formats:
-    - Domain/IP rule: { domain: "*.example.com", action: "ALLOW" }
-    - Terminal rule: { final: "DENY" }
-    """
-    if not rules:
-        return ("ALLOW", None)  # No rules = allow all
-
-    for rule in rules:
-        # Final/terminal rule - value is the action
-        final_action = rule.get("final")
-        if final_action:
-            return (final_action, "final")
-
-        # Domain rule
-        domain = rule.get("domain")
-        if domain and match_domain(domain, hostname):
-            return (rule.get("action", "DENY"), f"domain:{domain}")
-
-        # IP rule
-        ip_pattern = rule.get("ip")
-        if ip_pattern:
-            target_ip = ip_str
-            if not target_ip:
-                target_ip = resolve_hostname_to_ip(hostname)
-            if target_ip and match_ip(ip_pattern, target_ip):
-                return (rule.get("action", "DENY"), f"ip:{ip_pattern}")
-
-    # No rule matched - default deny (zero-trust)
-    return ("DENY", "default")
-
-
-# ============================================================================
-# TLS ClientHello Handler (SNI-only mode)
-# ============================================================================
-
-def tls_clienthello(data: tls.ClientHelloData) -> None:
-    """
-    Handle TLS ClientHello for SNI-based filtering.
-    This is called BEFORE TLS decryption, allowing SNI-only filtering.
-    """
-    client_ip = data.context.client.peername[0] if data.context.client.peername else None
-    if not client_ip:
-        return
-
-    vm_info = get_vm_info(client_ip)
-    if not vm_info:
-        # Not a registered VM - pass through without MITM interception
-        # This is critical for CIDR-based rules where all VM traffic is redirected
-        data.ignore_connection = True
-        return
-
-    # If MITM is enabled, let the normal flow handle it
-    if vm_info.get("mitmEnabled", False):
-        return
-
-    # SNI-only mode: check rules based on SNI
-    sni = data.context.client.sni
-    run_id = vm_info.get("runId", "")
-    rules = vm_info.get("firewallRules", [])
-
-    # Auto-allow VM0 API requests - the agent MUST be able to communicate with VM0
-    if API_URL and sni:
-        parsed_api = urllib.parse.urlparse(API_URL)
-        api_hostname = parsed_api.hostname.lower() if parsed_api.hostname else ""
-        sni_lower = sni.lower()
-        if api_hostname and (sni_lower == api_hostname or sni_lower.endswith(f".{api_hostname}")):
-            ctx.log.info(f"[{run_id}] SNI-only auto-allow VM0 API: {sni}")
-            log_network_entry(run_id, {
-                "timestamp": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime()),
-                "mode": "sni",
-                "action": "ALLOW",
-                "host": sni,
-                "port": 443,
-                "rule_matched": "vm0-api",
-            })
-            data.ignore_connection = True  # Pass through without MITM
-            return
-
-    if not sni:
-        # No SNI, can't determine target - block for security
-        ctx.log.warn(f"[{run_id}] SNI-only: No SNI in ClientHello, blocking")
-        log_network_entry(run_id, {
-            "timestamp": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime()),
-            "mode": "sni",
-            "action": "DENY",
-            "host": "",
-            "port": 443,
-            "rule_matched": "no-sni",
-        })
-        # Don't set ignore_connection - mitmproxy will attempt MITM handshake
-        # Since VM doesn't have CA cert (SNI-only mode), TLS will fail immediately
-        return
-
-    # Evaluate rules
-    action, matched_rule = evaluate_rules(rules, sni)
-
-    # Log the connection
-    log_network_entry(run_id, {
-        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime()),
-        "mode": "sni",
-        "action": action,
-        "host": sni,
-        "port": 443,
-        "rule_matched": matched_rule,
-    })
-
-    if action == "ALLOW":
-        # Pass through without MITM - mitmproxy will relay without decryption
-        ctx.log.info(f"[{run_id}] SNI-only ALLOW: {sni} (rule: {matched_rule})")
-        data.ignore_connection = True
-    else:
-        # Block the connection by NOT setting ignore_connection
-        # mitmproxy will attempt MITM handshake, but since VM doesn't have
-        # our CA certificate installed (SNI-only mode), the TLS handshake
-        # will fail immediately with a certificate error.
-        ctx.log.warn(f"[{run_id}] SNI-only DENY: {sni} (rule: {matched_rule})")
-        # Client will see: SSL certificate problem / certificate verify failed
-
-
-# ============================================================================
-# HTTP Request Handler (MITM mode)
-# ============================================================================
-
-def request(flow: http.HTTPFlow) -> None:
-    """
-    Intercept request and apply firewall rules.
-    For MITM mode, rewrites allowed requests to VM0 Proxy.
-    """
-    # Track request start time
-    request_start_times[flow.id] = time.time()
-
-    # Get client IP (source VM)
-    client_ip = flow.client_conn.peername[0] if flow.client_conn.peername else None
-
-    if not client_ip:
-        ctx.log.warn("No client IP available, passing through")
-        return
-
-    # Look up VM info from registry
-    vm_info = get_vm_info(client_ip)
-
-    if not vm_info:
-        # Not a registered VM, pass through without proxying
-        ctx.log.info(f"No VM registration for {client_ip}, passing through")
-        return
-
-    run_id = vm_info.get("runId", "")
-    sandbox_token = vm_info.get("sandboxToken", "")
-    mitm_enabled = vm_info.get("mitmEnabled", False)
-    rules = vm_info.get("firewallRules", [])
-
-    # Store info for response handler
-    flow.metadata["vm_run_id"] = run_id
-    flow.metadata["vm_client_ip"] = client_ip
-    flow.metadata["vm_mitm_enabled"] = mitm_enabled
-
-    # Get target hostname
-    hostname = flow.request.pretty_host.lower()
-
-    # Auto-allow VM0 API requests - the agent MUST be able to communicate with VM0
-    # This is checked before user firewall rules to ensure agent functionality
-    if API_URL:
-        parsed_api = urllib.parse.urlparse(API_URL)
-        api_hostname = parsed_api.hostname.lower() if parsed_api.hostname else ""
-        if api_hostname and (hostname == api_hostname or hostname.endswith(f".{api_hostname}")):
-            ctx.log.info(f"[{run_id}] Auto-allow VM0 API: {hostname}")
-            flow.metadata["firewall_action"] = "ALLOW"
-            flow.metadata["firewall_rule"] = "vm0-api"
-            # Continue to skip rewrite check below
-            flow.metadata["original_url"] = get_original_url(flow)
-            flow.metadata["skip_rewrite"] = True
-            return
-
-    # Evaluate firewall rules
-    action, matched_rule = evaluate_rules(rules, hostname)
-    flow.metadata["firewall_action"] = action
-    flow.metadata["firewall_rule"] = matched_rule
-
-    if action == "DENY":
-        ctx.log.warn(f"[{run_id}] Firewall DENY: {hostname} (rule: {matched_rule})")
-        # Kill the flow and return error response
-        flow.response = http.Response.make(
-            403,
-            b"Blocked by firewall",
-            {"Content-Type": "text/plain"}
-        )
-        return
-
-    # Request is ALLOWED - proceed with processing
-
-    # Skip if no API URL configured
-    if not API_URL:
-        ctx.log.warn("VM0_API_URL not set, passing through")
-        return
-
-    # Skip rewriting requests already going to VM0 (avoid loops)
-    if API_URL in flow.request.pretty_url:
-        flow.metadata["original_url"] = flow.request.pretty_url
-        flow.metadata["skip_rewrite"] = True
-        return
-
-    # Skip rewriting requests to trusted storage domains (S3, etc.)
-    # S3 presigned URLs have signatures that break when proxied
-    TRUSTED_DOMAINS = [
-        ".s3.amazonaws.com",
-        ".s3-",  # Regional S3 endpoints like s3-us-west-2.amazonaws.com
-        "s3.amazonaws.com",
-        ".r2.cloudflarestorage.com",
-        ".storage.googleapis.com",
-    ]
-    for domain in TRUSTED_DOMAINS:
-        if domain in hostname or hostname.endswith(domain.lstrip(".")):
-            ctx.log.info(f"[{run_id}] Skipping trusted storage domain: {hostname}")
-            flow.metadata["original_url"] = get_original_url(flow)
-            flow.metadata["skip_rewrite"] = True
-            return
-
-    # Get original target URL
-    original_url = get_original_url(flow)
-    flow.metadata["original_url"] = original_url
-
-    # If MITM is not enabled, just allow the request through without rewriting
-    if not mitm_enabled:
-        ctx.log.info(f"[{run_id}] Firewall ALLOW (no MITM): {hostname}")
-        return
-
-    # MITM mode: rewrite to VM0 Proxy
-    ctx.log.info(f"[{run_id}] Proxying via MITM: {original_url}")
-
-    # Parse proxy URL
-    parsed = urllib.parse.urlparse(PROXY_URL)
-
-    # Build query params
-    query_params = {"url": original_url}
-    if run_id:
-        query_params["runId"] = run_id
-    query_string = urllib.parse.urlencode(query_params)
-
-    # Rewrite request to proxy
-    flow.request.host = parsed.hostname
-    flow.request.port = 443 if parsed.scheme == "https" else 80
-    flow.request.scheme = parsed.scheme
-    flow.request.path = f"{parsed.path}?{query_string}"
-
-    # Save original Authorization header before overwriting
-    if "Authorization" in flow.request.headers:
-        flow.request.headers["x-vm0-original-authorization"] = flow.request.headers["Authorization"]
-
-    # Add sandbox authentication token
-    if sandbox_token:
-        flow.request.headers["Authorization"] = f"Bearer {sandbox_token}"
-
-    # Add Vercel bypass header if configured
-    if VERCEL_BYPASS:
-        flow.request.headers["x-vercel-protection-bypass"] = VERCEL_BYPASS
-
-
-def response(flow: http.HTTPFlow) -> None:
-    """
-    Handle response and log network activity.
-    """
-    # Calculate latency
-    start_time = request_start_times.pop(flow.id, None)
-    latency_ms = int((time.time() - start_time) * 1000) if start_time else 0
-
-    # Get stored info
-    run_id = flow.metadata.get("vm_run_id", "")
-    original_url = flow.metadata.get("original_url", flow.request.pretty_url)
-    mitm_enabled = flow.metadata.get("vm_mitm_enabled", False)
-    firewall_action = flow.metadata.get("firewall_action", "ALLOW")
-    firewall_rule = flow.metadata.get("firewall_rule")
-
-    # Calculate sizes
-    request_size = len(flow.request.content) if flow.request.content else 0
-    response_size = len(flow.response.content) if flow.response and flow.response.content else 0
-    status_code = flow.response.status_code if flow.response else 0
-
-    # Parse URL for host
-    try:
-        parsed_url = urllib.parse.urlparse(original_url)
-        host = parsed_url.hostname or flow.request.pretty_host
-        port = parsed_url.port or (443 if parsed_url.scheme == "https" else 80)
-    except:
-        host = flow.request.pretty_host
-        port = flow.request.port
-
-    # Log network entry for this run
-    if run_id:
-        log_entry = {
-            "timestamp": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime()),
-            "mode": "mitm" if mitm_enabled else "sni",
-            "action": firewall_action,
-            "host": host,
-            "port": port,
-            "rule_matched": firewall_rule,
-        }
-
-        # Add HTTP details only in MITM mode
-        if mitm_enabled:
-            log_entry.update({
-                "method": flow.request.method,
-                "path": flow.request.path.split("?")[0],  # Path without query
-                "url": original_url,
-                "status": status_code,
-                "latency_ms": latency_ms,
-                "request_size": request_size,
-                "response_size": response_size,
-            })
-
-        log_network_entry(run_id, log_entry)
-
-    # Log errors to mitmproxy console
-    if flow.response and flow.response.status_code >= 400:
-        ctx.log.warn(
-            f"[{run_id}] Response {flow.response.status_code}: {original_url}"
-        )
-
-
-# mitmproxy addon registration
-addons = [tls_clienthello, request, response]
-`;
-
-// src/lib/proxy/proxy-manager.ts
 var logger6 = createLogger("ProxyManager");
 var DEFAULT_PROXY_OPTIONS = {
-  port: 8080,
-  registryPath: DEFAULT_REGISTRY_PATH
+  port: 8080
 };
 var ProxyManager = class {
   config;
   process = null;
   isRunning = false;
   constructor(config) {
-    const addonPath = path5.join(config.caDir, "mitm_addon.py");
+    const addonPath = path5.join(config.caDir, "mitm-addon.py");
     this.config = {
       ...DEFAULT_PROXY_OPTIONS,
       ...config,
@@ -9817,19 +9431,6 @@ var ProxyManager = class {
       });
     });
   }
-  /**
-   * Ensure the addon script exists at the configured path
-   */
-  ensureAddonScript() {
-    const addonDir = path5.dirname(this.config.addonPath);
-    if (!fs7.existsSync(addonDir)) {
-      fs7.mkdirSync(addonDir, { recursive: true });
-    }
-    fs7.writeFileSync(this.config.addonPath, RUNNER_MITM_ADDON_SCRIPT, {
-      mode: 493
-    });
-    logger6.log(`Addon script written to ${this.config.addonPath}`);
-  }
   /**
    * Validate proxy configuration
    */
@@ -9841,7 +9442,9 @@ var ProxyManager = class {
     if (!fs7.existsSync(caCertPath)) {
       throw new Error(`Proxy CA certificate not found: ${caCertPath}`);
     }
-    this.ensureAddonScript();
+    if (!fs7.existsSync(this.config.addonPath)) {
+      throw new Error(`Addon script not found: ${this.config.addonPath}`);
+    }
   }
   /**
    * Start mitmproxy
@@ -9871,17 +9474,15 @@ var ProxyManager = class {
       String(this.config.port),
       "--set",
       `confdir=${this.config.caDir}`,
+      "--set",
+      `vm0_api_url=${this.config.apiUrl}`,
+      "--set",
+      `vm0_registry_path=${this.config.registryPath}`,
       "--scripts",
       this.config.addonPath,
       "--quiet"
     ];
-    const env = {
-      ...process.env,
-      VM0_API_URL: this.config.apiUrl,
-      VM0_REGISTRY_PATH: this.config.registryPath
-    };
     this.process = spawn2("mitmdump", args, {
-      env,
       stdio: ["ignore", "pipe", "pipe"],
       detached: false
     });
@@ -10527,14 +10128,6 @@ function checkNetworkPrerequisites() {
     errors
   };
 }
-async function isPortInUse(port) {
-  try {
-    await execAsync3(`ss -tln | grep -q ":${port} "`);
-    return true;
-  } catch {
-    return false;
-  }
-}
 
 // src/lib/runner/runner-lock.ts
 import fs10 from "fs";
@@ -10588,11 +10181,13 @@ async function setupEnvironment(options) {
     process.exit(1);
   }
   logger12.log("Initializing network proxy...");
-  initVMRegistry();
+  const registryPath = runnerPaths.vmRegistry(config.base_dir);
+  initVMRegistry(registryPath);
   const proxyManager = initProxyManager({
     apiUrl: config.server.url,
     port: config.proxy.port,
-    caDir: config.proxy.ca_dir
+    caDir: config.proxy.ca_dir,
+    registryPath
   });
   let proxyEnabled = false;
   try {
@@ -10942,19 +10537,24 @@ function parseFirecrackerCmdline(cmdline) {
     }
   }
   if (!filePath) return null;
-  const match = filePath.match(/vm0-([a-f0-9]+)\//);
-  if (!match?.[1]) return null;
-  return createVmId(match[1]);
+  const vmIdMatch = filePath.match(/vm0-([a-f0-9]+)\//);
+  if (!vmIdMatch?.[1]) return null;
+  const baseDirMatch = filePath.match(/^(.+)\/workspaces\/vm0-[a-f0-9]+\//);
+  if (!baseDirMatch?.[1]) return null;
+  return { vmId: createVmId(vmIdMatch[1]), baseDir: baseDirMatch[1] };
 }
 function parseMitmproxyCmdline(cmdline) {
   if (!cmdline.includes("mitmproxy") && !cmdline.includes("mitmdump")) {
     return null;
   }
   const args = cmdline.split("\0");
-  const portIdx = args.findIndex((a) => a === "-p" || a === "--listen-port");
-  const portArg = args[portIdx + 1];
-  const port = portIdx !== -1 && portArg ? parseInt(portArg, 10) : void 0;
-  return { port };
+  for (const arg of args) {
+    const match = arg.match(/^vm0_registry_path=(.+)\/vm-registry\.json$/);
+    if (match?.[1]) {
+      return match[1];
+    }
+  }
+  return null;
 }
 function findFirecrackerProcesses() {
   const processes = [];
@@ -10972,9 +10572,9 @@ function findFirecrackerProcesses() {
     if (!existsSync4(cmdlinePath)) continue;
     try {
       const cmdline = readFileSync2(cmdlinePath, "utf-8");
-      const vmId = parseFirecrackerCmdline(cmdline);
-      if (vmId) {
-        processes.push({ pid, vmId });
+      const parsed = parseFirecrackerCmdline(cmdline);
+      if (parsed) {
+        processes.push({ pid, vmId: parsed.vmId, baseDir: parsed.baseDir });
       }
     } catch {
       continue;
@@ -11007,13 +10607,14 @@ async function killProcess(pid, timeoutMs = 5e3) {
   }
   return !isProcessRunning(pid);
 }
-function findMitmproxyProcess() {
+function findMitmproxyProcesses() {
+  const processes = [];
   const procDir = "/proc";
   let entries;
   try {
     entries = readdirSync(procDir);
   } catch {
-    return null;
+    return [];
   }
   for (const entry of entries) {
     if (!/^\d+$/.test(entry)) continue;
@@ -11022,26 +10623,26 @@ function findMitmproxyProcess() {
     if (!existsSync4(cmdlinePath)) continue;
     try {
       const cmdline = readFileSync2(cmdlinePath, "utf-8");
-      const parsed = parseMitmproxyCmdline(cmdline);
-      if (parsed) {
-        return { pid, port: parsed.port };
+      const baseDir = parseMitmproxyCmdline(cmdline);
+      if (baseDir) {
+        processes.push({ pid, baseDir });
       }
     } catch {
       continue;
     }
   }
-  return null;
+  return processes;
 }
 
 // src/lib/runner/types.ts
-import { z as z30 } from "zod";
-var RunnerModeSchema = z30.enum(["running", "draining", "stopping", "stopped"]);
-var RunnerStatusSchema = z30.object({
+import { z as z31 } from "zod";
+var RunnerModeSchema = z31.enum(["running", "draining", "stopping", "stopped"]);
+var RunnerStatusSchema = z31.object({
   mode: RunnerModeSchema,
-  active_runs: z30.number(),
-  active_run_ids: z30.array(z30.string()),
-  started_at: z30.string(),
-  updated_at: z30.string()
+  active_runs: z31.number(),
+  active_run_ids: z31.array(z31.string()),
+  started_at: z31.string(),
+  updated_at: z31.string()
 });
 
 // src/commands/doctor.ts
@@ -11083,20 +10684,14 @@ async function checkApiConnectivity(config, warnings) {
     });
   }
 }
-async function checkNetwork(config, warnings) {
+function checkNetwork(config, warnings) {
   console.log("Network:");
-  const proxyPort = config.proxy.port;
-  const mitmProc = findMitmproxyProcess();
-  const portInUse = await isPortInUse(proxyPort);
+  const mitmProcesses = findMitmproxyProcesses();
+  const mitmProc = mitmProcesses.find((p) => p.baseDir === config.base_dir);
   if (mitmProc) {
-    console.log(`  \u2713 Proxy mitmproxy (PID ${mitmProc.pid}) on :${proxyPort}`);
-  } else if (portInUse) {
     console.log(
-      `  \u26A0\uFE0F Proxy port :${proxyPort} in use but mitmproxy process not found`
+      `  \u2713 Proxy mitmproxy (PID ${mitmProc.pid}) on :${config.proxy.port}`
     );
-    warnings.push({
-      message: `Port ${proxyPort} is in use but mitmproxy process not detected`
-    });
   } else {
     console.log(`  \u2717 Proxy mitmproxy not running`);
     warnings.push({ message: "Proxy mitmproxy is not running" });
@@ -11182,7 +10777,8 @@ async function findOrphanNetworkNamespaces(warnings) {
     return [];
   }
 }
-async function detectOrphanResources(jobs, processes, workspaces, statusVmIds, warnings) {
+async function detectOrphanResources(jobs, allProcesses, workspaces, statusVmIds, baseDir, warnings) {
+  const processes = allProcesses.filter((p) => p.baseDir === baseDir);
   for (const job of jobs) {
     if (!job.firecrackerPid) {
       warnings.push({
@@ -11244,7 +10840,7 @@ var doctorCommand = new Command2("doctor").description("Diagnose runner health,
     console.log("");
     await checkApiConnectivity(config, warnings);
     console.log("");
-    await checkNetwork(config, warnings);
+    checkNetwork(config, warnings);
     console.log("");
     const processes = findFirecrackerProcesses();
     const workspaces = existsSync5(workspacesDir) ? readdirSync2(workspacesDir).filter(runnerPaths.isVmWorkspace) : [];
@@ -11256,6 +10852,7 @@ var doctorCommand = new Command2("doctor").description("Diagnose runner health,
       processes,
       workspaces,
       statusVmIds,
+      config.base_dir,
       warnings
     );
     displayWarnings(warnings);
@@ -11502,6 +11099,7 @@ var benchmarkCommand = new Command4("benchmark").description(
       }
       process.exit(1);
     }
+    initVMRegistry(runnerPaths.vmRegistry(config.base_dir));
     timer.log("Initializing pools...");
     const snapshotConfig = config.firecracker.snapshot;
     await initOverlayPool({
@@ -11747,7 +11345,7 @@ var snapshotCommand = new Command5("snapshot").description("Generate a Firecrack
 );
 
 // src/index.ts
-var version = true ? "3.12.1" : "0.1.0";
+var version = true ? "3.12.3" : "0.1.0";
 program.name("vm0-runner").version(version).description("Self-hosted runner for VM0 agents");
 program.addCommand(startCommand);
 program.addCommand(doctorCommand);