@vm0/runner 3.5.0 → 3.6.0

package/index.js

@@ -857,53 +857,51 @@ function checkNetworkPrerequisites() {
     errors
   };
 }
-async function setupVMProxyRules(vmIp, proxyPort, runnerName) {
-  const comment = `vm0:runner:${runnerName}`;
+async function setupCIDRProxyRules(proxyPort) {
+  const comment = "vm0:cidr-proxy";
   console.log(
-    `Setting up proxy rules for VM ${vmIp} -> localhost:${proxyPort} (comment: ${comment})`
+    `Setting up CIDR proxy rules for ${BRIDGE_CIDR} -> port ${proxyPort}`
   );
   try {
     await execCommand(
-      `iptables -t nat -C PREROUTING -s ${vmIp} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
+      `iptables -t nat -C PREROUTING -s ${BRIDGE_CIDR} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
-    console.log(`Proxy rule for ${vmIp}:80 already exists`);
+    console.log("CIDR proxy rule for port 80 already exists");
   } catch {
     await execCommand(
-      `iptables -t nat -A PREROUTING -s ${vmIp} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
+      `iptables -t nat -A PREROUTING -s ${BRIDGE_CIDR} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
-    console.log(`Proxy rule for ${vmIp}:80 added`);
+    console.log("CIDR proxy rule for port 80 added");
   }
   try {
     await execCommand(
-      `iptables -t nat -C PREROUTING -s ${vmIp} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
+      `iptables -t nat -C PREROUTING -s ${BRIDGE_CIDR} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
-    console.log(`Proxy rule for ${vmIp}:443 already exists`);
+    console.log("CIDR proxy rule for port 443 already exists");
   } catch {
     await execCommand(
-      `iptables -t nat -A PREROUTING -s ${vmIp} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
+      `iptables -t nat -A PREROUTING -s ${BRIDGE_CIDR} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
-    console.log(`Proxy rule for ${vmIp}:443 added`);
+    console.log("CIDR proxy rule for port 443 added");
   }
-  console.log(`Proxy rules configured for VM ${vmIp}`);
 }
-async function removeVMProxyRules(vmIp, proxyPort, runnerName) {
-  const comment = `vm0:runner:${runnerName}`;
-  console.log(`Removing proxy rules for VM ${vmIp}...`);
+async function cleanupCIDRProxyRules(proxyPort) {
+  const comment = "vm0:cidr-proxy";
+  console.log("Cleaning up CIDR proxy rules...");
   try {
     await execCommand(
-      `iptables -t nat -D PREROUTING -s ${vmIp} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
+      `iptables -t nat -D PREROUTING -s ${BRIDGE_CIDR} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
-    console.log(`Proxy rule for ${vmIp}:80 removed`);
+    console.log("CIDR proxy rule for port 80 removed");
   } catch {
   }
   try {
     await execCommand(
-      `iptables -t nat -D PREROUTING -s ${vmIp} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
+      `iptables -t nat -D PREROUTING -s ${BRIDGE_CIDR} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
-    console.log(`Proxy rule for ${vmIp}:443 removed`);
+    console.log("CIDR proxy rule for port 443 removed");
   } catch {
   }
-  console.log(`Proxy rules cleanup complete for VM ${vmIp}`);
 }
 async function listTapDevices() {
   try {
@@ -8654,7 +8652,10 @@ def tls_clienthello(data: tls.ClientHelloData) -> None:
 
     vm_info = get_vm_info(client_ip)
     if not vm_info:
-        return  # Not a registered VM, let it through
+        # Not a registered VM - pass through without MITM interception
+        # This is critical for CIDR-based rules where all VM traffic is redirected
+        data.ignore_connection = True
+        return
 
     # If MITM is enabled, let the normal flow handle it
     if vm_info.get("mitmEnabled", False):
@@ -9125,171 +9126,80 @@ function initProxyManager(config) {
   return globalProxyManager;
 }
 
-// src/lib/metrics/provider.ts
-import {
-  MeterProvider,
-  PeriodicExportingMetricReader
-} from "@opentelemetry/sdk-metrics";
-import { OTLPMetricExporter } from "@opentelemetry/exporter-metrics-otlp-proto";
-import { Resource } from "@opentelemetry/resources";
-import { ATTR_SERVICE_NAME } from "@opentelemetry/semantic-conventions";
-import { metrics } from "@opentelemetry/api";
-var meterProvider = null;
-var initialized = false;
-var enabled = false;
-var _runnerLabel = "";
-function initMetrics(config) {
-  if (initialized) return;
-  initialized = true;
-  _runnerLabel = config.runnerLabel;
-  if (!config.axiomToken) {
-    console.log("[metrics] AXIOM_TOKEN not configured, metrics disabled");
-    return;
-  }
-  const env = config.environment ?? "dev";
-  const exporter = new OTLPMetricExporter({
-    url: "https://api.axiom.co/v1/metrics",
-    headers: {
-      Authorization: `Bearer ${config.axiomToken}`,
-      "X-Axiom-Dataset": `vm0-sandbox-op-log-${env}`
-    }
-  });
-  meterProvider = new MeterProvider({
-    resource: new Resource({
-      [ATTR_SERVICE_NAME]: config.serviceName,
-      "deployment.environment": env,
-      "runner.label": config.runnerLabel
-    }),
-    readers: [
-      new PeriodicExportingMetricReader({
-        exporter,
-        exportIntervalMillis: config.exportIntervalMs ?? 3e4
-      })
-    ]
-  });
-  metrics.setGlobalMeterProvider(meterProvider);
-  enabled = true;
-  console.log(
-    `[metrics] initialized for ${config.serviceName} (${env}), runner: ${config.runnerLabel}`
-  );
-}
-function isMetricsEnabled() {
-  return enabled;
-}
-function getRunnerLabel() {
-  return _runnerLabel;
-}
-function getMeter(name) {
-  return metrics.getMeter(name);
+// src/lib/metrics/instruments.ts
+var FLUSH_THRESHOLD_MS = 3e4;
+var sandboxContext = null;
+var pendingOps = [];
+var oldestPendingTime = null;
+function setSandboxContext(ctx) {
+  sandboxContext = ctx;
+  pendingOps = [];
+  oldestPendingTime = null;
 }
-async function flushMetrics() {
-  if (meterProvider) {
-    await meterProvider.forceFlush();
+async function clearSandboxContext() {
+  const ctx = sandboxContext;
+  const ops = pendingOps;
+  sandboxContext = null;
+  pendingOps = [];
+  oldestPendingTime = null;
+  if (ctx && ops.length > 0) {
+    await flushOpsWithContext(ctx, ops);
   }
 }
-async function shutdownMetrics() {
-  if (meterProvider) {
-    await meterProvider.shutdown();
-  }
+async function flushOps() {
+  if (!sandboxContext || pendingOps.length === 0) return;
+  const ctx = sandboxContext;
+  const ops = pendingOps;
+  pendingOps = [];
+  oldestPendingTime = null;
+  await flushOpsWithContext(ctx, ops);
 }
-
-// src/lib/metrics/instruments.ts
-var runnerOperationTotal = null;
-var runnerOperationErrorsTotal = null;
-var runnerOperationDuration = null;
-var sandboxOperationTotal = null;
-var sandboxOperationErrorsTotal = null;
-var sandboxOperationDuration = null;
-function getRunnerInstruments() {
-  if (!runnerOperationTotal) {
-    const meter = getMeter("vm0-runner");
-    runnerOperationTotal = meter.createCounter("runner_operation_total", {
-      description: "Total number of runner operations"
-    });
-    runnerOperationErrorsTotal = meter.createCounter(
-      "runner_operation_errors_total",
-      {
-        description: "Total number of runner operation errors"
-      }
-    );
-    runnerOperationDuration = meter.createHistogram(
-      "runner_operation_duration_ms",
-      {
-        description: "Runner operation duration in milliseconds",
-        unit: "ms"
-      }
-    );
-  }
-  return {
-    runnerOperationTotal,
-    runnerOperationErrorsTotal,
-    runnerOperationDuration
+async function flushOpsWithContext(ctx, ops) {
+  const { apiUrl, runId, sandboxToken } = ctx;
+  const headers = {
+    Authorization: `Bearer ${sandboxToken}`,
+    "Content-Type": "application/json"
   };
-}
-function getSandboxInstruments() {
-  if (!sandboxOperationTotal) {
-    const meter = getMeter("vm0-runner");
-    sandboxOperationTotal = meter.createCounter("sandbox_operation_total", {
-      description: "Total number of sandbox operations"
+  const bypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
+  if (bypassSecret) {
+    headers["x-vercel-protection-bypass"] = bypassSecret;
+  }
+  try {
+    const response = await fetch(`${apiUrl}/api/webhooks/agent/telemetry`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        runId,
+        sandboxOperations: ops
+      })
     });
-    sandboxOperationErrorsTotal = meter.createCounter(
-      "sandbox_operation_errors_total",
-      {
-        description: "Total number of sandbox operation errors"
-      }
-    );
-    sandboxOperationDuration = meter.createHistogram(
-      "sandbox_operation_duration_ms",
-      {
-        description: "Sandbox operation duration in milliseconds",
-        unit: "ms"
-      }
-    );
+    await response.text();
+    if (!response.ok) {
+      console.warn(
+        `[metrics] Failed to flush operations: HTTP ${response.status}`
+      );
+    }
+  } catch (err) {
+    console.warn(`[metrics] Failed to flush operations: ${err}`);
   }
-  return {
-    sandboxOperationTotal,
-    sandboxOperationErrorsTotal,
-    sandboxOperationDuration
-  };
 }
-function recordRunnerOperation(attrs) {
-  if (!isMetricsEnabled()) return;
-  const {
-    runnerOperationTotal: runnerOperationTotal2,
-    runnerOperationErrorsTotal: runnerOperationErrorsTotal2,
-    runnerOperationDuration: runnerOperationDuration2
-  } = getRunnerInstruments();
-  const labels = {
-    action_type: attrs.actionType,
-    runner_label: getRunnerLabel()
-  };
-  runnerOperationTotal2.add(1, labels);
-  if (!attrs.success) {
-    runnerOperationErrorsTotal2.add(1, labels);
+function recordOperation(attrs) {
+  if (!sandboxContext) {
+    return;
   }
-  runnerOperationDuration2.record(attrs.durationMs, {
-    ...labels,
-    success: String(attrs.success)
-  });
-}
-function recordSandboxOperation(attrs) {
-  if (!isMetricsEnabled()) return;
-  const {
-    sandboxOperationTotal: sandboxOperationTotal2,
-    sandboxOperationErrorsTotal: sandboxOperationErrorsTotal2,
-    sandboxOperationDuration: sandboxOperationDuration2
-  } = getSandboxInstruments();
-  const labels = {
-    sandbox_type: "runner",
-    action_type: attrs.actionType
-  };
-  sandboxOperationTotal2.add(1, labels);
-  if (!attrs.success) {
-    sandboxOperationErrorsTotal2.add(1, labels);
+  const now = Date.now();
+  if (oldestPendingTime && now - oldestPendingTime >= FLUSH_THRESHOLD_MS) {
+    flushOps().catch(() => {
+    });
+  }
+  if (oldestPendingTime === null) {
+    oldestPendingTime = now;
   }
-  sandboxOperationDuration2.record(attrs.durationMs, {
-    ...labels,
-    success: String(attrs.success)
+  pendingOps.push({
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    action_type: attrs.actionType,
+    duration_ms: attrs.durationMs,
+    success: attrs.success
   });
 }
 
@@ -9303,7 +9213,7 @@ async function withRunnerTiming(actionType, fn) {
     success = false;
     throw error;
   } finally {
-    recordRunnerOperation({
+    recordOperation({
       actionType,
       durationMs: Date.now() - startTime,
       success
@@ -9319,7 +9229,7 @@ async function withSandboxTiming(actionType, fn) {
     success = false;
     throw error;
   } finally {
-    recordSandboxOperation({
+    recordOperation({
       actionType,
       durationMs: Date.now() - startTime,
       success
@@ -9487,15 +9397,18 @@ async function installProxyCA(guest, caCertPath) {
     );
   }
   const caCert = fs8.readFileSync(caCertPath, "utf-8");
+  const certWithNewline = caCert.endsWith("\n") ? caCert : caCert + "\n";
   console.log(
-    `[Executor] Installing proxy CA certificate (${caCert.length} bytes)`
+    `[Executor] Installing proxy CA certificate (${certWithNewline.length} bytes)`
   );
   await guest.writeFileWithSudo(
     "/usr/local/share/ca-certificates/vm0-proxy-ca.crt",
-    caCert
+    certWithNewline
+  );
+  await guest.execOrThrow(
+    "cat /usr/local/share/ca-certificates/vm0-proxy-ca.crt | sudo tee -a /etc/ssl/certs/ca-certificates.crt > /dev/null"
   );
-  await guest.execOrThrow("sudo update-ca-certificates");
-  console.log(`[Executor] Proxy CA certificate installed successfully`);
+  console.log("[Executor] Proxy CA certificate installed successfully");
 }
 
 // src/lib/executor.ts
@@ -9553,6 +9466,18 @@ async function reportPreflightFailure(apiUrl, runId, sandboxToken, error, bypass
   }
 }
 async function executeJob(context, config, options = {}) {
+  setSandboxContext({
+    apiUrl: config.server.url,
+    runId: context.runId,
+    sandboxToken: context.sandboxToken
+  });
+  if (context.apiStartTime) {
+    recordOperation({
+      actionType: "api_to_vm_start",
+      durationMs: Date.now() - context.apiStartTime,
+      success: true
+    });
+  }
   const vmId = getVmIdFromRunId(context.runId);
   let vm = null;
   let guestIp = null;
@@ -9594,19 +9519,25 @@ async function executeJob(context, config, options = {}) {
       log(
         `[Executor] Setting up network security for VM ${guestIp} (mitm=${mitmEnabled}, sealSecrets=${sealSecretsEnabled})`
       );
-      await setupVMProxyRules(guestIp, config.proxy.port, config.name);
-      getVMRegistry().register(guestIp, context.runId, context.sandboxToken, {
-        firewallRules: firewallConfig?.rules,
-        mitmEnabled,
-        sealSecretsEnabled
-      });
-      if (mitmEnabled) {
-        const caCertPath = path4.join(
-          config.proxy.ca_dir,
-          "mitmproxy-ca-cert.pem"
+      await withSandboxTiming("network_setup", async () => {
+        getVMRegistry().register(
+          guestIp,
+          context.runId,
+          context.sandboxToken,
+          {
+            firewallRules: firewallConfig?.rules,
+            mitmEnabled,
+            sealSecretsEnabled
+          }
         );
-        await installProxyCA(guest, caCertPath);
-      }
+        if (mitmEnabled) {
+          const caCertPath = path4.join(
+            config.proxy.ca_dir,
+            "mitmproxy-ca-cert.pem"
+          );
+          await installProxyCA(guest, caCertPath);
+        }
+      });
     }
     if (context.storageManifest) {
       await withSandboxTiming(
@@ -9634,12 +9565,15 @@ async function executeJob(context, config, options = {}) {
     if (!options.benchmarkMode) {
       log(`[Executor] Running preflight connectivity check...`);
       const bypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
-      const preflight = await runPreflightCheck(
-        guest,
-        config.server.url,
-        context.runId,
-        context.sandboxToken,
-        bypassSecret
+      const preflight = await withSandboxTiming(
+        "preflight_check",
+        () => runPreflightCheck(
+          guest,
+          config.server.url,
+          context.runId,
+          context.sandboxToken,
+          bypassSecret
+        )
       );
       if (!preflight.success) {
         log(`[Executor] Preflight check failed: ${preflight.error}`);
@@ -9711,7 +9645,7 @@ async function executeJob(context, config, options = {}) {
             );
           }
           const durationMs2 = Date.now() - startTime;
-          recordRunnerOperation({
+          recordOperation({
             actionType: "agent_execute",
             durationMs: durationMs2,
             success: false
@@ -9727,7 +9661,7 @@ async function executeJob(context, config, options = {}) {
     const duration = Math.round(durationMs / 1e3);
     if (!completed) {
       log(`[Executor] Agent timed out after ${duration}s`);
-      recordRunnerOperation({
+      recordOperation({
         actionType: "agent_execute",
         durationMs,
         success: false
@@ -9737,7 +9671,7 @@ async function executeJob(context, config, options = {}) {
         error: `Agent execution timed out after ${duration}s`
       };
     }
-    recordRunnerOperation({
+    recordOperation({
       actionType: "agent_execute",
       durationMs,
       success: exitCode === 0
@@ -9765,13 +9699,6 @@ async function executeJob(context, config, options = {}) {
   } finally {
     if (context.experimentalFirewall?.enabled && guestIp) {
       log(`[Executor] Cleaning up network security for VM ${guestIp}`);
-      try {
-        await removeVMProxyRules(guestIp, config.proxy.port, config.name);
-      } catch (err) {
-        console.error(
-          `[Executor] Failed to remove VM proxy rules: ${err instanceof Error ? err.message : "Unknown error"}`
-        );
-      }
       getVMRegistry().unregister(guestIp);
       if (!options.benchmarkMode) {
         try {
@@ -9791,6 +9718,7 @@ async function executeJob(context, config, options = {}) {
       log(`[Executor] Cleaning up VM ${vmId}...`);
       await withSandboxTiming("cleanup", () => vm.kill());
     }
+    await clearSandboxContext();
   }
 }
 
@@ -9826,18 +9754,6 @@ function createStatusUpdater(statusFilePath, state) {
 // src/lib/runner/setup.ts
 async function setupEnvironment(options) {
   const { config } = options;
-  const datasetSuffix = process.env.AXIOM_DATASET_SUFFIX;
-  if (!datasetSuffix) {
-    throw new Error(
-      "AXIOM_DATASET_SUFFIX is required. Set to 'dev' or 'prod'."
-    );
-  }
-  initMetrics({
-    serviceName: "vm0-runner",
-    runnerLabel: config.name,
-    axiomToken: process.env.AXIOM_TOKEN,
-    environment: datasetSuffix
-  });
   const networkCheck = checkNetworkPrerequisites();
   if (!networkCheck.ok) {
     console.error("Network prerequisites not met:");
@@ -9866,6 +9782,8 @@ async function setupEnvironment(options) {
     await proxyManager.start();
     proxyEnabled = true;
     console.log("Network proxy initialized successfully");
+    console.log("Setting up CIDR proxy rules...");
+    await setupCIDRProxyRules(config.proxy.port);
   } catch (err) {
     console.warn(
       `Network proxy not available: ${err instanceof Error ? err.message : "Unknown error"}`
@@ -9874,16 +9792,17 @@ async function setupEnvironment(options) {
       "Jobs with experimentalFirewall enabled will run without network interception"
     );
   }
-  return { proxyEnabled };
+  return { proxyEnabled, proxyPort: config.proxy.port };
 }
 async function cleanupEnvironment(resources) {
+  if (resources.proxyEnabled) {
+    console.log("Cleaning up CIDR proxy rules...");
+    await cleanupCIDRProxyRules(resources.proxyPort);
+  }
   if (resources.proxyEnabled) {
     console.log("Stopping network proxy...");
     await getProxyManager().stop();
   }
-  console.log("Flushing metrics...");
-  await flushMetrics();
-  await shutdownMetrics();
 }
 
 // src/lib/runner/signals.ts
@@ -10720,7 +10639,7 @@ var benchmarkCommand = new Command4("benchmark").description(
 });
 
 // src/index.ts
-var version = true ? "3.5.0" : "0.1.0";
+var version = true ? "3.6.0" : "0.1.0";
 program.name("vm0-runner").version(version).description("Self-hosted runner for VM0 agents");
 program.addCommand(startCommand);
 program.addCommand(doctorCommand);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vm0/runner",
-  "version": "3.5.0",
+  "version": "3.6.0",
   "description": "Self-hosted runner for VM0 agents",
   "repository": {
     "type": "git",
@@ -15,11 +15,6 @@
     "."
   ],
   "dependencies": {
-    "@opentelemetry/api": "^1.9.0",
-    "@opentelemetry/exporter-metrics-otlp-proto": "^0.52.0",
-    "@opentelemetry/resources": "^1.25.0",
-    "@opentelemetry/sdk-metrics": "^1.25.0",
-    "@opentelemetry/semantic-conventions": "^1.25.0",
     "ably": "^2.17.0",
     "commander": "^14.0.0",
     "yaml": "^2.3.4",