@vm0/runner 3.6.2 → 3.7.1

package/index.js

@@ -272,14 +272,13 @@ async function subscribeToJobs(server, group, onJob, onConnectionChange) {
 }
 
 // src/lib/executor.ts
-import path4 from "path";
+import path5 from "path";
 
 // src/lib/firecracker/vm.ts
-import { exec as exec3, spawn } from "child_process";
-import fs3 from "fs";
-import path2 from "path";
+import { spawn } from "child_process";
+import fs4 from "fs";
+import path3 from "path";
 import readline from "readline";
-import { promisify as promisify3 } from "util";
 
 // src/lib/firecracker/client.ts
 import http from "http";
@@ -291,7 +290,7 @@ var FirecrackerClient = class {
   /**
    * Make HTTP request to Firecracker API
    */
-  async request(method, path6, body) {
+  async request(method, path8, body) {
     return new Promise((resolve, reject) => {
       const bodyStr = body !== void 0 ? JSON.stringify(body) : void 0;
       const headers = {
@@ -304,11 +303,11 @@ var FirecrackerClient = class {
         headers["Content-Length"] = Buffer.byteLength(bodyStr);
       }
       console.log(
-        `[FC API] ${method} ${path6}${bodyStr ? ` (${Buffer.byteLength(bodyStr)} bytes)` : ""}`
+        `[FC API] ${method} ${path8}${bodyStr ? ` (${Buffer.byteLength(bodyStr)} bytes)` : ""}`
       );
       const options = {
         socketPath: this.socketPath,
-        path: path6,
+        path: path8,
         method,
         headers,
         // Disable agent to ensure fresh connection for each request
@@ -1064,9 +1063,205 @@ async function cleanupOrphanedProxyRules(runnerName) {
   }
 }
 
-// src/lib/firecracker/vm.ts
+// src/lib/firecracker/overlay-pool.ts
+import { exec as exec3 } from "child_process";
+import { randomUUID } from "crypto";
+import fs3 from "fs";
+import path2 from "path";
+import { promisify as promisify3 } from "util";
 var execAsync3 = promisify3(exec3);
-var logger3 = createLogger("VM");
+var logger3 = createLogger("OverlayPool");
+var VM0_RUN_DIR2 = "/var/run/vm0";
+var DEFAULT_POOL_DIR = path2.join(VM0_RUN_DIR2, "overlay-pool");
+var OVERLAY_SIZE = 2 * 1024 * 1024 * 1024;
+async function defaultCreateFile(filePath) {
+  const fd = fs3.openSync(filePath, "w");
+  fs3.ftruncateSync(fd, OVERLAY_SIZE);
+  fs3.closeSync(fd);
+  await execAsync3(`mkfs.ext4 -F -q "${filePath}"`);
+}
+var OverlayPool = class {
+  initialized = false;
+  queue = [];
+  replenishing = false;
+  config;
+  constructor(config) {
+    this.config = {
+      size: config.size,
+      replenishThreshold: config.replenishThreshold,
+      poolDir: config.poolDir ?? DEFAULT_POOL_DIR,
+      createFile: config.createFile ?? defaultCreateFile
+    };
+  }
+  /**
+   * Generate unique file name using UUID
+   */
+  generateFileName() {
+    return `overlay-${randomUUID()}.ext4`;
+  }
+  /**
+   * Ensure the pool directory exists
+   */
+  async ensurePoolDir() {
+    const parentDir = path2.dirname(this.config.poolDir);
+    if (!fs3.existsSync(parentDir)) {
+      await execAsync3(`sudo mkdir -p ${parentDir}`);
+      await execAsync3(`sudo chmod 777 ${parentDir}`);
+    }
+    if (!fs3.existsSync(this.config.poolDir)) {
+      fs3.mkdirSync(this.config.poolDir, { recursive: true });
+    }
+  }
+  /**
+   * Scan pool directory for overlay files
+   */
+  scanPoolDir() {
+    if (!fs3.existsSync(this.config.poolDir)) {
+      return [];
+    }
+    return fs3.readdirSync(this.config.poolDir).filter((f) => f.startsWith("overlay-") && f.endsWith(".ext4")).map((f) => path2.join(this.config.poolDir, f));
+  }
+  /**
+   * Replenish the pool in background
+   */
+  async replenish() {
+    if (this.replenishing || !this.initialized) {
+      return;
+    }
+    const needed = this.config.size - this.queue.length;
+    if (needed <= 0) {
+      return;
+    }
+    this.replenishing = true;
+    logger3.log(`Replenishing pool: creating ${needed} overlay(s)...`);
+    try {
+      const promises = [];
+      for (let i = 0; i < needed; i++) {
+        const filePath = path2.join(
+          this.config.poolDir,
+          this.generateFileName()
+        );
+        promises.push(
+          this.config.createFile(filePath).then(() => {
+            this.queue.push(filePath);
+          })
+        );
+      }
+      await Promise.all(promises);
+      logger3.log(`Pool replenished: ${this.queue.length} available`);
+    } catch (err) {
+      logger3.error(
+        `Replenish failed: ${err instanceof Error ? err.message : "Unknown"}`
+      );
+    } finally {
+      this.replenishing = false;
+    }
+  }
+  /**
+   * Initialize the overlay pool
+   */
+  async init() {
+    this.queue = [];
+    logger3.log(
+      `Initializing overlay pool (size=${this.config.size}, threshold=${this.config.replenishThreshold})...`
+    );
+    await this.ensurePoolDir();
+    const existing = this.scanPoolDir();
+    if (existing.length > 0) {
+      logger3.log(`Cleaning up ${existing.length} stale overlay(s)`);
+      for (const file of existing) {
+        fs3.unlinkSync(file);
+      }
+    }
+    this.initialized = true;
+    await this.replenish();
+    logger3.log("Overlay pool initialized");
+  }
+  /**
+   * Acquire an overlay file from the pool
+   *
+   * Returns the file path. Caller owns the file and must delete it when done.
+   * Falls back to on-demand creation if pool is exhausted.
+   */
+  async acquire() {
+    if (!this.initialized) {
+      throw new Error("Overlay pool not initialized");
+    }
+    const filePath = this.queue.shift();
+    if (filePath) {
+      logger3.log(`Acquired overlay from pool (${this.queue.length} remaining)`);
+      if (this.queue.length < this.config.replenishThreshold) {
+        this.replenish().catch((err) => {
+          logger3.error(
+            `Background replenish failed: ${err instanceof Error ? err.message : "Unknown"}`
+          );
+        });
+      }
+      return filePath;
+    }
+    logger3.log("Pool exhausted, creating overlay on-demand");
+    const newPath = path2.join(this.config.poolDir, this.generateFileName());
+    await this.config.createFile(newPath);
+    return newPath;
+  }
+  /**
+   * Clean up the overlay pool
+   */
+  cleanup() {
+    if (!this.initialized) {
+      return;
+    }
+    logger3.log("Cleaning up overlay pool...");
+    for (const file of this.queue) {
+      try {
+        fs3.unlinkSync(file);
+      } catch (err) {
+        logger3.log(
+          `Failed to delete ${file}: ${err instanceof Error ? err.message : "Unknown"}`
+        );
+      }
+    }
+    this.queue = [];
+    for (const file of this.scanPoolDir()) {
+      try {
+        fs3.unlinkSync(file);
+      } catch (err) {
+        logger3.log(
+          `Failed to delete ${file}: ${err instanceof Error ? err.message : "Unknown"}`
+        );
+      }
+    }
+    this.initialized = false;
+    this.replenishing = false;
+    logger3.log("Overlay pool cleaned up");
+  }
+};
+var overlayPool = null;
+async function initOverlayPool(config) {
+  if (overlayPool) {
+    overlayPool.cleanup();
+  }
+  overlayPool = new OverlayPool(config);
+  await overlayPool.init();
+  return overlayPool;
+}
+function acquireOverlay() {
+  if (!overlayPool) {
+    throw new Error(
+      "Overlay pool not initialized. Call initOverlayPool() first."
+    );
+  }
+  return overlayPool.acquire();
+}
+function cleanupOverlayPool() {
+  if (overlayPool) {
+    overlayPool.cleanup();
+    overlayPool = null;
+  }
+}
+
+// src/lib/firecracker/vm.ts
+var logger4 = createLogger("VM");
 var FirecrackerVM = class {
   config;
   process = null;
@@ -1075,16 +1270,15 @@ var FirecrackerVM = class {
   state = "created";
   workDir;
   socketPath;
-  vmOverlayPath;
-  // Per-VM sparse overlay for writes
+  vmOverlayPath = null;
+  // Set during start()
   vsockPath;
   // Vsock UDS path for host-guest communication
   constructor(config) {
     this.config = config;
     this.workDir = config.workDir || `/tmp/vm0-vm-${config.vmId}`;
-    this.socketPath = path2.join(this.workDir, "firecracker.sock");
-    this.vmOverlayPath = path2.join(this.workDir, "overlay.ext4");
-    this.vsockPath = path2.join(this.workDir, "vsock.sock");
+    this.socketPath = path3.join(this.workDir, "firecracker.sock");
+    this.vsockPath = path3.join(this.workDir, "vsock.sock");
   }
   /**
    * Get current VM state
@@ -1125,25 +1319,23 @@ var FirecrackerVM = class {
       throw new Error(`Cannot start VM in state: ${this.state}`);
     }
     try {
-      fs3.mkdirSync(this.workDir, { recursive: true });
-      if (fs3.existsSync(this.socketPath)) {
-        fs3.unlinkSync(this.socketPath);
-      }
-      logger3.log(`[VM ${this.config.vmId}] Setting up overlay and network...`);
-      const createOverlay = async () => {
-        const overlaySize = 2 * 1024 * 1024 * 1024;
-        const fd = fs3.openSync(this.vmOverlayPath, "w");
-        fs3.ftruncateSync(fd, overlaySize);
-        fs3.closeSync(fd);
-        await execAsync3(`mkfs.ext4 -F -q "${this.vmOverlayPath}"`);
-        logger3.log(`[VM ${this.config.vmId}] Overlay created`);
+      fs4.mkdirSync(this.workDir, { recursive: true });
+      if (fs4.existsSync(this.socketPath)) {
+        fs4.unlinkSync(this.socketPath);
+      }
+      logger4.log(`[VM ${this.config.vmId}] Setting up overlay and network...`);
+      const setupOverlay = async () => {
+        this.vmOverlayPath = await acquireOverlay();
+        logger4.log(
+          `[VM ${this.config.vmId}] Overlay acquired: ${this.vmOverlayPath}`
+        );
       };
       const [, networkConfig] = await Promise.all([
-        createOverlay(),
+        setupOverlay(),
         createTapDevice(this.config.vmId)
       ]);
       this.networkConfig = networkConfig;
-      logger3.log(`[VM ${this.config.vmId}] Starting Firecracker...`);
+      logger4.log(`[VM ${this.config.vmId}] Starting Firecracker...`);
       this.process = spawn(
         this.config.firecrackerBinary,
         ["--api-sock", this.socketPath],
@@ -1154,11 +1346,11 @@ var FirecrackerVM = class {
         }
       );
       this.process.on("error", (err) => {
-        logger3.log(`[VM ${this.config.vmId}] Firecracker error: ${err}`);
+        logger4.log(`[VM ${this.config.vmId}] Firecracker error: ${err}`);
         this.state = "error";
       });
       this.process.on("exit", (code, signal) => {
-        logger3.log(
+        logger4.log(
           `[VM ${this.config.vmId}] Firecracker exited: code=${code}, signal=${signal}`
         );
         if (this.state !== "stopped") {
@@ -1171,7 +1363,7 @@ var FirecrackerVM = class {
         });
         stdoutRL.on("line", (line) => {
           if (line.trim()) {
-            logger3.log(`[VM ${this.config.vmId}] ${line}`);
+            logger4.log(`[VM ${this.config.vmId}] ${line}`);
           }
         });
       }
@@ -1181,19 +1373,19 @@ var FirecrackerVM = class {
         });
         stderrRL.on("line", (line) => {
           if (line.trim()) {
-            logger3.log(`[VM ${this.config.vmId}] stderr: ${line}`);
+            logger4.log(`[VM ${this.config.vmId}] stderr: ${line}`);
           }
         });
       }
       this.client = new FirecrackerClient(this.socketPath);
-      logger3.log(`[VM ${this.config.vmId}] Waiting for API...`);
+      logger4.log(`[VM ${this.config.vmId}] Waiting for API...`);
       await this.client.waitUntilReady(1e4, 100);
       this.state = "configuring";
       await this.configure();
-      logger3.log(`[VM ${this.config.vmId}] Booting...`);
+      logger4.log(`[VM ${this.config.vmId}] Booting...`);
       await this.client.start();
       this.state = "running";
-      logger3.log(
+      logger4.log(
         `[VM ${this.config.vmId}] Running at ${this.networkConfig.guestIp}`
       );
     } catch (error) {
@@ -1206,10 +1398,10 @@ var FirecrackerVM = class {
    * Configure the VM via Firecracker API
    */
   async configure() {
-    if (!this.client || !this.networkConfig) {
+    if (!this.client || !this.networkConfig || !this.vmOverlayPath) {
       throw new Error("VM not properly initialized");
     }
-    logger3.log(
+    logger4.log(
       `[VM ${this.config.vmId}] Configuring: ${this.config.vcpus} vCPUs, ${this.config.memoryMb}MB RAM`
     );
     await this.client.setMachineConfig({
@@ -1218,12 +1410,12 @@ var FirecrackerVM = class {
     });
     const networkBootArgs = generateNetworkBootArgs(this.networkConfig);
     const bootArgs = `console=ttyS0 reboot=k panic=1 pci=off nomodules random.trust_cpu=on quiet loglevel=0 nokaslr audit=0 numa=off mitigations=off noresume init=/sbin/vm-init ${networkBootArgs}`;
-    logger3.log(`[VM ${this.config.vmId}] Boot args: ${bootArgs}`);
+    logger4.log(`[VM ${this.config.vmId}] Boot args: ${bootArgs}`);
     await this.client.setBootSource({
       kernel_image_path: this.config.kernelPath,
       boot_args: bootArgs
     });
-    logger3.log(
+    logger4.log(
       `[VM ${this.config.vmId}] Base rootfs: ${this.config.rootfsPath}`
     );
     await this.client.setDrive({
@@ -1232,14 +1424,14 @@ var FirecrackerVM = class {
       is_root_device: true,
       is_read_only: true
     });
-    logger3.log(`[VM ${this.config.vmId}] Overlay: ${this.vmOverlayPath}`);
+    logger4.log(`[VM ${this.config.vmId}] Overlay: ${this.vmOverlayPath}`);
     await this.client.setDrive({
       drive_id: "overlay",
       path_on_host: this.vmOverlayPath,
       is_root_device: false,
       is_read_only: false
     });
-    logger3.log(
+    logger4.log(
       `[VM ${this.config.vmId}] Network: ${this.networkConfig.tapDevice}`
     );
     await this.client.setNetworkInterface({
@@ -1247,7 +1439,7 @@ var FirecrackerVM = class {
       guest_mac: this.networkConfig.guestMac,
       host_dev_name: this.networkConfig.tapDevice
     });
-    logger3.log(`[VM ${this.config.vmId}] Vsock: ${this.vsockPath}`);
+    logger4.log(`[VM ${this.config.vmId}] Vsock: ${this.vsockPath}`);
     await this.client.setVsock({
       vsock_id: "vsock0",
       guest_cid: 3,
@@ -1259,15 +1451,15 @@ var FirecrackerVM = class {
    */
   async stop() {
     if (this.state !== "running") {
-      logger3.log(`[VM ${this.config.vmId}] Not running, state: ${this.state}`);
+      logger4.log(`[VM ${this.config.vmId}] Not running, state: ${this.state}`);
       return;
     }
     this.state = "stopping";
-    logger3.log(`[VM ${this.config.vmId}] Stopping...`);
+    logger4.log(`[VM ${this.config.vmId}] Stopping...`);
     try {
       if (this.client) {
         await this.client.sendCtrlAltDel().catch((error) => {
-          logger3.log(
+          logger4.log(
             `[VM ${this.config.vmId}] Graceful shutdown signal failed (VM may already be stopping): ${error instanceof Error ? error.message : error}`
           );
         });
@@ -1280,7 +1472,7 @@ var FirecrackerVM = class {
    * Force kill the VM
    */
   async kill() {
-    logger3.log(`[VM ${this.config.vmId}] Force killing...`);
+    logger4.log(`[VM ${this.config.vmId}] Force killing...`);
     await this.cleanup();
   }
   /**
@@ -1300,12 +1492,16 @@ var FirecrackerVM = class {
       );
       this.networkConfig = null;
     }
-    if (fs3.existsSync(this.workDir)) {
-      fs3.rmSync(this.workDir, { recursive: true, force: true });
+    if (this.vmOverlayPath && fs4.existsSync(this.vmOverlayPath)) {
+      fs4.unlinkSync(this.vmOverlayPath);
+      this.vmOverlayPath = null;
+    }
+    if (fs4.existsSync(this.workDir)) {
+      fs4.rmSync(this.workDir, { recursive: true, force: true });
     }
     this.client = null;
     this.state = "stopped";
-    logger3.log(`[VM ${this.config.vmId}] Stopped`);
+    logger4.log(`[VM ${this.config.vmId}] Stopped`);
   }
   /**
    * Wait for the VM process to exit
@@ -1336,7 +1532,7 @@ var FirecrackerVM = class {
 
 // src/lib/firecracker/vsock.ts
 import * as net from "net";
-import * as fs4 from "fs";
+import * as fs5 from "fs";
 var VSOCK_PORT = 1e3;
 var HEADER_SIZE = 4;
 var MAX_MESSAGE_SIZE = 16 * 1024 * 1024;
@@ -1368,8 +1564,8 @@ function encodeExecPayload(command, timeoutMs) {
   cmdBuf.copy(payload, 8);
   return payload;
 }
-function encodeWriteFilePayload(path6, content, sudo) {
-  const pathBuf = Buffer.from(path6, "utf-8");
+function encodeWriteFilePayload(path8, content, sudo) {
+  const pathBuf = Buffer.from(path8, "utf-8");
   if (pathBuf.length > 65535) {
     throw new Error(`Path too long: ${pathBuf.length} bytes (max 65535)`);
   }
@@ -1676,8 +1872,8 @@ var VsockClient = class {
       return;
     }
     const listenerPath = `${this.vsockPath}_${VSOCK_PORT}`;
-    if (fs4.existsSync(listenerPath)) {
-      fs4.unlinkSync(listenerPath);
+    if (fs5.existsSync(listenerPath)) {
+      fs5.unlinkSync(listenerPath);
     }
     return new Promise((resolve, reject) => {
       const server = net.createServer();
@@ -1687,8 +1883,8 @@ var VsockClient = class {
         if (!settled) {
           settled = true;
           server.close();
-          if (fs4.existsSync(listenerPath)) {
-            fs4.unlinkSync(listenerPath);
+          if (fs5.existsSync(listenerPath)) {
+            fs5.unlinkSync(listenerPath);
           }
           reject(new Error(`Guest connection timeout after ${timeoutMs}ms`));
         }
@@ -1698,8 +1894,8 @@ var VsockClient = class {
           settled = true;
           clearTimeout(timeout);
           server.close();
-          if (fs4.existsSync(listenerPath)) {
-            fs4.unlinkSync(listenerPath);
+          if (fs5.existsSync(listenerPath)) {
+            fs5.unlinkSync(listenerPath);
           }
           reject(err);
         }
@@ -1731,8 +1927,8 @@ var VsockClient = class {
                 }
                 settled = true;
                 clearTimeout(timeout);
-                if (fs4.existsSync(listenerPath)) {
-                  fs4.unlinkSync(listenerPath);
+                if (fs5.existsSync(listenerPath)) {
+                  fs5.unlinkSync(listenerPath);
                 }
                 state = 2 /* Connected */;
                 this.socket = socket;
@@ -2226,8 +2422,8 @@ function getErrorMap() {
   return overrideErrorMap;
 }
 var makeIssue = (params) => {
-  const { data, path: path6, errorMaps, issueData } = params;
-  const fullPath = [...path6, ...issueData.path || []];
+  const { data, path: path8, errorMaps, issueData } = params;
+  const fullPath = [...path8, ...issueData.path || []];
   const fullIssue = {
     ...issueData,
     path: fullPath
@@ -2326,11 +2522,11 @@ var errorUtil;
   errorUtil2.toString = (message) => typeof message === "string" ? message : message === null || message === void 0 ? void 0 : message.message;
 })(errorUtil || (errorUtil = {}));
 var ParseInputLazyPath = class {
-  constructor(parent, value, path6, key) {
+  constructor(parent, value, path8, key) {
     this._cachedPath = [];
     this.parent = parent;
     this.data = value;
-    this._path = path6;
+    this._path = path8;
     this._key = key;
   }
   get path() {
@@ -8509,8 +8705,8 @@ var FEATURE_SWITCHES = {
 var ENV_LOADER_PATH = "/usr/local/bin/vm0-agent/env-loader.mjs";
 
 // src/lib/proxy/vm-registry.ts
-import fs5 from "fs";
-var logger4 = createLogger("VMRegistry");
+import fs6 from "fs";
+var logger5 = createLogger("VMRegistry");
 var DEFAULT_REGISTRY_PATH = "/tmp/vm0-vm-registry.json";
 var VMRegistry = class {
   registryPath;
@@ -8524,8 +8720,8 @@ var VMRegistry = class {
    */
   load() {
     try {
-      if (fs5.existsSync(this.registryPath)) {
-        const content = fs5.readFileSync(this.registryPath, "utf-8");
+      if (fs6.existsSync(this.registryPath)) {
+        const content = fs6.readFileSync(this.registryPath, "utf-8");
         return JSON.parse(content);
       }
     } catch {
@@ -8539,8 +8735,8 @@ var VMRegistry = class {
     this.data.updatedAt = Date.now();
     const content = JSON.stringify(this.data, null, 2);
     const tempPath = `${this.registryPath}.tmp`;
-    fs5.writeFileSync(tempPath, content, { mode: 420 });
-    fs5.renameSync(tempPath, this.registryPath);
+    fs6.writeFileSync(tempPath, content, { mode: 420 });
+    fs6.renameSync(tempPath, this.registryPath);
   }
   /**
    * Register a VM with its IP address
@@ -8557,7 +8753,7 @@ var VMRegistry = class {
     this.save();
     const firewallInfo = options?.firewallRules ? ` with ${options.firewallRules.length} firewall rules` : "";
     const mitmInfo = options?.mitmEnabled ? ", MITM enabled" : "";
-    logger4.log(
+    logger5.log(
       `Registered VM ${vmIp} for run ${runId}${firewallInfo}${mitmInfo}`
     );
   }
@@ -8569,7 +8765,7 @@ var VMRegistry = class {
       const registration = this.data.vms[vmIp];
       delete this.data.vms[vmIp];
       this.save();
-      logger4.log(`Unregistered VM ${vmIp} (run ${registration.runId})`);
+      logger5.log(`Unregistered VM ${vmIp} (run ${registration.runId})`);
     }
   }
   /**
@@ -8590,7 +8786,7 @@ var VMRegistry = class {
   clear() {
     this.data.vms = {};
     this.save();
-    logger4.log("Cleared all registrations");
+    logger5.log("Cleared all registrations");
   }
   /**
    * Get the path to the registry file
@@ -8613,8 +8809,8 @@ function initVMRegistry(registryPath) {
 
 // src/lib/proxy/proxy-manager.ts
 import { spawn as spawn2 } from "child_process";
-import fs6 from "fs";
-import path3 from "path";
+import fs7 from "fs";
+import path4 from "path";
 
 // src/lib/proxy/mitm-addon-script.ts
 var RUNNER_MITM_ADDON_SCRIPT = `#!/usr/bin/env python3
@@ -9100,7 +9296,7 @@ addons = [tls_clienthello, request, response]
 `;
 
 // src/lib/proxy/proxy-manager.ts
-var logger5 = createLogger("ProxyManager");
+var logger6 = createLogger("ProxyManager");
 var DEFAULT_PROXY_OPTIONS = {
   port: 8080,
   registryPath: DEFAULT_REGISTRY_PATH,
@@ -9111,7 +9307,7 @@ var ProxyManager = class {
   process = null;
   isRunning = false;
   constructor(config) {
-    const addonPath = path3.join(config.caDir, "mitm_addon.py");
+    const addonPath = path4.join(config.caDir, "mitm_addon.py");
     this.config = {
       ...DEFAULT_PROXY_OPTIONS,
       ...config,
@@ -9138,24 +9334,24 @@ var ProxyManager = class {
    * Ensure the addon script exists at the configured path
    */
   ensureAddonScript() {
-    const addonDir = path3.dirname(this.config.addonPath);
-    if (!fs6.existsSync(addonDir)) {
-      fs6.mkdirSync(addonDir, { recursive: true });
+    const addonDir = path4.dirname(this.config.addonPath);
+    if (!fs7.existsSync(addonDir)) {
+      fs7.mkdirSync(addonDir, { recursive: true });
     }
-    fs6.writeFileSync(this.config.addonPath, RUNNER_MITM_ADDON_SCRIPT, {
+    fs7.writeFileSync(this.config.addonPath, RUNNER_MITM_ADDON_SCRIPT, {
       mode: 493
     });
-    logger5.log(`Addon script written to ${this.config.addonPath}`);
+    logger6.log(`Addon script written to ${this.config.addonPath}`);
   }
   /**
    * Validate proxy configuration
    */
   validateConfig() {
-    if (!fs6.existsSync(this.config.caDir)) {
+    if (!fs7.existsSync(this.config.caDir)) {
       throw new Error(`Proxy CA directory not found: ${this.config.caDir}`);
     }
-    const caCertPath = path3.join(this.config.caDir, "mitmproxy-ca.pem");
-    if (!fs6.existsSync(caCertPath)) {
+    const caCertPath = path4.join(this.config.caDir, "mitmproxy-ca.pem");
+    if (!fs7.existsSync(caCertPath)) {
       throw new Error(`Proxy CA certificate not found: ${caCertPath}`);
     }
     this.ensureAddonScript();
@@ -9165,7 +9361,7 @@ var ProxyManager = class {
    */
   async start() {
     if (this.isRunning) {
-      logger5.log("Proxy already running");
+      logger6.log("Proxy already running");
       return;
     }
     const mitmproxyInstalled = await this.checkMitmproxyInstalled();
@@ -9176,11 +9372,11 @@ var ProxyManager = class {
     }
     this.validateConfig();
     getVMRegistry();
-    logger5.log("Starting mitmproxy...");
-    logger5.log(`  Port: ${this.config.port}`);
-    logger5.log(`  CA Dir: ${this.config.caDir}`);
-    logger5.log(`  Addon: ${this.config.addonPath}`);
-    logger5.log(`  Registry: ${this.config.registryPath}`);
+    logger6.log("Starting mitmproxy...");
+    logger6.log(`  Port: ${this.config.port}`);
+    logger6.log(`  CA Dir: ${this.config.caDir}`);
+    logger6.log(`  Addon: ${this.config.addonPath}`);
+    logger6.log(`  Registry: ${this.config.registryPath}`);
     const args = [
       "--mode",
       "transparent",
@@ -9210,18 +9406,23 @@ var ProxyManager = class {
       mitmLogger.log(data.toString().trim());
     });
     this.process.on("close", (code) => {
-      logger5.log(`mitmproxy exited with code ${code}`);
+      logger6.log(`mitmproxy exited with code ${code}`);
       this.isRunning = false;
       this.process = null;
     });
     this.process.on("error", (err) => {
-      logger5.error(`mitmproxy error: ${err.message}`);
+      logger6.error(`mitmproxy error: ${err.message}`);
       this.isRunning = false;
       this.process = null;
     });
     await this.waitForReady();
     this.isRunning = true;
-    logger5.log("mitmproxy started successfully");
+    logger6.log("mitmproxy started successfully");
+    process.on("exit", () => {
+      if (this.process && !this.process.killed) {
+        this.process.kill("SIGKILL");
+      }
+    });
   }
   /**
    * Wait for proxy to be ready
@@ -9247,24 +9448,24 @@ var ProxyManager = class {
    */
   async stop() {
     if (!this.process || !this.isRunning) {
-      logger5.log("Proxy not running");
+      logger6.log("Proxy not running");
       return;
     }
-    logger5.log("Stopping mitmproxy...");
+    logger6.log("Stopping mitmproxy...");
     return new Promise((resolve) => {
       if (!this.process) {
         resolve();
         return;
       }
       const timeout = setTimeout(() => {
-        logger5.log("Force killing mitmproxy...");
+        logger6.log("Force killing mitmproxy...");
         this.process?.kill("SIGKILL");
       }, 5e3);
       this.process.on("close", () => {
         clearTimeout(timeout);
         this.isRunning = false;
         this.process = null;
-        logger5.log("mitmproxy stopped");
+        logger6.log("mitmproxy stopped");
         resolve();
       });
       this.process.kill("SIGTERM");
@@ -9409,15 +9610,15 @@ async function withSandboxTiming(actionType, fn) {
 }
 
 // src/lib/vm-setup/vm-setup.ts
-var logger6 = createLogger("VMSetup");
+var logger7 = createLogger("VMSetup");
 var VM_PROXY_CA_PATH = "/usr/local/share/ca-certificates/vm0-proxy-ca.crt";
 async function downloadStorages(guest, manifest) {
   const totalArchives = manifest.storages.filter((s) => s.archiveUrl).length + (manifest.artifact?.archiveUrl ? 1 : 0);
   if (totalArchives === 0) {
-    logger6.log(`No archives to download`);
+    logger7.log(`No archives to download`);
     return;
   }
-  logger6.log(`Downloading ${totalArchives} archive(s)...`);
+  logger7.log(`Downloading ${totalArchives} archive(s)...`);
   const manifestJson = JSON.stringify(manifest);
   await guest.writeFile("/tmp/storage-manifest.json", manifestJson);
   const result = await guest.exec(
@@ -9426,23 +9627,23 @@ async function downloadStorages(guest, manifest) {
   if (result.exitCode !== 0) {
     throw new Error(`Storage download failed: ${result.stderr}`);
   }
-  logger6.log(`Storage download completed`);
+  logger7.log(`Storage download completed`);
 }
 async function restoreSessionHistory(guest, resumeSession, workingDir, cliAgentType) {
   const { sessionId, sessionHistory } = resumeSession;
   let sessionPath;
   if (cliAgentType === "codex") {
-    logger6.log(`Codex resume session will be handled by checkpoint.py`);
+    logger7.log(`Codex resume session will be handled by checkpoint.py`);
     return;
   } else {
     const projectName = workingDir.replace(/^\//, "").replace(/\//g, "-");
     sessionPath = `/home/user/.claude/projects/-${projectName}/${sessionId}.jsonl`;
   }
-  logger6.log(`Restoring session history to ${sessionPath}`);
+  logger7.log(`Restoring session history to ${sessionPath}`);
   const dirPath = sessionPath.substring(0, sessionPath.lastIndexOf("/"));
   await guest.execOrThrow(`mkdir -p "${dirPath}"`);
   await guest.writeFile(sessionPath, sessionHistory);
-  logger6.log(
+  logger7.log(
     `Session history restored (${sessionHistory.split("\n").length} lines)`
   );
 }
@@ -9495,22 +9696,22 @@ function buildEnvironmentVariables(context, apiUrl) {
 }
 
 // src/lib/network-logs/network-logs.ts
-import fs7 from "fs";
-var logger7 = createLogger("NetworkLogs");
+import fs8 from "fs";
+var logger8 = createLogger("NetworkLogs");
 function getNetworkLogPath(runId) {
   return `/tmp/vm0-network-${runId}.jsonl`;
 }
 function readNetworkLogs(runId) {
   const logPath = getNetworkLogPath(runId);
-  if (!fs7.existsSync(logPath)) {
+  if (!fs8.existsSync(logPath)) {
     return [];
   }
   try {
-    const content = fs7.readFileSync(logPath, "utf-8");
+    const content = fs8.readFileSync(logPath, "utf-8");
     const lines = content.split("\n").filter((line) => line.trim());
     return lines.map((line) => JSON.parse(line));
   } catch (err) {
-    logger7.error(
+    logger8.error(
       `Failed to read network logs: ${err instanceof Error ? err.message : "Unknown error"}`
     );
     return [];
@@ -9519,11 +9720,11 @@ function readNetworkLogs(runId) {
 function cleanupNetworkLogs(runId) {
   const logPath = getNetworkLogPath(runId);
   try {
-    if (fs7.existsSync(logPath)) {
-      fs7.unlinkSync(logPath);
+    if (fs8.existsSync(logPath)) {
+      fs8.unlinkSync(logPath);
     }
   } catch (err) {
-    logger7.error(
+    logger8.error(
       `Failed to cleanup network logs: ${err instanceof Error ? err.message : "Unknown error"}`
     );
   }
@@ -9531,10 +9732,10 @@ function cleanupNetworkLogs(runId) {
 async function uploadNetworkLogs(apiUrl, sandboxToken, runId) {
   const networkLogs = readNetworkLogs(runId);
   if (networkLogs.length === 0) {
-    logger7.log(`No network logs to upload for ${runId}`);
+    logger8.log(`No network logs to upload for ${runId}`);
     return;
   }
-  logger7.log(
+  logger8.log(
     `Uploading ${networkLogs.length} network log entries for ${runId}`
   );
   const headers = {
@@ -9555,68 +9756,18 @@ async function uploadNetworkLogs(apiUrl, sandboxToken, runId) {
   });
   if (!response.ok) {
     const errorText = await response.text();
-    logger7.error(`Failed to upload network logs: ${errorText}`);
+    logger8.error(`Failed to upload network logs: ${errorText}`);
     return;
   }
-  logger7.log(`Network logs uploaded successfully for ${runId}`);
+  logger8.log(`Network logs uploaded successfully for ${runId}`);
   cleanupNetworkLogs(runId);
 }
 
 // src/lib/executor.ts
-var logger8 = createLogger("Executor");
+var logger9 = createLogger("Executor");
 function getVmIdFromRunId(runId) {
   return runId.split("-")[0] || runId.substring(0, 8);
 }
-var CURL_ERROR_MESSAGES = {
-  6: "DNS resolution failed",
-  7: "Connection refused",
-  28: "Connection timeout",
-  60: "TLS certificate error (proxy CA not trusted)",
-  22: "HTTP error from server"
-};
-async function runPreflightCheck(guest, apiUrl, runId, sandboxToken, bypassSecret) {
-  const heartbeatUrl = `${apiUrl}/api/webhooks/agent/heartbeat`;
-  const bypassHeader = bypassSecret ? ` -H "x-vercel-protection-bypass: ${bypassSecret}"` : "";
-  const curlCmd = `curl -sf --connect-timeout 5 --max-time 10 "${heartbeatUrl}" -X POST -H "Content-Type: application/json" -H "Authorization: Bearer ${sandboxToken}"${bypassHeader} -d '{"runId":"${runId}"}'`;
-  const result = await guest.exec(curlCmd, 2e4);
-  if (result.exitCode === 0) {
-    return { success: true };
-  }
-  const errorDetail = CURL_ERROR_MESSAGES[result.exitCode] ?? `curl exit code ${result.exitCode}`;
-  const stderrInfo = result.stderr?.trim() ? ` (${result.stderr.trim()})` : "";
-  return {
-    success: false,
-    error: `Preflight check failed: ${errorDetail}${stderrInfo} - VM cannot reach VM0 API at ${apiUrl}`
-  };
-}
-async function reportPreflightFailure(apiUrl, runId, sandboxToken, error, bypassSecret) {
-  const completeUrl = `${apiUrl}/api/webhooks/agent/complete`;
-  const headers = {
-    "Content-Type": "application/json",
-    Authorization: `Bearer ${sandboxToken}`
-  };
-  if (bypassSecret) {
-    headers["x-vercel-protection-bypass"] = bypassSecret;
-  }
-  try {
-    const response = await fetch(completeUrl, {
-      method: "POST",
-      headers,
-      body: JSON.stringify({
-        runId,
-        exitCode: 1,
-        error
-      })
-    });
-    if (!response.ok) {
-      logger8.error(
-        `Failed to report preflight failure: HTTP ${response.status}`
-      );
-    }
-  } catch (err) {
-    logger8.error(`Failed to report preflight failure: ${err}`);
-  }
-}
 async function executeJob(context, config, options = {}) {
   setSandboxContext({
     apiUrl: config.server.url,
@@ -9633,9 +9784,9 @@ async function executeJob(context, config, options = {}) {
   const vmId = getVmIdFromRunId(context.runId);
   let vm = null;
   let guestIp = null;
-  logger8.log(`Starting job ${context.runId} in VM ${vmId}`);
+  logger9.log(`Starting job ${context.runId} in VM ${vmId}`);
   try {
-    const workspacesDir = path4.join(process.cwd(), "workspaces");
+    const workspacesDir = path5.join(process.cwd(), "workspaces");
     const vmConfig = {
       vmId,
       vcpus: config.sandbox.vcpu,
@@ -9643,30 +9794,30 @@ async function executeJob(context, config, options = {}) {
       kernelPath: config.firecracker.kernel,
       rootfsPath: config.firecracker.rootfs,
       firecrackerBinary: config.firecracker.binary,
-      workDir: path4.join(workspacesDir, `vm0-${vmId}`)
+      workDir: path5.join(workspacesDir, `vm0-${vmId}`)
     };
-    logger8.log(`Creating VM ${vmId}...`);
+    logger9.log(`Creating VM ${vmId}...`);
     vm = new FirecrackerVM(vmConfig);
     await withSandboxTiming("vm_create", () => vm.start());
     guestIp = vm.getGuestIp();
     if (!guestIp) {
       throw new Error("VM started but no IP address available");
     }
-    logger8.log(`VM ${vmId} started, guest IP: ${guestIp}`);
+    logger9.log(`VM ${vmId} started, guest IP: ${guestIp}`);
     const vsockPath = vm.getVsockPath();
     const guest = new VsockClient(vsockPath);
-    logger8.log(`Using vsock for guest communication: ${vsockPath}`);
-    logger8.log(`Waiting for guest connection...`);
+    logger9.log(`Using vsock for guest communication: ${vsockPath}`);
+    logger9.log(`Waiting for guest connection...`);
     await withSandboxTiming(
       "guest_wait",
       () => guest.waitForGuestConnection(3e4)
     );
-    logger8.log(`Guest client ready`);
+    logger9.log(`Guest client ready`);
     const firewallConfig = context.experimentalFirewall;
     if (firewallConfig?.enabled) {
       const mitmEnabled = firewallConfig.experimental_mitm ?? false;
       const sealSecretsEnabled = firewallConfig.experimental_seal_secrets ?? false;
-      logger8.log(
+      logger9.log(
         `Setting up network security for VM ${guestIp} (mitm=${mitmEnabled}, sealSecrets=${sealSecretsEnabled})`
       );
       await withSandboxTiming("network_setup", async () => {
@@ -9701,52 +9852,23 @@ async function executeJob(context, config, options = {}) {
     }
     const envVars = buildEnvironmentVariables(context, config.server.url);
     const envJson = JSON.stringify(envVars);
-    logger8.log(
+    logger9.log(
       `Writing env JSON (${envJson.length} bytes) to ${ENV_JSON_PATH}`
     );
     await guest.writeFile(ENV_JSON_PATH, envJson);
-    if (!options.benchmarkMode) {
-      logger8.log(`Running preflight connectivity check...`);
-      const bypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
-      const preflight = await withSandboxTiming(
-        "preflight_check",
-        () => runPreflightCheck(
-          guest,
-          config.server.url,
-          context.runId,
-          context.sandboxToken,
-          bypassSecret
-        )
-      );
-      if (!preflight.success) {
-        logger8.log(`Preflight check failed: ${preflight.error}`);
-        await reportPreflightFailure(
-          config.server.url,
-          context.runId,
-          context.sandboxToken,
-          preflight.error,
-          bypassSecret
-        );
-        return {
-          exitCode: 1,
-          error: preflight.error
-        };
-      }
-      logger8.log(`Preflight check passed`);
-    }
     const systemLogFile = `/tmp/vm0-main-${context.runId}.log`;
     const startTime = Date.now();
     const maxWaitMs = 2 * 60 * 60 * 1e3;
     let command;
     if (options.benchmarkMode) {
-      logger8.log(`Running command directly (benchmark mode)...`);
+      logger9.log(`Running command directly (benchmark mode)...`);
       command = `${context.prompt} > ${systemLogFile} 2>&1`;
     } else {
-      logger8.log(`Running agent via env-loader...`);
+      logger9.log(`Running agent via env-loader...`);
       command = `node ${ENV_LOADER_PATH} > ${systemLogFile} 2>&1`;
     }
     const { pid } = await guest.spawnAndWatch(command, maxWaitMs);
-    logger8.log(`Process started with pid=${pid}`);
+    logger9.log(`Process started with pid=${pid}`);
     let exitCode = 1;
     let exitEvent;
     try {
@@ -9755,7 +9877,7 @@ async function executeJob(context, config, options = {}) {
     } catch {
       const durationMs2 = Date.now() - startTime;
       const duration2 = Math.round(durationMs2 / 1e3);
-      logger8.log(`Agent timed out after ${duration2}s`);
+      logger9.log(`Agent timed out after ${duration2}s`);
       recordOperation({
         actionType: "agent_execute",
         durationMs: durationMs2,
@@ -9773,7 +9895,7 @@ async function executeJob(context, config, options = {}) {
         `dmesg | tail -20 | grep -iE "killed|oom" 2>/dev/null`
       );
       if (dmesgCheck.stdout.toLowerCase().includes("oom") || dmesgCheck.stdout.toLowerCase().includes("killed")) {
-        logger8.log(`OOM detected: ${dmesgCheck.stdout}`);
+        logger9.log(`OOM detected: ${dmesgCheck.stdout}`);
         recordOperation({
           actionType: "agent_execute",
           durationMs,
@@ -9790,9 +9912,9 @@ async function executeJob(context, config, options = {}) {
       durationMs,
       success: exitCode === 0
     });
-    logger8.log(`Agent finished in ${duration}s with exit code ${exitCode}`);
+    logger9.log(`Agent finished in ${duration}s with exit code ${exitCode}`);
     if (exitEvent.stderr) {
-      logger8.log(
+      logger9.log(
         `Stderr (${exitEvent.stderr.length} chars): ${exitEvent.stderr.substring(0, 500)}`
       );
     }
@@ -9802,14 +9924,14 @@ async function executeJob(context, config, options = {}) {
     };
   } catch (error) {
     const errorMsg = error instanceof Error ? error.message : "Unknown error";
-    logger8.error(`Job ${context.runId} failed: ${errorMsg}`);
+    logger9.error(`Job ${context.runId} failed: ${errorMsg}`);
     return {
       exitCode: 1,
       error: errorMsg
     };
   } finally {
     if (context.experimentalFirewall?.enabled && guestIp) {
-      logger8.log(`Cleaning up network security for VM ${guestIp}`);
+      logger9.log(`Cleaning up network security for VM ${guestIp}`);
       getVMRegistry().unregister(guestIp);
       if (!options.benchmarkMode) {
         try {
@@ -9819,14 +9941,14 @@ async function executeJob(context, config, options = {}) {
             context.runId
           );
         } catch (err) {
-          logger8.error(
+          logger9.error(
             `Failed to upload network logs: ${err instanceof Error ? err.message : "Unknown error"}`
           );
         }
       }
     }
     if (vm) {
-      logger8.log(`Cleaning up VM ${vmId}...`);
+      logger9.log(`Cleaning up VM ${vmId}...`);
       await withSandboxTiming("cleanup", () => vm.kill());
     }
     await clearSandboxContext();
@@ -9835,7 +9957,7 @@ async function executeJob(context, config, options = {}) {
 
 // src/lib/runner/status.ts
 import { writeFileSync as writeFileSync2 } from "fs";
-var logger9 = createLogger("Runner");
+var logger10 = createLogger("Runner");
 function writeStatusFile(statusFilePath, mode, activeRuns, startedAt) {
   const status = {
     mode,
@@ -9847,7 +9969,7 @@ function writeStatusFile(statusFilePath, mode, activeRuns, startedAt) {
   try {
     writeFileSync2(statusFilePath, JSON.stringify(status, null, 2));
   } catch (err) {
-    logger9.error(
+    logger10.error(
       `Failed to write status file: ${err instanceof Error ? err.message : "Unknown error"}`
     );
   }
@@ -9863,27 +9985,97 @@ function createStatusUpdater(statusFilePath, state) {
   };
 }
 
+// src/lib/runner/runner-lock.ts
+import { exec as exec4 } from "child_process";
+import fs9 from "fs";
+import path6 from "path";
+import { promisify as promisify4 } from "util";
+var execAsync4 = promisify4(exec4);
+var logger11 = createLogger("RunnerLock");
+var DEFAULT_RUN_DIR = "/var/run/vm0";
+var DEFAULT_PID_FILE = `${DEFAULT_RUN_DIR}/runner.pid`;
+var currentPidFile = null;
+async function ensureRunDir2(dirPath, skipSudo) {
+  if (!fs9.existsSync(dirPath)) {
+    if (skipSudo) {
+      fs9.mkdirSync(dirPath, { recursive: true });
+    } else {
+      await execAsync4(`sudo mkdir -p ${dirPath}`);
+      await execAsync4(`sudo chmod 777 ${dirPath}`);
+    }
+  }
+}
+function isProcessRunning(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    if (err instanceof Error && "code" in err && err.code === "EPERM") {
+      return true;
+    }
+    return false;
+  }
+}
+async function acquireRunnerLock(options = {}) {
+  const pidFile = options.pidFile ?? DEFAULT_PID_FILE;
+  const skipSudo = options.skipSudo ?? false;
+  const runDir = path6.dirname(pidFile);
+  await ensureRunDir2(runDir, skipSudo);
+  if (fs9.existsSync(pidFile)) {
+    const pidStr = fs9.readFileSync(pidFile, "utf-8").trim();
+    const pid = parseInt(pidStr, 10);
+    if (!isNaN(pid) && isProcessRunning(pid)) {
+      logger11.error(`Error: Another runner is already running (PID ${pid})`);
+      logger11.error(`If this is incorrect, remove ${pidFile} and try again.`);
+      process.exit(1);
+    }
+    if (isNaN(pid)) {
+      logger11.log("Cleaning up invalid PID file");
+    } else {
+      logger11.log(`Cleaning up stale PID file (PID ${pid} not running)`);
+    }
+    fs9.unlinkSync(pidFile);
+  }
+  fs9.writeFileSync(pidFile, process.pid.toString());
+  currentPidFile = pidFile;
+  logger11.log(`Runner lock acquired (PID ${process.pid})`);
+}
+function releaseRunnerLock() {
+  const pidFile = currentPidFile ?? DEFAULT_PID_FILE;
+  if (fs9.existsSync(pidFile)) {
+    fs9.unlinkSync(pidFile);
+    logger11.log("Runner lock released");
+  }
+  currentPidFile = null;
+}
+
 // src/lib/runner/setup.ts
-var logger10 = createLogger("Runner");
+var logger12 = createLogger("Runner");
 async function setupEnvironment(options) {
   const { config } = options;
+  await acquireRunnerLock();
   const networkCheck = checkNetworkPrerequisites();
   if (!networkCheck.ok) {
-    logger10.error("Network prerequisites not met:");
+    logger12.error("Network prerequisites not met:");
     for (const error of networkCheck.errors) {
-      logger10.error(`  - ${error}`);
+      logger12.error(`  - ${error}`);
     }
     process.exit(1);
   }
-  logger10.log("Setting up network bridge...");
+  logger12.log("Setting up network bridge...");
   await setupBridge();
-  logger10.log("Flushing bridge ARP cache...");
+  logger12.log("Flushing bridge ARP cache...");
   await flushBridgeArpCache();
-  logger10.log("Cleaning up orphaned proxy rules...");
+  logger12.log("Cleaning up orphaned proxy rules...");
   await cleanupOrphanedProxyRules(config.name);
-  logger10.log("Cleaning up orphaned IP allocations...");
+  logger12.log("Cleaning up orphaned IP allocations...");
   await cleanupOrphanedAllocations();
-  logger10.log("Initializing network proxy...");
+  logger12.log("Initializing overlay pool...");
+  await initOverlayPool({
+    size: config.sandbox.max_concurrent + 2,
+    replenishThreshold: config.sandbox.max_concurrent
+  });
+  logger12.log("Initializing network proxy...");
   initVMRegistry();
   const proxyManager = initProxyManager({
     apiUrl: config.server.url,
@@ -9894,49 +10086,79 @@ async function setupEnvironment(options) {
   try {
     await proxyManager.start();
     proxyEnabled = true;
-    logger10.log("Network proxy initialized successfully");
-    logger10.log("Setting up CIDR proxy rules...");
+    logger12.log("Network proxy initialized successfully");
+    logger12.log("Setting up CIDR proxy rules...");
     await setupCIDRProxyRules(config.proxy.port);
   } catch (err) {
-    logger10.log(
+    logger12.log(
       `Network proxy not available: ${err instanceof Error ? err.message : "Unknown error"}`
     );
-    logger10.log(
+    logger12.log(
       "Jobs with experimentalFirewall enabled will run without network interception"
     );
   }
   return { proxyEnabled, proxyPort: config.proxy.port };
 }
 async function cleanupEnvironment(resources) {
+  const errors = [];
   if (resources.proxyEnabled) {
-    logger10.log("Cleaning up CIDR proxy rules...");
-    await cleanupCIDRProxyRules(resources.proxyPort);
+    try {
+      logger12.log("Cleaning up CIDR proxy rules...");
+      await cleanupCIDRProxyRules(resources.proxyPort);
+    } catch (err) {
+      const error = err instanceof Error ? err : new Error(String(err));
+      errors.push(error);
+      logger12.error(`Failed to cleanup CIDR proxy rules: ${error.message}`);
+    }
   }
   if (resources.proxyEnabled) {
-    logger10.log("Stopping network proxy...");
-    await getProxyManager().stop();
+    try {
+      logger12.log("Stopping network proxy...");
+      await getProxyManager().stop();
+    } catch (err) {
+      const error = err instanceof Error ? err : new Error(String(err));
+      errors.push(error);
+      logger12.error(`Failed to stop network proxy: ${error.message}`);
+    }
+  }
+  try {
+    cleanupOverlayPool();
+  } catch (err) {
+    const error = err instanceof Error ? err : new Error(String(err));
+    errors.push(error);
+    logger12.error(`Failed to cleanup overlay pool: ${error.message}`);
+  }
+  try {
+    releaseRunnerLock();
+  } catch (err) {
+    const error = err instanceof Error ? err : new Error(String(err));
+    errors.push(error);
+    logger12.error(`Failed to release runner lock: ${error.message}`);
+  }
+  if (errors.length > 0) {
+    logger12.error(`Cleanup completed with ${errors.length} error(s)`);
   }
 }
 
 // src/lib/runner/signals.ts
-var logger11 = createLogger("Runner");
+var logger13 = createLogger("Runner");
 function setupSignalHandlers(state, handlers) {
   process.on("SIGINT", () => {
-    logger11.log("\nShutting down...");
-    handlers.onShutdown();
-    state.mode = "stopped";
+    logger13.log("\nShutting down...");
+    state.mode = "stopping";
     handlers.updateStatus();
+    handlers.onShutdown();
   });
   process.on("SIGTERM", () => {
-    logger11.log("\nShutting down...");
-    handlers.onShutdown();
-    state.mode = "stopped";
+    logger13.log("\nShutting down...");
+    state.mode = "stopping";
     handlers.updateStatus();
+    handlers.onShutdown();
   });
   process.on("SIGUSR1", () => {
     if (state.mode === "running") {
-      logger11.log("\n[Maintenance] Entering drain mode...");
-      logger11.log(
+      logger13.log("\n[Maintenance] Entering drain mode...");
+      logger13.log(
         `[Maintenance] Active jobs: ${state.activeRuns.size} (will wait for completion)`
       );
       state.mode = "draining";
@@ -9947,7 +10169,7 @@ function setupSignalHandlers(state, handlers) {
 }
 
 // src/lib/runner/runner.ts
-var logger12 = createLogger("Runner");
+var logger14 = createLogger("Runner");
 var Runner = class _Runner {
   config;
   statusFilePath;
@@ -9986,41 +10208,43 @@ var Runner = class _Runner {
       onDrain: () => {
         this.pendingJobs.length = 0;
         if (this.state.activeRuns.size === 0) {
-          logger12.log("[Maintenance] No active jobs, exiting immediately");
+          logger14.log("[Maintenance] No active jobs, exiting immediately");
+          this.state.mode = "stopping";
+          this.updateStatus();
           this.resolveShutdown?.();
         }
       },
       updateStatus: this.updateStatus
     });
-    logger12.log(
+    logger14.log(
       `Starting runner '${this.config.name}' for group '${this.config.group}'...`
     );
-    logger12.log(`Max concurrent jobs: ${this.config.sandbox.max_concurrent}`);
-    logger12.log(`Status file: ${this.statusFilePath}`);
-    logger12.log("Press Ctrl+C to stop");
-    logger12.log("");
+    logger14.log(`Max concurrent jobs: ${this.config.sandbox.max_concurrent}`);
+    logger14.log(`Status file: ${this.statusFilePath}`);
+    logger14.log("Press Ctrl+C to stop");
+    logger14.log("");
     this.updateStatus();
-    logger12.log("Checking for pending jobs...");
+    logger14.log("Checking for pending jobs...");
     await this.pollFallback();
-    logger12.log("Connecting to realtime job notifications...");
+    logger14.log("Connecting to realtime job notifications...");
     this.subscription = await subscribeToJobs(
       this.config.server,
       this.config.group,
       (notification) => {
-        logger12.log(`Ably notification: ${notification.runId}`);
+        logger14.log(`Ably notification: ${notification.runId}`);
         this.processJob(notification.runId).catch(console.error);
       },
       (connectionState, reason) => {
-        logger12.log(
+        logger14.log(
           `Ably connection: ${connectionState}${reason ? ` (${reason})` : ""}`
         );
       }
     );
-    logger12.log("Connected to realtime job notifications");
+    logger14.log("Connected to realtime job notifications");
     this.pollInterval = setInterval(() => {
       this.pollFallback().catch(console.error);
     }, this.config.sandbox.poll_interval_ms);
-    logger12.log(
+    logger14.log(
       `Polling fallback enabled (every ${this.config.sandbox.poll_interval_ms / 1e3}s)`
     );
     await shutdownPromise;
@@ -10031,7 +10255,7 @@ var Runner = class _Runner {
       this.subscription.cleanup();
     }
     if (this.state.jobPromises.size > 0) {
-      logger12.log(
+      logger14.log(
         `Waiting for ${this.state.jobPromises.size} active job(s) to complete...`
       );
       await Promise.all(this.state.jobPromises);
@@ -10039,7 +10263,7 @@ var Runner = class _Runner {
     await cleanupEnvironment(this.resources);
     this.state.mode = "stopped";
     this.updateStatus();
-    logger12.log("Runner stopped");
+    logger14.log("Runner stopped");
     process.exit(0);
   }
   /**
@@ -10056,11 +10280,11 @@ var Runner = class _Runner {
         () => pollForJob(this.config.server, this.config.group)
       );
       if (job) {
-        logger12.log(`Poll fallback found job: ${job.runId}`);
+        logger14.log(`Poll fallback found job: ${job.runId}`);
         await this.processJob(job.runId);
       }
     } catch (error) {
-      logger12.error(
+      logger14.error(
         `Poll fallback error: ${error instanceof Error ? error.message : "Unknown error"}`
       );
     }
@@ -10070,7 +10294,7 @@ var Runner = class _Runner {
    */
   async processJob(runId) {
     if (this.state.mode !== "running") {
-      logger12.log(`Not running (${this.state.mode}), ignoring job ${runId}`);
+      logger14.log(`Not running (${this.state.mode}), ignoring job ${runId}`);
       return;
     }
     if (this.state.activeRuns.has(runId)) {
@@ -10078,10 +10302,10 @@ var Runner = class _Runner {
     }
     if (this.state.activeRuns.size >= this.config.sandbox.max_concurrent) {
       if (!this.pendingJobs.includes(runId) && this.pendingJobs.length < _Runner.MAX_PENDING_QUEUE_SIZE) {
-        logger12.log(`At capacity, queueing job ${runId}`);
+        logger14.log(`At capacity, queueing job ${runId}`);
         this.pendingJobs.push(runId);
       } else if (this.pendingJobs.length >= _Runner.MAX_PENDING_QUEUE_SIZE) {
-        logger12.log(
+        logger14.log(
           `Pending queue full (${_Runner.MAX_PENDING_QUEUE_SIZE}), dropping job ${runId}`
         );
       }
@@ -10092,11 +10316,11 @@ var Runner = class _Runner {
         "claim",
         () => claimJob(this.config.server, runId)
       );
-      logger12.log(`Claimed job: ${context.runId}`);
+      logger14.log(`Claimed job: ${context.runId}`);
       this.state.activeRuns.add(context.runId);
       this.updateStatus();
       const jobPromise = this.executeJob(context).catch((error) => {
-        logger12.error(
+        logger14.error(
           `Job ${context.runId} failed: ${error instanceof Error ? error.message : "Unknown error"}`
         );
       }).finally(() => {
@@ -10104,7 +10328,9 @@ var Runner = class _Runner {
         this.state.jobPromises.delete(jobPromise);
         this.updateStatus();
         if (this.state.mode === "draining" && this.state.activeRuns.size === 0) {
-          logger12.log("[Maintenance] All jobs completed, exiting");
+          logger14.log("[Maintenance] All jobs completed, exiting");
+          this.state.mode = "stopping";
+          this.updateStatus();
           this.resolveShutdown?.();
           return;
         }
@@ -10117,33 +10343,33 @@ var Runner = class _Runner {
       });
       this.state.jobPromises.add(jobPromise);
     } catch (error) {
-      logger12.log(
+      logger14.log(
         `Could not claim job ${runId}: ${error instanceof Error ? error.message : "Unknown error"}`
       );
     }
   }
   async executeJob(context) {
-    logger12.log(`  Executing job ${context.runId}...`);
-    logger12.log(`  Prompt: ${context.prompt.substring(0, 100)}...`);
-    logger12.log(`  Compose version: ${context.agentComposeVersionId}`);
+    logger14.log(`  Executing job ${context.runId}...`);
+    logger14.log(`  Prompt: ${context.prompt.substring(0, 100)}...`);
+    logger14.log(`  Compose version: ${context.agentComposeVersionId}`);
     try {
       const result = await executeJob(context, this.config);
-      logger12.log(
+      logger14.log(
         `  Job ${context.runId} execution completed with exit code ${result.exitCode}`
       );
       if (result.exitCode !== 0 && result.error) {
-        logger12.error(`  Job ${context.runId} failed: ${result.error}`);
+        logger14.error(`  Job ${context.runId} failed: ${result.error}`);
       }
     } catch (err) {
       const error = err instanceof Error ? err.message : "Unknown execution error";
-      logger12.error(`  Job ${context.runId} execution failed: ${error}`);
+      logger14.error(`  Job ${context.runId} execution failed: ${error}`);
       const result = await completeJob(
         this.config.server.url,
         context,
         1,
         error
       );
-      logger12.log(`  Job ${context.runId} reported as ${result.status}`);
+      logger14.log(`  Job ${context.runId} reported as ${result.status}`);
     }
   }
 };
@@ -10174,7 +10400,7 @@ import { dirname as dirname2, join as join3 } from "path";
 
 // src/lib/firecracker/process.ts
 import { readdirSync, readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
-import path5 from "path";
+import path7 from "path";
 function parseFirecrackerCmdline(cmdline) {
   const args = cmdline.split("\0");
   if (!args[0]?.includes("firecracker")) return null;
@@ -10207,7 +10433,7 @@ function findFirecrackerProcesses() {
   for (const entry of entries) {
     if (!/^\d+$/.test(entry)) continue;
     const pid = parseInt(entry, 10);
-    const cmdlinePath = path5.join(procDir, entry, "cmdline");
+    const cmdlinePath = path7.join(procDir, entry, "cmdline");
     if (!existsSync3(cmdlinePath)) continue;
     try {
       const cmdline = readFileSync2(cmdlinePath, "utf-8");
@@ -10225,7 +10451,7 @@ function findProcessByVmId(vmId) {
   const processes = findFirecrackerProcesses();
   return processes.find((p) => p.vmId === vmId) || null;
 }
-function isProcessRunning(pid) {
+function isProcessRunning2(pid) {
   try {
     process.kill(pid, 0);
     return true;
@@ -10234,24 +10460,24 @@ function isProcessRunning(pid) {
   }
 }
 async function killProcess(pid, timeoutMs = 5e3) {
-  if (!isProcessRunning(pid)) return true;
+  if (!isProcessRunning2(pid)) return true;
   try {
     process.kill(pid, "SIGTERM");
   } catch {
-    return !isProcessRunning(pid);
+    return !isProcessRunning2(pid);
   }
   const startTime = Date.now();
   while (Date.now() - startTime < timeoutMs) {
-    if (!isProcessRunning(pid)) return true;
+    if (!isProcessRunning2(pid)) return true;
     await new Promise((resolve) => setTimeout(resolve, 100));
   }
-  if (isProcessRunning(pid)) {
+  if (isProcessRunning2(pid)) {
     try {
       process.kill(pid, "SIGKILL");
     } catch {
     }
   }
-  return !isProcessRunning(pid);
+  return !isProcessRunning2(pid);
 }
 function findMitmproxyProcess() {
   const procDir = "/proc";
@@ -10264,7 +10490,7 @@ function findMitmproxyProcess() {
   for (const entry of entries) {
     if (!/^\d+$/.test(entry)) continue;
     const pid = parseInt(entry, 10);
-    const cmdlinePath = path5.join(procDir, entry, "cmdline");
+    const cmdlinePath = path7.join(procDir, entry, "cmdline");
     if (!existsSync3(cmdlinePath)) continue;
     try {
       const cmdline = readFileSync2(cmdlinePath, "utf-8");
@@ -10736,6 +10962,12 @@ var benchmarkCommand = new Command4("benchmark").description(
     }
     timer.log("Setting up network bridge...");
     await setupBridge();
+    timer.log("Initializing overlay pool...");
+    await initOverlayPool({
+      size: 2,
+      replenishThreshold: 1,
+      poolDir: "/var/run/vm0/overlay-pool-benchmark"
+    });
     timer.log(`Executing command: ${prompt}`);
     const context = createBenchmarkContext(prompt, options);
     const result = await executeJob(context, config, {
@@ -10756,7 +10988,7 @@ var benchmarkCommand = new Command4("benchmark").description(
 });
 
 // src/index.ts
-var version = true ? "3.6.2" : "0.1.0";
+var version = true ? "3.7.1" : "0.1.0";
 program.name("vm0-runner").version(version).description("Self-hosted runner for VM0 agents");
 program.addCommand(startCommand);
 program.addCommand(doctorCommand);