@vm0/runner 3.9.2 → 3.9.4

package/index.js

@@ -5,7 +5,6 @@ import { program } from "commander";
 
 // src/commands/start.ts
 import { Command } from "commander";
-import { dirname, join } from "path";
 
 // src/lib/config.ts
 import { z } from "zod";
@@ -19,22 +18,35 @@ var VM0_TMP_PREFIX = "/tmp/vm0";
 var runtimePaths = {
   /** Runner PID file for single-instance lock */
   runnerPid: path.join(VM0_RUN_DIR, "runner.pid"),
-  /** IP pool lock file */
-  ipPoolLock: path.join(VM0_RUN_DIR, "ip-pool.lock.active"),
   /** IP allocation registry */
   ipRegistry: path.join(VM0_RUN_DIR, "ip-registry.json")
 };
-var dataPaths = {
+var VM_WORKSPACE_PREFIX = "vm0-";
+var runnerPaths = {
   /** Overlay pool directory for pre-warmed VM overlays */
-  overlayPool: (dataDir) => path.join(dataDir, "overlay-pool")
+  overlayPool: (baseDir) => path.join(baseDir, "overlay-pool"),
+  /** Workspaces directory for VM work directories */
+  workspacesDir: (baseDir) => path.join(baseDir, "workspaces"),
+  /** VM work directory */
+  vmWorkDir: (baseDir, vmId) => path.join(baseDir, "workspaces", `${VM_WORKSPACE_PREFIX}${vmId}`),
+  /** Runner status file */
+  statusFile: (baseDir) => path.join(baseDir, "status.json"),
+  /** Check if a directory name is a VM workspace */
+  isVmWorkspace: (dirname) => dirname.startsWith(VM_WORKSPACE_PREFIX),
+  /** Extract vmId from workspace directory name */
+  extractVmId: (dirname) => dirname.replace(VM_WORKSPACE_PREFIX, "")
+};
+var vmPaths = {
+  /** Firecracker config file (used with --config-file --no-api) */
+  config: (workDir) => path.join(workDir, "config.json"),
+  /** Vsock UDS for host-guest communication */
+  vsock: (workDir) => path.join(workDir, "vsock.sock")
 };
 var tempPaths = {
   /** Default proxy CA directory */
   proxyDir: `${VM0_TMP_PREFIX}-proxy`,
   /** VM registry for proxy */
   vmRegistry: `${VM0_TMP_PREFIX}-vm-registry.json`,
-  /** VM work directory (fallback when not using workspaces) */
-  vmWorkDir: (vmId) => `${VM0_TMP_PREFIX}-vm-${vmId}`,
   /** Network log file for a run */
   networkLog: (runId) => `${VM0_TMP_PREFIX}-network-${runId}.jsonl`
 };
@@ -56,7 +68,7 @@ var runnerConfigSchema = z.object({
     /^[a-z0-9-]+\/[a-z0-9-]+$/,
     "Group must be in format 'scope/name' (lowercase, hyphens allowed)"
   ),
-  data_dir: z.string().min(1, "Data directory is required"),
+  base_dir: z.string().min(1, "Base directory is required"),
   server: z.object({
     url: z.url({ message: "Server URL must be a valid URL" }),
     token: z.string().min(1, "Server token is required")
@@ -84,7 +96,7 @@ var DEBUG_SERVER_DEFAULTS = {
 var debugConfigSchema = z.object({
   name: z.string().default("debug-runner"),
   group: z.string().default("debug/local"),
-  data_dir: z.string().min(1, "Data directory is required"),
+  base_dir: z.string().min(1, "Base directory is required"),
   server: z.object({
     url: z.url().default(DEBUG_SERVER_DEFAULTS.url),
     token: z.string().default(DEBUG_SERVER_DEFAULTS.token)
@@ -302,175 +314,11 @@ async function subscribeToJobs(server, group, onJob, onConnectionChange) {
   };
 }
 
-// src/lib/executor.ts
-import path6 from "path";
-
 // src/lib/firecracker/vm.ts
 import { spawn } from "child_process";
 import fs4 from "fs";
-import path4 from "path";
 import readline from "readline";
 
-// src/lib/firecracker/client.ts
-import http from "http";
-var FirecrackerClient = class {
-  socketPath;
-  constructor(socketPath) {
-    this.socketPath = socketPath;
-  }
-  /**
-   * Make HTTP request to Firecracker API
-   */
-  async request(method, path9, body) {
-    return new Promise((resolve, reject) => {
-      const bodyStr = body !== void 0 ? JSON.stringify(body) : void 0;
-      const headers = {
-        Accept: "application/json",
-        Connection: "close"
-        // Disable keep-alive to prevent request pipelining issues
-      };
-      if (bodyStr !== void 0) {
-        headers["Content-Type"] = "application/json";
-        headers["Content-Length"] = Buffer.byteLength(bodyStr);
-      }
-      console.log(
-        `[FC API] ${method} ${path9}${bodyStr ? ` (${Buffer.byteLength(bodyStr)} bytes)` : ""}`
-      );
-      const options = {
-        socketPath: this.socketPath,
-        path: path9,
-        method,
-        headers,
-        // Disable agent to ensure fresh connection for each request
-        // Firecracker's single-threaded API can have issues with pipelined requests
-        agent: false
-      };
-      const req = http.request(options, (res) => {
-        let data = "";
-        res.on("data", (chunk) => {
-          data += chunk.toString();
-        });
-        res.on("end", () => {
-          if (res.statusCode && res.statusCode >= 200 && res.statusCode < 300) {
-            if (data) {
-              try {
-                resolve(JSON.parse(data));
-              } catch {
-                resolve(data);
-              }
-            } else {
-              resolve(void 0);
-            }
-          } else {
-            let errorMsg = `Firecracker API error: ${res.statusCode}`;
-            if (data) {
-              try {
-                const errorBody = JSON.parse(data);
-                if (errorBody.fault_message) {
-                  errorMsg = `${errorMsg} - ${errorBody.fault_message}`;
-                }
-              } catch {
-                errorMsg = `${errorMsg} - ${data}`;
-              }
-            }
-            reject(new Error(errorMsg));
-          }
-        });
-      });
-      req.on("error", (err) => {
-        reject(new Error(`Failed to connect to Firecracker: ${err.message}`));
-      });
-      if (bodyStr !== void 0) {
-        req.write(bodyStr);
-      }
-      req.end();
-    });
-  }
-  /**
-   * Configure machine settings (vCPUs, memory)
-   */
-  async setMachineConfig(config) {
-    await this.request("PUT", "/machine-config", config);
-  }
-  /**
-   * Configure boot source (kernel)
-   */
-  async setBootSource(config) {
-    await this.request("PUT", "/boot-source", config);
-  }
-  /**
-   * Add or update a drive (block device)
-   */
-  async setDrive(drive) {
-    await this.request("PUT", `/drives/${drive.drive_id}`, drive);
-  }
-  /**
-   * Add or update a network interface
-   */
-  async setNetworkInterface(iface) {
-    await this.request("PUT", `/network-interfaces/${iface.iface_id}`, iface);
-  }
-  /**
-   * Configure vsock device for host-guest communication
-   */
-  async setVsock(vsock) {
-    await this.request("PUT", "/vsock", vsock);
-  }
-  /**
-   * Perform an action (start, stop, etc.)
-   */
-  async performAction(actionType) {
-    await this.request("PUT", "/actions", { action_type: actionType });
-  }
-  /**
-   * Start the VM instance
-   */
-  async start() {
-    await this.performAction("InstanceStart");
-  }
-  /**
-   * Send Ctrl+Alt+Del to the VM (graceful shutdown request)
-   */
-  async sendCtrlAltDel() {
-    await this.performAction("SendCtrlAltDel");
-  }
-  /**
-   * Get machine configuration
-   */
-  async getMachineConfig() {
-    return await this.request("GET", "/machine-config");
-  }
-  /**
-   * Check if the Firecracker API is ready
-   * Returns true if API is responding
-   */
-  async isReady() {
-    try {
-      await this.request("GET", "/");
-      return true;
-    } catch {
-      return false;
-    }
-  }
-  /**
-   * Wait for Firecracker API to become ready
-   * @param timeoutMs Maximum time to wait
-   * @param intervalMs Polling interval
-   */
-  async waitUntilReady(timeoutMs = 5e3, intervalMs = 100) {
-    const start = Date.now();
-    while (Date.now() - start < timeoutMs) {
-      if (await this.isReady()) {
-        return;
-      }
-      await new Promise((resolve) => setTimeout(resolve, intervalMs));
-    }
-    throw new Error(
-      `Firecracker API not ready after ${timeoutMs}ms at ${this.socketPath}`
-    );
-  }
-};
-
 // src/lib/firecracker/network.ts
 import { execSync, exec } from "child_process";
 import { promisify } from "util";
@@ -1004,28 +852,47 @@ import { exec as exec3 } from "child_process";
 import { promisify as promisify3 } from "util";
 import * as fs3 from "fs";
 import path3 from "path";
+
+// src/lib/utils/file-lock.ts
+import lockfile from "proper-lockfile";
+var DEFAULT_OPTIONS = {
+  stale: 3e4,
+  // Consider lock stale after 30 seconds
+  retries: {
+    retries: 5,
+    minTimeout: 100,
+    maxTimeout: 1e3
+  }
+};
+async function withFileLock(path7, fn, options) {
+  const release = await lockfile.lock(path7, { ...DEFAULT_OPTIONS, ...options });
+  try {
+    return await fn();
+  } finally {
+    await release();
+  }
+}
+
+// src/lib/firecracker/ip-registry.ts
 var execAsync3 = promisify3(exec3);
 var logger3 = createLogger("IPRegistry");
 var IP_PREFIX = "172.16.0.";
 var IP_START = 2;
 var IP_END = 254;
-var LOCK_TIMEOUT_MS = 1e4;
-var LOCK_RETRY_INTERVAL_MS = 100;
-async function defaultEnsureRunDir(runDir) {
-  if (!fs3.existsSync(runDir)) {
-    await execAsync3(`sudo mkdir -p ${runDir}`);
-    await execAsync3(`sudo chmod 777 ${runDir}`);
+async function defaultEnsureRegistryDir(registryPath) {
+  const dir = path3.dirname(registryPath);
+  if (!fs3.existsSync(dir)) {
+    await execAsync3(`sudo mkdir -p ${dir}`);
+    await execAsync3(`sudo chmod 777 ${dir}`);
   }
 }
-async function defaultScanTapDevices() {
+async function scanTapDevices() {
   const tapDevices = /* @__PURE__ */ new Set();
   try {
-    const { stdout } = await execAsync3(
-      `ip -o link show type tuntap 2>/dev/null || true`
-    );
+    const { stdout } = await execAsync3(`ip link show 2>/dev/null || true`);
     const lines = stdout.split("\n");
     for (const line of lines) {
-      const match = line.match(/^\d+:\s+([a-z0-9]+):/);
+      const match = line.match(/^\d+:\s+(vm0[a-z0-9]+):/);
       if (match && match[1]) {
         tapDevices.add(match[1]);
       }
@@ -1056,13 +923,11 @@ function isProcessRunning(pid) {
 var IPRegistry = class {
   config;
   constructor(config = {}) {
-    const runDir = config.runDir ?? VM0_RUN_DIR;
+    const registryPath = config.registryPath ?? runtimePaths.ipRegistry;
     this.config = {
-      runDir,
-      lockPath: config.lockPath ?? path3.join(runDir, "ip-pool.lock.active"),
-      registryPath: config.registryPath ?? path3.join(runDir, "ip-registry.json"),
-      ensureRunDir: config.ensureRunDir ?? (() => defaultEnsureRunDir(runDir)),
-      scanTapDevices: config.scanTapDevices ?? defaultScanTapDevices,
+      registryPath,
+      ensureRegistryDir: config.ensureRegistryDir ?? (() => defaultEnsureRegistryDir(registryPath)),
+      scanTapDevices: config.scanTapDevices ?? scanTapDevices,
       checkTapExists: config.checkTapExists ?? defaultCheckTapExists
     };
   }
@@ -1071,44 +936,21 @@ var IPRegistry = class {
    * Execute a function while holding an exclusive lock on the IP pool
    */
   async withIPLock(fn) {
-    await this.config.ensureRunDir();
-    const startTime = Date.now();
-    let lockAcquired = false;
-    while (Date.now() - startTime < LOCK_TIMEOUT_MS) {
+    await this.config.ensureRegistryDir();
+    if (!fs3.existsSync(this.config.registryPath)) {
       try {
-        fs3.writeFileSync(this.config.lockPath, process.pid.toString(), {
-          flag: "wx"
-        });
-        lockAcquired = true;
-        break;
-      } catch {
-        try {
-          const pidStr = fs3.readFileSync(this.config.lockPath, "utf-8");
-          const pid = parseInt(pidStr, 10);
-          if (!isProcessRunning(pid)) {
-            fs3.unlinkSync(this.config.lockPath);
-            continue;
-          }
-        } catch {
-        }
-        await new Promise(
-          (resolve) => setTimeout(resolve, LOCK_RETRY_INTERVAL_MS)
+        fs3.writeFileSync(
+          this.config.registryPath,
+          JSON.stringify({ allocations: {} }, null, 2),
+          { flag: "wx" }
         );
+      } catch (err) {
+        if (err.code !== "EEXIST") {
+          throw err;
+        }
       }
     }
-    if (!lockAcquired) {
-      throw new Error(
-        `Failed to acquire IP pool lock after ${LOCK_TIMEOUT_MS}ms`
-      );
-    }
-    try {
-      return await fn();
-    } finally {
-      try {
-        fs3.unlinkSync(this.config.lockPath);
-      } catch {
-      }
-    }
+    return withFileLock(this.config.registryPath, fn);
   }
   // ============ Registry CRUD ============
   /**
@@ -1441,22 +1283,8 @@ var TapPool = class {
    * Scan for orphaned TAP devices from previous runs (matching this pool's prefix)
    */
   async scanOrphanedTaps() {
-    try {
-      const { stdout } = await execAsync4(
-        `ip -o link show type tuntap 2>/dev/null || true`
-      );
-      const orphaned = [];
-      const lines = stdout.split("\n");
-      for (const line of lines) {
-        const match = line.match(/^\d+:\s+([a-z0-9]+):/);
-        if (match && match[1] && this.isOwnTap(match[1])) {
-          orphaned.push(match[1]);
-        }
-      }
-      return orphaned;
-    } catch {
-      return [];
-    }
+    const allTaps = await scanTapDevices();
+    return Array.from(allTaps).filter((tap) => this.isOwnTap(tap));
   }
   /**
    * Initialize the TAP pool
@@ -1674,20 +1502,20 @@ var logger5 = createLogger("VM");
 var FirecrackerVM = class {
   config;
   process = null;
-  client = null;
   networkConfig = null;
   state = "created";
   workDir;
-  socketPath;
   vmOverlayPath = null;
   // Set during start()
   vsockPath;
   // Vsock UDS path for host-guest communication
+  configPath;
+  // Firecracker config file path
   constructor(config) {
     this.config = config;
-    this.workDir = config.workDir || tempPaths.vmWorkDir(config.vmId);
-    this.socketPath = path4.join(this.workDir, "firecracker.sock");
-    this.vsockPath = path4.join(this.workDir, "vsock.sock");
+    this.workDir = config.workDir;
+    this.vsockPath = vmPaths.vsock(this.workDir);
+    this.configPath = vmPaths.config(this.workDir);
   }
   /**
    * Get current VM state
@@ -1707,12 +1535,6 @@ var FirecrackerVM = class {
   getNetworkConfig() {
     return this.networkConfig;
   }
-  /**
-   * Get the socket path for Firecracker API
-   */
-  getSocketPath() {
-    return this.socketPath;
-  }
   /**
    * Get the vsock UDS path for host-guest communication
    */
@@ -1721,7 +1543,8 @@ var FirecrackerVM = class {
   }
   /**
    * Start the VM
-   * This spawns Firecracker, configures it via API, and boots the VM
+   * Uses Firecracker's static configuration mode (--config-file --no-api)
+   * for faster startup by eliminating API polling and HTTP request overhead.
    */
   async start() {
     if (this.state !== "created") {
@@ -1729,19 +1552,29 @@ var FirecrackerVM = class {
     }
     try {
       fs4.mkdirSync(this.workDir, { recursive: true });
-      if (fs4.existsSync(this.socketPath)) {
-        fs4.unlinkSync(this.socketPath);
-      }
       logger5.log(`[VM ${this.config.vmId}] Acquiring overlay...`);
       this.vmOverlayPath = await acquireOverlay();
       logger5.log(`[VM ${this.config.vmId}] Overlay acquired`);
       logger5.log(`[VM ${this.config.vmId}] Acquiring TAP+IP...`);
       this.networkConfig = await acquireTap(this.config.vmId);
       logger5.log(`[VM ${this.config.vmId}] TAP+IP acquired`);
+      const config = this.buildConfig();
+      fs4.writeFileSync(this.configPath, JSON.stringify(config, null, 2));
+      logger5.log(
+        `[VM ${this.config.vmId}] Configuring: ${this.config.vcpus} vCPUs, ${this.config.memoryMb}MB RAM`
+      );
+      logger5.log(
+        `[VM ${this.config.vmId}] Base rootfs: ${this.config.rootfsPath}`
+      );
+      logger5.log(`[VM ${this.config.vmId}] Overlay: ${this.vmOverlayPath}`);
+      logger5.log(
+        `[VM ${this.config.vmId}] Network: ${this.networkConfig.tapDevice}`
+      );
+      logger5.log(`[VM ${this.config.vmId}] Vsock: ${this.vsockPath}`);
       logger5.log(`[VM ${this.config.vmId}] Starting Firecracker...`);
       this.process = spawn(
         this.config.firecrackerBinary,
-        ["--api-sock", this.socketPath],
+        ["--config-file", this.configPath, "--no-api"],
         {
           cwd: this.workDir,
           stdio: ["ignore", "pipe", "pipe"],
@@ -1780,13 +1613,6 @@ var FirecrackerVM = class {
           }
         });
       }
-      this.client = new FirecrackerClient(this.socketPath);
-      logger5.log(`[VM ${this.config.vmId}] Waiting for API...`);
-      await this.client.waitUntilReady(1e4, 100);
-      this.state = "configuring";
-      await this.configure();
-      logger5.log(`[VM ${this.config.vmId}] Booting...`);
-      await this.client.start();
       this.state = "running";
       logger5.log(
         `[VM ${this.config.vmId}] Running at ${this.networkConfig.guestIp}`
@@ -1798,59 +1624,83 @@ var FirecrackerVM = class {
     }
   }
   /**
-   * Configure the VM via Firecracker API
-   */
-  async configure() {
-    if (!this.client || !this.networkConfig || !this.vmOverlayPath) {
+   * Build Firecracker configuration object
+   *
+   * Creates the JSON configuration for Firecracker's --config-file option.
+   * Boot args:
+   *   - console=ttyS0: serial console output
+   *   - reboot=k: use keyboard controller for reboot
+   *   - panic=1: reboot after 1 second on kernel panic
+   *   - pci=off: disable PCI bus (not needed in microVM)
+   *   - nomodules: skip module loading (not needed in microVM)
+   *   - random.trust_cpu=on: trust CPU RNG, skip entropy wait
+   *   - quiet loglevel=0: minimize kernel log output
+   *   - nokaslr: disable kernel address space randomization
+   *   - audit=0: disable kernel auditing
+   *   - numa=off: disable NUMA (single node)
+   *   - mitigations=off: disable CPU vulnerability mitigations
+   *   - noresume: skip hibernation resume check
+   *   - init=/sbin/vm-init: use vm-init (Rust binary) for filesystem setup and vsock-agent
+   *   - ip=...: network configuration (guest IP, gateway, netmask)
+   */
+  buildConfig() {
+    if (!this.networkConfig || !this.vmOverlayPath) {
       throw new Error("VM not properly initialized");
     }
-    logger5.log(
-      `[VM ${this.config.vmId}] Configuring: ${this.config.vcpus} vCPUs, ${this.config.memoryMb}MB RAM`
-    );
-    await this.client.setMachineConfig({
-      vcpu_count: this.config.vcpus,
-      mem_size_mib: this.config.memoryMb
-    });
     const networkBootArgs = generateNetworkBootArgs(this.networkConfig);
     const bootArgs = `console=ttyS0 reboot=k panic=1 pci=off nomodules random.trust_cpu=on quiet loglevel=0 nokaslr audit=0 numa=off mitigations=off noresume init=/sbin/vm-init ${networkBootArgs}`;
     logger5.log(`[VM ${this.config.vmId}] Boot args: ${bootArgs}`);
-    await this.client.setBootSource({
-      kernel_image_path: this.config.kernelPath,
-      boot_args: bootArgs
-    });
-    logger5.log(
-      `[VM ${this.config.vmId}] Base rootfs: ${this.config.rootfsPath}`
-    );
-    await this.client.setDrive({
-      drive_id: "rootfs",
-      path_on_host: this.config.rootfsPath,
-      is_root_device: true,
-      is_read_only: true
-    });
-    logger5.log(`[VM ${this.config.vmId}] Overlay: ${this.vmOverlayPath}`);
-    await this.client.setDrive({
-      drive_id: "overlay",
-      path_on_host: this.vmOverlayPath,
-      is_root_device: false,
-      is_read_only: false
-    });
-    logger5.log(
-      `[VM ${this.config.vmId}] Network: ${this.networkConfig.tapDevice}`
-    );
-    await this.client.setNetworkInterface({
-      iface_id: "eth0",
-      guest_mac: this.networkConfig.guestMac,
-      host_dev_name: this.networkConfig.tapDevice
-    });
-    logger5.log(`[VM ${this.config.vmId}] Vsock: ${this.vsockPath}`);
-    await this.client.setVsock({
-      vsock_id: "vsock0",
-      guest_cid: 3,
-      uds_path: this.vsockPath
-    });
+    return {
+      "boot-source": {
+        kernel_image_path: this.config.kernelPath,
+        boot_args: bootArgs
+      },
+      drives: [
+        // Base drive (squashfs, read-only, shared across VMs)
+        // Mounted as /dev/vda inside the VM
+        {
+          drive_id: "rootfs",
+          path_on_host: this.config.rootfsPath,
+          is_root_device: true,
+          is_read_only: true
+        },
+        // Overlay drive (ext4, read-write, per-VM)
+        // Mounted as /dev/vdb inside the VM
+        // The vm-init script combines these using overlayfs
+        {
+          drive_id: "overlay",
+          path_on_host: this.vmOverlayPath,
+          is_root_device: false,
+          is_read_only: false
+        }
+      ],
+      "machine-config": {
+        vcpu_count: this.config.vcpus,
+        mem_size_mib: this.config.memoryMb
+      },
+      "network-interfaces": [
+        {
+          iface_id: "eth0",
+          guest_mac: this.networkConfig.guestMac,
+          host_dev_name: this.networkConfig.tapDevice
+        }
+      ],
+      // Guest CID 3 is the standard guest identifier (CID 0=hypervisor, 1=local, 2=host)
+      vsock: {
+        guest_cid: 3,
+        uds_path: this.vsockPath
+      }
+    };
   }
   /**
-   * Stop the VM gracefully
+   * Stop the VM
+   *
+   * Note: With --no-api mode, we can only force kill the process.
+   * The VM doesn't have an API endpoint for graceful shutdown.
+   *
+   * TODO(#2118): Implement graceful shutdown via vsock command to guest agent.
+   * This would allow the guest to clean up before termination without
+   * adding the startup latency of API mode.
    */
   async stop() {
     if (this.state !== "running") {
@@ -1859,17 +1709,7 @@ var FirecrackerVM = class {
     }
     this.state = "stopping";
     logger5.log(`[VM ${this.config.vmId}] Stopping...`);
-    try {
-      if (this.client) {
-        await this.client.sendCtrlAltDel().catch((error) => {
-          logger5.log(
-            `[VM ${this.config.vmId}] Graceful shutdown signal failed (VM may already be stopping): ${error instanceof Error ? error.message : error}`
-          );
-        });
-      }
-    } finally {
-      await this.cleanup();
-    }
+    await this.cleanup();
   }
   /**
    * Force kill the VM
@@ -1909,7 +1749,6 @@ var FirecrackerVM = class {
     if (fs4.existsSync(this.workDir)) {
       fs4.rmSync(this.workDir, { recursive: true, force: true });
     }
-    this.client = null;
     this.state = "stopped";
     logger5.log(`[VM ${this.config.vmId}] Stopped`);
   }
@@ -1974,8 +1813,8 @@ function encodeExecPayload(command, timeoutMs) {
   cmdBuf.copy(payload, 8);
   return payload;
 }
-function encodeWriteFilePayload(path9, content, sudo) {
-  const pathBuf = Buffer.from(path9, "utf-8");
+function encodeWriteFilePayload(path7, content, sudo) {
+  const pathBuf = Buffer.from(path7, "utf-8");
   if (pathBuf.length > 65535) {
     throw new Error(`Path too long: ${pathBuf.length} bytes (max 65535)`);
   }
@@ -2832,8 +2671,8 @@ function getErrorMap() {
   return overrideErrorMap;
 }
 var makeIssue = (params) => {
-  const { data, path: path9, errorMaps, issueData } = params;
-  const fullPath = [...path9, ...issueData.path || []];
+  const { data, path: path7, errorMaps, issueData } = params;
+  const fullPath = [...path7, ...issueData.path || []];
   const fullIssue = {
     ...issueData,
     path: fullPath
@@ -2932,11 +2771,11 @@ var errorUtil;
   errorUtil2.toString = (message) => typeof message === "string" ? message : message === null || message === void 0 ? void 0 : message.message;
 })(errorUtil || (errorUtil = {}));
 var ParseInputLazyPath = class {
-  constructor(parent, value, path9, key) {
+  constructor(parent, value, path7, key) {
     this._cachedPath = [];
     this.parent = parent;
     this.data = value;
-    this._path = path9;
+    this._path = path7;
     this._key = key;
   }
   get path() {
@@ -7904,7 +7743,8 @@ import { z as z17 } from "zod";
 var c11 = initContract();
 var modelProviderTypeSchema = z17.enum([
   "claude-code-oauth-token",
-  "anthropic-api-key"
+  "anthropic-api-key",
+  "moonshot-api-key"
 ]);
 var modelProviderFrameworkSchema = z17.enum(["claude-code", "codex"]);
 var modelProviderResponseSchema = z17.object({
@@ -7913,6 +7753,7 @@ var modelProviderResponseSchema = z17.object({
   framework: modelProviderFrameworkSchema,
   credentialName: z17.string(),
   isDefault: z17.boolean(),
+  selectedModel: z17.string().nullable(),
   createdAt: z17.string(),
   updatedAt: z17.string()
 });
@@ -7922,7 +7763,8 @@ var modelProviderListResponseSchema = z17.object({
 var upsertModelProviderRequestSchema = z17.object({
   type: modelProviderTypeSchema,
   credential: z17.string().min(1, "Credential is required"),
-  convert: z17.boolean().optional()
+  convert: z17.boolean().optional(),
+  selectedModel: z17.string().optional()
 });
 var upsertModelProviderResponseSchema = z17.object({
   provider: modelProviderResponseSchema,
@@ -9218,7 +9060,7 @@ function initVMRegistry(registryPath) {
 // src/lib/proxy/proxy-manager.ts
 import { spawn as spawn2 } from "child_process";
 import fs7 from "fs";
-import path5 from "path";
+import path4 from "path";
 
 // src/lib/proxy/mitm-addon-script.ts
 var RUNNER_MITM_ADDON_SCRIPT = `#!/usr/bin/env python3
@@ -9714,7 +9556,7 @@ var ProxyManager = class {
   process = null;
   isRunning = false;
   constructor(config) {
-    const addonPath = path5.join(config.caDir, "mitm_addon.py");
+    const addonPath = path4.join(config.caDir, "mitm_addon.py");
     this.config = {
       ...DEFAULT_PROXY_OPTIONS,
       ...config,
@@ -9741,7 +9583,7 @@ var ProxyManager = class {
    * Ensure the addon script exists at the configured path
    */
   ensureAddonScript() {
-    const addonDir = path5.dirname(this.config.addonPath);
+    const addonDir = path4.dirname(this.config.addonPath);
     if (!fs7.existsSync(addonDir)) {
       fs7.mkdirSync(addonDir, { recursive: true });
     }
@@ -9757,7 +9599,7 @@ var ProxyManager = class {
     if (!fs7.existsSync(this.config.caDir)) {
       throw new Error(`Proxy CA directory not found: ${this.config.caDir}`);
     }
-    const caCertPath = path5.join(this.config.caDir, "mitmproxy-ca.pem");
+    const caCertPath = path4.join(this.config.caDir, "mitmproxy-ca.pem");
     if (!fs7.existsSync(caCertPath)) {
       throw new Error(`Proxy CA certificate not found: ${caCertPath}`);
     }
@@ -10193,7 +10035,6 @@ async function executeJob(context, config, options = {}) {
   let guestIp = null;
   logger10.log(`Starting job ${context.runId} in VM ${vmId}`);
   try {
-    const workspacesDir = path6.join(process.cwd(), "workspaces");
     const vmConfig = {
       vmId,
       vcpus: config.sandbox.vcpu,
@@ -10201,7 +10042,7 @@ async function executeJob(context, config, options = {}) {
       kernelPath: config.firecracker.kernel,
       rootfsPath: config.firecracker.rootfs,
       firecrackerBinary: config.firecracker.binary,
-      workDir: path6.join(workspacesDir, `vm0-${vmId}`)
+      workDir: runnerPaths.vmWorkDir(config.base_dir, vmId)
     };
     logger10.log(`Creating VM ${vmId}...`);
     vm = new FirecrackerVM(vmConfig);
@@ -10395,7 +10236,7 @@ function createStatusUpdater(statusFilePath, state) {
 // src/lib/runner/runner-lock.ts
 import { exec as exec5 } from "child_process";
 import fs9 from "fs";
-import path7 from "path";
+import path5 from "path";
 import { promisify as promisify5 } from "util";
 var execAsync5 = promisify5(exec5);
 var logger12 = createLogger("RunnerLock");
@@ -10425,7 +10266,7 @@ function isProcessRunning2(pid) {
 async function acquireRunnerLock(options = {}) {
   const pidFile = options.pidFile ?? DEFAULT_PID_FILE;
   const skipSudo = options.skipSudo ?? false;
-  const runDir = path7.dirname(pidFile);
+  const runDir = path5.dirname(pidFile);
   await ensureRunDir(runDir, skipSudo);
   if (fs9.existsSync(pidFile)) {
     const pidStr = fs9.readFileSync(pidFile, "utf-8").trim();
@@ -10478,7 +10319,7 @@ async function setupEnvironment(options) {
   await initOverlayPool({
     size: config.sandbox.max_concurrent + 2,
     replenishThreshold: config.sandbox.max_concurrent,
-    poolDir: dataPaths.overlayPool(config.data_dir)
+    poolDir: runnerPaths.overlayPool(config.base_dir)
   });
   logger13.log("Initializing TAP pool...");
   await initTapPool({
@@ -10798,7 +10639,7 @@ var startCommand = new Command("start").description("Start the runner").option("
     const config = loadConfig(options.config);
     validateFirecrackerPaths(config.firecracker);
     console.log("Config valid");
-    const statusFilePath = join(dirname(options.config), "status.json");
+    const statusFilePath = runnerPaths.statusFile(config.base_dir);
     const runner = new Runner(config, statusFilePath);
     await runner.start();
   } catch (error) {
@@ -10814,11 +10655,10 @@ var startCommand = new Command("start").description("Start the runner").option("
 // src/commands/doctor.ts
 import { Command as Command2 } from "commander";
 import { existsSync as existsSync4, readFileSync as readFileSync3, readdirSync as readdirSync2 } from "fs";
-import { dirname as dirname2, join as join2 } from "path";
 
 // src/lib/firecracker/process.ts
 import { readdirSync, readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
-import path8 from "path";
+import path6 from "path";
 function parseFirecrackerCmdline(cmdline) {
   const args = cmdline.split("\0");
   if (!args[0]?.includes("firecracker")) return null;
@@ -10851,7 +10691,7 @@ function findFirecrackerProcesses() {
   for (const entry of entries) {
     if (!/^\d+$/.test(entry)) continue;
     const pid = parseInt(entry, 10);
-    const cmdlinePath = path8.join(procDir, entry, "cmdline");
+    const cmdlinePath = path6.join(procDir, entry, "cmdline");
     if (!existsSync3(cmdlinePath)) continue;
     try {
       const cmdline = readFileSync2(cmdlinePath, "utf-8");
@@ -10908,7 +10748,7 @@ function findMitmproxyProcess() {
   for (const entry of entries) {
     if (!/^\d+$/.test(entry)) continue;
     const pid = parseInt(entry, 10);
-    const cmdlinePath = path8.join(procDir, entry, "cmdline");
+    const cmdlinePath = path6.join(procDir, entry, "cmdline");
     if (!existsSync3(cmdlinePath)) continue;
     try {
       const cmdline = readFileSync2(cmdlinePath, "utf-8");
@@ -10929,9 +10769,8 @@ var doctorCommand = new Command2("doctor").description("Diagnose runner health,
   async (options) => {
     try {
       const config = loadConfig(options.config);
-      const configDir = dirname2(options.config);
-      const statusFilePath = join2(configDir, "status.json");
-      const workspacesDir = join2(configDir, "workspaces");
+      const statusFilePath = runnerPaths.statusFile(config.base_dir);
+      const workspacesDir = runnerPaths.workspacesDir(config.base_dir);
       console.log(`Runner: ${config.name}`);
       let status = null;
       if (existsSync4(statusFilePath)) {
@@ -10997,7 +10836,7 @@ var doctorCommand = new Command2("doctor").description("Diagnose runner health,
       }
       console.log("");
       const processes = findFirecrackerProcesses();
-      const workspaces = existsSync4(workspacesDir) ? readdirSync2(workspacesDir).filter((d) => d.startsWith("vm0-")) : [];
+      const workspaces = existsSync4(workspacesDir) ? readdirSync2(workspacesDir).filter(runnerPaths.isVmWorkspace) : [];
       const jobs = [];
       const statusVmIds = /* @__PURE__ */ new Set();
       const allocations = getAllocations();
@@ -11072,7 +10911,7 @@ var doctorCommand = new Command2("doctor").description("Diagnose runner health,
         }
       }
       for (const ws of workspaces) {
-        const vmId = ws.replace("vm0-", "");
+        const vmId = runnerPaths.extractVmId(ws);
         if (!processVmIds.has(vmId) && !statusVmIds.has(vmId)) {
           warnings.push({
             message: `Orphan workspace: ${ws} (no matching job or process)`
@@ -11122,21 +10961,18 @@ function formatUptime(ms) {
 // src/commands/kill.ts
 import { Command as Command3 } from "commander";
 import { existsSync as existsSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync3, rmSync } from "fs";
-import { dirname as dirname3, join as join3 } from "path";
 import * as readline2 from "readline";
 var killCommand = new Command3("kill").description("Force terminate a run and clean up all resources").argument("<run-id>", "Run ID (full UUID or short 8-char vmId)").option("--config <path>", "Config file path", "./runner.yaml").option("--force", "Skip confirmation prompt").action(
   // eslint-disable-next-line complexity -- TODO: refactor complex function
   async (runIdArg, options) => {
     try {
-      loadConfig(options.config);
-      const configDir = dirname3(options.config);
-      const statusFilePath = join3(configDir, "status.json");
-      const workspacesDir = join3(configDir, "workspaces");
+      const config = loadConfig(options.config);
+      const statusFilePath = runnerPaths.statusFile(config.base_dir);
       const { vmId, runId } = resolveRunId(runIdArg, statusFilePath);
       console.log(`Killing run ${vmId}...`);
       const proc = findProcessByVmId(vmId);
       const guestIp = getIPForVm(vmId);
-      const workspaceDir = join3(workspacesDir, `vm0-${vmId}`);
+      const workspaceDir = runnerPaths.vmWorkDir(config.base_dir, vmId);
       console.log("");
       console.log("Resources to clean up:");
       if (proc) {
@@ -11367,7 +11203,7 @@ var benchmarkCommand = new Command4("benchmark").description(
     await initOverlayPool({
       size: 2,
       replenishThreshold: 1,
-      poolDir: dataPaths.overlayPool(config.data_dir)
+      poolDir: runnerPaths.overlayPool(config.base_dir)
     });
     await initTapPool({ name: config.name, size: 2, replenishThreshold: 1 });
     poolsInitialized = true;
@@ -11396,7 +11232,7 @@ var benchmarkCommand = new Command4("benchmark").description(
 });
 
 // src/index.ts
-var version = true ? "3.9.2" : "0.1.0";
+var version = true ? "3.9.4" : "0.1.0";
 program.name("vm0-runner").version(version).description("Self-hosted runner for VM0 agents");
 program.addCommand(startCommand);
 program.addCommand(doctorCommand);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vm0/runner",
-  "version": "3.9.2",
+  "version": "3.9.4",
   "description": "Self-hosted runner for VM0 agents",
   "repository": {
     "type": "git",
@@ -17,6 +17,7 @@
   "dependencies": {
     "ably": "^2.17.0",
     "commander": "^14.0.0",
+    "proper-lockfile": "^4.1.2",
     "yaml": "^2.3.4",
     "zod": "^4.1.12"
   }