supermachine 0.7.68

//! High-level public API: [`Image`], [`Vm`], [`VmConfig`], [`Error`].
//!
//! These types wrap the lower-level [`crate::vmm`] primitives
//! (`WarmPool`, `VmResources`, …) into a small, stable surface
//! for embedders: load an image, start a VM, talk to its guest,
//! stop. The lower-level types remain available under
//! `#[doc(hidden)]` for the CLI / router / bench crates that
//! pre-date the narrowing.

use std::collections::VecDeque;
use std::io::{Read, Write};
use std::net::{SocketAddr, TcpListener, TcpStream};
use std::os::unix::net::UnixStream;
use std::path::{Path, PathBuf};
use std::process::{Child, Command, Stdio};
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::{Arc, Condvar, Mutex};
use std::thread::JoinHandle;
use std::time::{Duration, Instant};

use crate::assets::AssetPaths;
// VM-run types live in the macOS-gated VMM stack (until the KVM backend lands).
#[cfg(all(target_os = "macos", target_arch = "aarch64"))]
use crate::vmm::pool::{PoolClientError, WarmPool, WarmPoolError};
#[cfg(all(target_os = "macos", target_arch = "aarch64"))]
use crate::vmm::resources::VmResources;
#[cfg(all(target_os = "macos", target_arch = "aarch64"))]
use crate::vmm::runner::RunOptions;

/// All errors the high-level API can return. Designed to be
/// `match`able: the variants name *what failed*, not which
/// internal type produced it.
///
/// Each variant carries a human-readable `msg` plus an optional
/// typed `source: Option<Box<dyn std::error::Error + Send + Sync>>`
/// so callers can downcast to the underlying error
/// (`io::Error`, `WarmPoolError`, `PoolClientError`, ...) when
/// they need typed handling. `std::error::Error::source()` walks
/// this chain so `?` propagation preserves it through downstream
/// `Box<dyn Error>` conversions.
///
/// `#[non_exhaustive]` so future versions can add variants without
/// breaking exhaustive matches in consumer code.
#[non_exhaustive]
pub enum Error {
    /// The image / snapshot couldn't be loaded — bad path, bad
    /// magic bytes, or version mismatch.
    Image {
        msg: String,
        source: Option<Box<dyn std::error::Error + Send + Sync>>,
    },
    /// VM start / restore failed. Includes `WarmPool` setup errors,
    /// HVF entitlement issues, missing assets, and pool-spawn
    /// failures. Downcast `source` to the typed cause where
    /// applicable.
    Vm {
        msg: String,
        source: Option<Box<dyn std::error::Error + Send + Sync>>,
    },
    /// The configured assets (kernel, init shim) couldn't be
    /// located. Set [`VmConfig::with_assets`] explicitly to
    /// override auto-discovery.
    Assets {
        msg: String,
        source: Option<Box<dyn std::error::Error + Send + Sync>>,
    },
    /// I/O on a vsock socket / file. The original `io::Error` is
    /// the variant payload — match `Error::Io(e)` and inspect
    /// `e.kind()` for typed handling.
    Io(std::io::Error),
    /// Registry pull failed — image manifest fetch, layer download,
    /// or auth handshake. Surface message includes the registry
    /// HTTP status / response body where available.
    Network {
        msg: String,
        source: Option<Box<dyn std::error::Error + Send + Sync>>,
    },
    /// [`PullPolicy::Never`] was set but no usable cache exists.
    /// Switch to [`PullPolicy::Missing`] (the default) to allow a
    /// pull, or pre-bake via the `supermachine` CLI.
    CacheMiss { msg: String },
    /// A cached snapshot was found but isn't loadable on this
    /// binary — runtime SHA mismatch, snapshot format version
    /// mismatch, or corrupt/missing layer files. The error message
    /// names the specific reason. With [`PullPolicy::Missing`] /
    /// [`PullPolicy::Always`] the library auto-rebakes; only
    /// [`PullPolicy::Never`] surfaces this.
    CacheInvalid { msg: String },
    /// The bake step itself failed — snapshot capture timed out,
    /// the workload didn't bind a port within the readiness window,
    /// or the worker exited mid-bake. See `bake.log` in the
    /// snapshot dir for details.
    Bake {
        msg: String,
        source: Option<Box<dyn std::error::Error + Send + Sync>>,
    },
    /// Registry returned 404 / "manifest unknown" for the
    /// requested image+tag — typo, deleted upstream, or wrong
    /// registry. The `image` field holds the full `host/repo:tag`
    /// reference as the user passed it, so callers can do
    /// `match e { Error::ImageNotFound { image, .. } => ... }`
    /// without re-parsing the string.
    ImageNotFound {
        image: String,
        msg: String,
        source: Option<Box<dyn std::error::Error + Send + Sync>>,
    },
    /// Registry returned 401 / 403 — bad credentials, expired
    /// token, or repo requires login. Set creds via
    /// `~/.docker/config.json` or `--registry-auth USER:PASS`.
    RegistryAuth {
        image: String,
        msg: String,
        source: Option<Box<dyn std::error::Error + Send + Sync>>,
    },
    /// Registry HTTP request failed at the network layer — DNS
    /// failure, connection refused, TLS handshake error, timeout
    /// on the wire. Distinct from [`Error::ImageNotFound`] /
    /// [`Error::RegistryAuth`] which surface registry-side errors
    /// after a successful connection.
    RegistryUnreachable {
        msg: String,
        source: Option<Box<dyn std::error::Error + Send + Sync>>,
    },
    /// Pool has reached its `max` worker count and the
    /// `acquire_timeout` elapsed before any peer dropped its
    /// `PooledVm`. Increase `max`, increase `acquire_timeout`,
    /// or retry. Carries the elapsed timeout + max in the
    /// message for diagnostics.
    PoolExhausted { msg: String },
    /// The in-guest Linux kernel panicked during the bake's boot
    /// or init phase. Detected by tailing the worker's serial
    /// console (`bake.log`) for known fatal banners
    /// (`Kernel panic`, `Internal error: Oops`, `Unable to handle
    /// kernel ...`, `Attempted to kill the idle task`). On detection
    /// the worker child is killed so the bake doesn't hang for the
    /// full timeout. `first_line` is the matched banner; `stack` is
    /// the next ~40 lines of the panic trace pulled from `bake.log`.
    KernelPanic {
        first_line: String,
        stack: Vec<String>,
    },
}

// Constructor helpers that callers in this crate use. Keeping
// the public surface field-style (struct variants) means new
// fields are non-breaking; the callers below all funnel through
// these so we can evolve the construction shape later without
// touching every call site.
//
// Public API is the variants themselves; these are pub(crate).
impl Error {
    pub(crate) fn image_msg(msg: impl Into<String>) -> Self {
        Error::Image {
            msg: msg.into(),
            source: None,
        }
    }
    pub(crate) fn vm_msg(msg: impl Into<String>) -> Self {
        Error::Vm {
            msg: msg.into(),
            source: None,
        }
    }
    pub(crate) fn assets_msg(msg: impl Into<String>) -> Self {
        Error::Assets {
            msg: msg.into(),
            source: None,
        }
    }
    pub(crate) fn network_msg(msg: impl Into<String>) -> Self {
        Error::Network {
            msg: msg.into(),
            source: None,
        }
    }
    pub(crate) fn bake_msg(msg: impl Into<String>) -> Self {
        Error::Bake {
            msg: msg.into(),
            source: None,
        }
    }
    pub(crate) fn cache_miss(msg: impl Into<String>) -> Self {
        Error::CacheMiss { msg: msg.into() }
    }
    pub(crate) fn cache_invalid(msg: impl Into<String>) -> Self {
        Error::CacheInvalid { msg: msg.into() }
    }
    pub(crate) fn image_not_found(image: impl Into<String>, msg: impl Into<String>) -> Self {
        Error::ImageNotFound {
            image: image.into(),
            msg: msg.into(),
            source: None,
        }
    }
    pub(crate) fn registry_auth(image: impl Into<String>, msg: impl Into<String>) -> Self {
        Error::RegistryAuth {
            image: image.into(),
            msg: msg.into(),
            source: None,
        }
    }
    pub(crate) fn registry_unreachable(msg: impl Into<String>) -> Self {
        Error::RegistryUnreachable {
            msg: msg.into(),
            source: None,
        }
    }
    pub(crate) fn pool_exhausted(msg: impl Into<String>) -> Self {
        Error::PoolExhausted { msg: msg.into() }
    }
    pub(crate) fn kernel_panic(first_line: impl Into<String>, stack: Vec<String>) -> Self {
        Error::KernelPanic {
            first_line: first_line.into(),
            stack,
        }
    }

    /// True when the message looks like the agent-probe symptom
    /// of a multi-vCPU restore RCU-stall (probe timed out / EAGAIN
    /// in the underlying vsock read). Heuristic — used to
    /// downgrade probe failures to a warning when the snapshot
    /// was baked with vcpus > 1. Definitive stale-agent signals
    /// (the agent ack with an old protocol number) report a
    /// different message and are NOT covered.
    pub(crate) fn is_likely_multi_vcpu_restore_stall(&self) -> bool {
        let Error::Vm { msg, .. } = self else {
            return false;
        };
        // The probe's two failure modes that are indistinguishable
        // from a multi-vCPU RCU-stall:
        //   1. send_control_with_ack returns io::ErrorKind::Other
        //      with the underlying socket error string (most often
        //      "Resource temporarily unavailable" / EAGAIN, or a
        //      timeout phrase).
        //   2. The probe wrapper turned that into the
        //      "agent in this snapshot is from an older …" string;
        //      check for the embedded "(probe failed: …)".
        msg.contains("Resource temporarily unavailable")
            || msg.contains("os error 35")
            || msg.contains("os error 60") // ETIMEDOUT
            || msg.contains("timed out")
            || (msg.contains("probe failed") && !msg.contains("speaks protocol v"))
    }
}

impl std::fmt::Debug for Error {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Error::Image { msg, source } => f
                .debug_struct("Image")
                .field("msg", msg)
                .field("source", source)
                .finish(),
            Error::Vm { msg, source } => f
                .debug_struct("Vm")
                .field("msg", msg)
                .field("source", source)
                .finish(),
            Error::Assets { msg, source } => f
                .debug_struct("Assets")
                .field("msg", msg)
                .field("source", source)
                .finish(),
            Error::Io(e) => f.debug_tuple("Io").field(e).finish(),
            Error::Network { msg, source } => f
                .debug_struct("Network")
                .field("msg", msg)
                .field("source", source)
                .finish(),
            Error::CacheMiss { msg } => f.debug_struct("CacheMiss").field("msg", msg).finish(),
            Error::CacheInvalid { msg } => {
                f.debug_struct("CacheInvalid").field("msg", msg).finish()
            }
            Error::Bake { msg, source } => f
                .debug_struct("Bake")
                .field("msg", msg)
                .field("source", source)
                .finish(),
            Error::ImageNotFound { image, msg, source } => f
                .debug_struct("ImageNotFound")
                .field("image", image)
                .field("msg", msg)
                .field("source", source)
                .finish(),
            Error::RegistryAuth { image, msg, source } => f
                .debug_struct("RegistryAuth")
                .field("image", image)
                .field("msg", msg)
                .field("source", source)
                .finish(),
            Error::RegistryUnreachable { msg, source } => f
                .debug_struct("RegistryUnreachable")
                .field("msg", msg)
                .field("source", source)
                .finish(),
            Error::PoolExhausted { msg } => {
                f.debug_struct("PoolExhausted").field("msg", msg).finish()
            }
            Error::KernelPanic { first_line, stack } => f
                .debug_struct("KernelPanic")
                .field("first_line", first_line)
                .field("stack_lines", &stack.len())
                .finish(),
        }
    }
}

impl std::fmt::Display for Error {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Error::Image { msg, .. } => write!(f, "image: {msg}"),
            Error::Vm { msg, .. } => write!(f, "vm: {msg}"),
            Error::Assets { msg, .. } => write!(f, "assets: {msg}"),
            Error::Io(e) => write!(f, "io: {e}"),
            Error::Network { msg, .. } => write!(f, "network: {msg}"),
            Error::CacheMiss { msg } => write!(f, "cache miss: {msg}"),
            Error::CacheInvalid { msg } => write!(f, "cache invalid: {msg}"),
            Error::Bake { msg, .. } => write!(f, "bake: {msg}"),
            Error::ImageNotFound { image, msg, .. } => {
                write!(f, "image not found ({image}): {msg}")
            }
            Error::RegistryAuth { image, msg, .. } => {
                write!(f, "registry auth failed for {image}: {msg}")
            }
            Error::RegistryUnreachable { msg, .. } => {
                write!(f, "registry unreachable: {msg}")
            }
            Error::PoolExhausted { msg } => write!(f, "pool exhausted: {msg}"),
            Error::KernelPanic { first_line, stack } => {
                writeln!(f, "kernel panic during bake: {first_line}")?;
                for line in stack {
                    writeln!(f, "  {line}")?;
                }
                Ok(())
            }
        }
    }
}

impl std::error::Error for Error {
    fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
        match self {
            Error::Image { source, .. }
            | Error::Vm { source, .. }
            | Error::Assets { source, .. }
            | Error::Network { source, .. }
            | Error::Bake { source, .. }
            | Error::ImageNotFound { source, .. }
            | Error::RegistryAuth { source, .. }
            | Error::RegistryUnreachable { source, .. } => source
                .as_ref()
                .map(|s| s.as_ref() as &(dyn std::error::Error + 'static)),
            Error::Io(e) => Some(e),
            Error::CacheMiss { .. }
            | Error::CacheInvalid { .. }
            | Error::PoolExhausted { .. }
            | Error::KernelPanic { .. } => None,
        }
    }
}

impl From<std::io::Error> for Error {
    fn from(e: std::io::Error) -> Self {
        Error::Io(e)
    }
}

#[cfg(all(target_os = "macos", target_arch = "aarch64"))]
impl From<WarmPoolError> for Error {
    fn from(e: WarmPoolError) -> Self {
        Error::Vm {
            msg: e.to_string(),
            source: Some(Box::new(e)),
        }
    }
}

#[cfg(all(target_os = "macos", target_arch = "aarch64"))]
impl From<PoolClientError> for Error {
    fn from(e: PoolClientError) -> Self {
        Error::Vm {
            msg: e.to_string(),
            source: Some(Box::new(e)),
        }
    }
}

/// How [`Image::from_oci`] decides whether to talk to the registry
/// or use a locally-cached snapshot. Same semantics as Docker's
/// `--pull` flag.
///
/// **The default is [`PullPolicy::Missing`]** — use the cache if
/// it exists; pull only if absent. Right for pinned tags or digest
/// references. For `:latest`-style mutable tags use
/// [`PullPolicy::Always`].
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[non_exhaustive]
pub enum PullPolicy {
    /// Pull manifest from the registry every time; rebake if the
    /// digest changed since the last bake. Right for `:latest`-style
    /// mutable tags.
    Always,
    /// Use the cached snapshot if it exists locally and is valid.
    /// Don't talk to the registry at all unless the cache is
    /// missing or invalid. **The default.**
    Missing,
    /// Use the cache or fail. Never pull. Right for offline /
    /// air-gapped environments.
    Never,
}

impl Default for PullPolicy {
    fn default() -> Self {
        Self::Missing
    }
}

impl PullPolicy {
    /// String form the underlying `bake` pipeline accepts. Mirror
    /// of the CLI's `--pull` argument values.
    fn as_bake_str(self) -> &'static str {
        match self {
            Self::Always => "always",
            Self::Missing => "missing",
            Self::Never => "never",
        }
    }
}

/// A baked OCI image: its restore snapshot plus the metadata
/// describing which kernel + virtio-blk layers it needs. Cheap
/// to clone.
///
/// Two ways to construct one:
///
/// - [`Image::from_oci`] — pull (or reuse cache) from a registry,
///   bake into a snapshot, return the resulting image. The
///   high-level "I have an image reference" entry point.
/// - [`Image::from_snapshot`] — load an already-baked snapshot
///   directory directly. Useful when you want to keep snapshots
///   under your own management or share one across processes.
/// Linux/KVM boot artifacts an [`Image`] carries when its `metadata.json` has
/// `"backend": "kvm"`. The [`Vm::start`] Linux path boots these directly via
/// [`crate::kvm::run::LinuxVm`] (kernel + agent PID-1 initramfs, with the
/// optional `disk` attached as `/dev/vda`). The HVF `restore.snap` /
/// virtio-fs-layer model does not apply — a KVM image boots cold.
#[derive(Debug, Clone)]
pub(crate) struct KvmImageParts {
    /// Cold-boot kernel (bzImage). `None` for snapshot-restore images.
    pub(crate) kernel: Option<PathBuf>,
    /// Cold-boot PID-1 agent initramfs. `None` for snapshot-restore images.
    pub(crate) initrd: Option<PathBuf>,
    /// Optional rootfs disk attached as `/dev/vda` (cold boot only).
    pub(crate) disk: Option<PathBuf>,
    /// A `VmSnapshot` file (SMSNAP03). When set, the VM is RESTORED from it
    /// (CoW mmap, ~ms) instead of cold-booting from kernel+initrd — produced
    /// by [`Vm::snapshot`].
    pub(crate) snapshot: Option<PathBuf>,
}

#[derive(Debug, Clone)]
pub struct Image {
    snapshot_path: PathBuf,
    /// Default memory; can be overridden via [`VmConfig::with_memory_mib`].
    pub(crate) memory_mib: u32,
    /// Default vCPUs; can be overridden via [`VmConfig::with_vcpus`].
    pub(crate) vcpus: u32,
    /// 16-hex-prefix of the supermachine-worker SHA256 that baked
    /// this snapshot, parsed from `metadata.json["runtime_sha16"]`.
    /// Used to skip the agent-protocol probe when a fresh-bake
    /// invariant holds (snapshot baked by the same lib version
    /// the host is now running). `None` means metadata didn't
    /// record one — older snapshots, third-party bakes, etc; the
    /// probe runs unconditionally in that case.
    pub(crate) baker_runtime_sha16: Option<String>,
    /// `metadata.json["balloon_target_pages"]` — bake-time
    /// recommended balloon inflation target for idle workers.
    /// Plumbed through SpawnConfig → worker CLI → runner so each
    /// pool worker requests inflate after restore. None disables
    /// ballooning. Defaults to 75% of `memory_mib` in 4 KiB
    /// pages (set by bake.rs).
    pub(crate) balloon_target_pages: Option<u32>,
    /// TSI control-channel auth token (64-char lowercase hex).
    /// Generated at fresh bake, persisted in metadata.json,
    /// re-injected on every restore via the worker's
    /// `--tsi-token` flag. `None` on legacy snapshots (pre-0.6.0)
    /// — the muxer accepts all control DGRAMs in that case.
    /// See `kernel-build/patches/af-tsi/0014-*.patch` for the
    /// threat model.
    pub(crate) tsi_token: Option<String>,
    /// 0.7.65+ per-snapshot egress policy from
    /// `metadata.json["egress_policy"]` (e.g. `deny_private`,
    /// `allowlist:<cidrs>`, `denylist:<cidrs>`). Re-injected on the
    /// worker via `--egress-policy` so the muxer enforces it at TSI
    /// connect time. `None` (the common case) → `allow_all`. Previously
    /// only the router/worker CLI honored this; threading it here makes
    /// the high-level `Image::acquire` / `Pool` path enforce a baked
    /// snapshot's network policy too.
    pub(crate) egress_policy: Option<String>,
    /// 0.7.44+ pre-exec sync flag. `true` → init-oci is paused
    /// inside `read(0)` in the saved snapshot at the pre-exec
    /// pause point. spawn_one sets
    /// SUPERMACHINE_PRE_EXEC_SYNC_RESUME=1 on the worker so the
    /// `supermachine-pre-exec-resume` thread pushes the unblock
    /// byte after restore. `false` (legacy / pre-0.7.44) → init-oci
    /// used the 250 ms nanosleep at that point; no push needed.
    pub(crate) pre_exec_sync: bool,
    /// virtio-blk layer file paths in the order the bake step
    /// produced them. The microVM needs all of them attached at
    /// restore time (the OverlayFS in the guest is mounted on top).
    pub(crate) layers: Vec<PathBuf>,
    /// Optional per-image delta layer applied after `layers`.
    pub(crate) delta_squashfs: Option<PathBuf>,
    /// virtio-fs DAX mounts persisted in metadata.json. The bake
    /// captures the snapshot with these mounts wired into the FDT,
    /// so restore must re-create the same VirtioFs devices at the
    /// same MMIO addresses for the guest kernel to find them.
    pub(crate) mounts: Vec<crate::vmm::resources::MountSpec>,
    /// Writable virtio-blk volumes persisted in metadata.json as
    /// `[{host_file, guest_path, size_bytes, pristine?}, ...]`.
    /// The bake snapshots the guest BEFORE `mount_volumes()` runs
    /// (init-oci's `[SUPERMACHINE-INIT] heartbeat counter=1` marker
    /// fires pre-mount), so the snapshot itself doesn't carry the
    /// volume mount — init-oci re-runs `mount_volumes()` on each
    /// restore. For that re-mount to find a `/dev/vd<N>` device,
    /// the warm-restore worker MUST re-attach the volume via
    /// `--volume HOST:GUEST:SIZE`. Without this, the guest hangs
    /// on any ext4 read after restore. (Field-report bug fixed
    /// 0.7.30.)
    ///
    /// Tuple shape: (host_file, guest_path, size_bytes, pristine).
    /// `pristine` is `Some(path)` for 0.7.49+ snapshots and points
    /// at an immutable byte-identical copy of `host_file` captured
    /// at snapshot save time. Pools running with
    /// `restoreOnRelease=true` clone the pristine to a per-worker
    /// temp file on each spawn so the worker's writes never leak
    /// between acquires — keeps virtio-blk bytes in lock-step with
    /// the snapshot's captured ext4 RAM state. Pre-0.7.49 snapshots
    /// have `None`; the pool logs a one-line warning and falls
    /// through to the legacy behavior (worker uses `host_file`
    /// directly, writes persist).
    pub(crate) volumes: Vec<(PathBuf, String, u64, Option<PathBuf>)>,
    /// Bundled kernel path, if the snapshot dir ships one alongside.
    /// Lets a self-contained bundle (e.g. `MyApp.app/Contents/
    /// Resources/<image>/kernel`) start a VM without requiring the
    /// embedder's host to have supermachine assets installed
    /// system-wide. `None` means [`Vm::start`] falls back to
    /// [`AssetPaths::discover`].
    pub(crate) bundled_kernel: Option<PathBuf>,
    /// Linux/KVM artifacts parsed from `metadata.json` when
    /// `"backend": "kvm"`: the bzImage, the PID-1 agent initramfs, and an
    /// optional rootfs disk (attached as `/dev/vda`). `None` for HVF
    /// snapshots. Consumed by the Linux [`Vm::start`].
    pub(crate) kvm: Option<KvmImageParts>,
    /// Hidden warm pool, lazy-initialized on first
    /// [`Image::acquire`]. The pool holds a single long-lived
    /// `WarmPool` (in-process worker + the snapshot mmap'd in)
    /// behind a mutex; each `acquire` calls `restore` to reset
    /// the worker to clean snapshot state, returns a [`PooledVm`]
    /// that holds the lock, and re-enters the pool on `Drop`.
    /// Per-acquire cost is just the snapshot restore (~5 ms),
    /// not the full VM spawn (~50–100 ms).
    ///
    /// Wrapped in `Arc` so cloning an `Image` shares the same
    /// pool instance — useful when multiple parts of an app hold
    /// `Image` references but should share a single warm worker.
    pub(crate) hidden_pool: std::sync::OnceLock<Arc<HiddenPool>>,
    /// Warm handoff: the bake-time worker, kept alive after the
    /// pipelined bake completes (`Image::builder().with_warmup(…)`)
    /// so the FIRST `Pool::acquire()` can use it directly instead
    /// of paying ~50 ms spawn + ~5 ms restore for a fresh worker.
    /// Subsequent acquires fall through to the normal spawn-from-
    /// disk path.
    ///
    /// Atomic claim semantics: the consumer (`PoolBuilder::build` or
    /// `HiddenPool::ensure_min_workers`) calls
    /// `warm_baked_worker.lock().take()`. Only one party gets
    /// `Some`; everyone else gets `None` and falls through cleanly.
    /// This also guards against multi-pool-from-same-Image: only
    /// the first pool gets the warm worker.
    ///
    /// Drop semantics: if the Image is dropped without anyone
    /// claiming, `Drop for Image` (below) takes the value and
    /// shuts down the worker via QUIT (drains in-flight saves)
    /// + `child.wait()` + socks_dir cleanup. The bake driver
    /// already drained the bg base save before returning the
    /// BakedWorker, so QUIT is a fast (~10 ms) drain-noop in this
    /// case — no `.partial` leaks.
    pub(crate) warm_baked_worker: Arc<crate::bake::WarmStash>,
    /// Linux/KVM ambient warm pool, built lazily on the first `acquire`/
    /// `acquire_with` and shared across clones (Arc). Makes `image.acquire()`
    /// a CoW restore (~ms) instead of a cold boot (~1s) — the macOS
    /// `hidden_pool` equivalent for KVM. `Arc<Pool>` breaks the Image↔Pool cycle.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub(crate) kvm_pool: std::sync::OnceLock<Arc<Pool>>,
}

impl Image {
    /// Test-only introspection: is a warm-handoff worker currently
    /// stashed? Used by the warm-handoff integration tests to
    /// verify the bake actually populated the stash, and that the
    /// first `Pool::build()` consumed it. Not part of the public
    /// API contract — the field itself is `pub(crate)` and may
    /// move; this accessor is doc-hidden because it's a peephole
    /// for tests, not a feature.
    /// Test-only introspection: is this a Linux/KVM cold-boot image (kernel +
    /// initrd, no warm snapshot)? Cold-boot images go through
    /// `warm_snapshot_for_pool`'s persist+dedup path; snapshot-backed ones
    /// early-return. Used by the warm-persist test to skip cross-family
    /// assertions when the second image is already snapshot-backed. Not stable.
    #[doc(hidden)]
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn is_kvm_cold_boot(&self) -> bool {
        self.kvm
            .as_ref()
            .map(|k| k.snapshot.is_none())
            .unwrap_or(false)
    }
    #[doc(hidden)]
    pub fn _warm_handoff_present(&self) -> bool {
        self.warm_baked_worker
            .inner
            .lock()
            .map(|g| g.is_some())
            .unwrap_or(false)
    }
    /// Test-only: PID of the stashed warm worker, or None. Used by
    /// the R1 integration test (Image-dropped-without-claim) to
    /// `kill -0` the pid after dropping the Image and confirm
    /// reaping. Not stable.
    #[doc(hidden)]
    pub fn _warm_handoff_pid(&self) -> Option<u32> {
        self.warm_baked_worker
            .inner
            .lock()
            .ok()
            .and_then(|g| g.as_ref().map(|bw| bw.child.id()))
    }
}

/// Internal state for the hidden subprocess pool an [`Image`]
/// manages for [`Image::acquire`] users. Spawns N
/// `supermachine-worker` subprocesses up front, each pre-restored
/// from the snapshot — so `acquire` is just "pop an idle worker
/// off the queue" (~1 ms) and N concurrent acquires really run N
/// VMs in parallel (each in its own subprocess, each its own
/// `hv_vm_create` singleton).
///
/// On `Drop`, kills every worker and unlinks every socket.
#[doc(hidden)]
pub struct HiddenPool {
    /// Per-worker state: idle queue + counts. Arc'd separately
    /// from the pool so housekeeping threads can hold it across
    /// condvar waits without keeping `HiddenPool` itself alive
    /// (otherwise the user-side drop never fires).
    state: Arc<Mutex<PoolState>>,
    /// Wakes `acquire()` callers blocked on an empty idle queue
    /// AND wakes housekeeping threads on shutdown. Signalled when
    /// a worker re-enters idle, when the pool is shutting down,
    /// or when a wait_timeout window in a housekeeper expires.
    available: Arc<Condvar>,
    /// Workers handed back from `PooledVm::drop` waiting to be
    /// restored to clean snapshot state before going back into
    /// the idle queue. The restorer thread drains this. Arc'd
    /// so the restorer can wait on the condvar without keeping
    /// `HiddenPool` alive.
    dirty: Option<Arc<Mutex<VecDeque<Worker>>>>,
    /// Wakes any restorer thread when a worker lands on dirty
    /// (or on shutdown).
    dirty_pending: Option<Arc<Condvar>>,
    /// Where each worker's vsock mux/exec sockets live.
    socks_dir: PathBuf,
    /// True once `Drop` has started; replenisher / restorer /
    /// janitor exit the next time around their wait loops. Arc'd
    /// so housekeeping threads can poll it after dropping their
    /// strong `HiddenPool` reference.
    shutting_down: Arc<AtomicBool>,
    /// Image-derived spawn config, copied so the pool is self-
    /// contained.
    spawn_cfg: Arc<SpawnConfig>,
    /// Static pool policy. Read from many threads; never mutated
    /// after construction so we can stash by value (no Mutex).
    policy: PoolPolicy,
}

/// Static policy for an auto-scaling pool. Set at builder time;
/// immutable thereafter.
#[derive(Debug, Clone, Copy)]
struct PoolPolicy {
    /// Always-warm baseline. The replenisher keeps `alive >= min`.
    /// `min == 0` means lazy: the first acquire spawns the first
    /// worker.
    min: usize,
    /// Hard concurrency cap. Acquire blocks (with timeout) when
    /// `alive == max`. `max == usize::MAX` means uncapped.
    max: usize,
    /// Idle workers above `min` that have sat unused for longer
    /// than this get evicted by the janitor. `Duration::MAX`
    /// disables eviction (fixed-size pool).
    idle_timeout: Duration,
    /// Caller's `acquire()` blocks at most this long when the
    /// pool is at `max` and no worker is idle. After that the
    /// call returns `Error::PoolExhausted`. `None` = block forever.
    acquire_timeout: Option<Duration>,
    /// When `true` (default), `PooledVm::drop` queues the worker
    /// for restoration via the supervisor RESTORE RPC before
    /// it goes back to idle. Each cycle starts with a clean
    /// snapshot-state guest. Costs ~3 ms per cycle (off the
    /// critical path if the pool has a buddy slot).
    ///
    /// When `false`, drop pushes the worker DIRECTLY back to
    /// idle without restoring. The next acquire gets the same
    /// guest in whatever state the previous user left it. The
    /// per-cycle restore cost vanishes, AND the guest's page
    /// cache stays warm — for workloads like rustc that re-read
    /// the same sysroot/deps every invocation, this is a HUGE
    /// win (300 ms cold compile → ~50–100 ms warm-cache compile).
    ///
    /// Caveats: workloads must be tolerant of leftover state
    /// in `/tmp` etc. The integrator's pattern (write_file
    /// `main.rs`, run `rustc -o /tmp/m && /tmp/m`) is safe — the
    /// `&&` short-circuits on compile failure, and outputs are
    /// always overwritten. Pair with periodic full pool drain
    /// + rebuild if you need bounded resource accumulation over
    /// long runs.
    restore_on_release: bool,
}

impl Default for PoolPolicy {
    fn default() -> Self {
        Self {
            min: 0,
            max: 64,
            idle_timeout: Duration::from_secs(60),
            acquire_timeout: Some(Duration::from_secs(60)),
            restore_on_release: true,
        }
    }
}

/// Per-Pool internal state under one mutex. Held only briefly
/// during acquire/release; the long-running work (spawn /
/// restore / kill) happens outside the lock.
struct PoolState {
    /// Idle workers ready for the next `acquire()`. **LIFO** —
    /// the most recently used worker has the hottest host page
    /// cache (squashfs layer pages, kernel mmap pages), so it
    /// pays the cheapest restore on the next acquire. Both ops
    /// are at the back of the `Vec`.
    idle: Vec<IdleEntry>,
    /// Total workers in the pool right now: idle + currently
    /// checked-out + currently being spawned/restored. The
    /// auto-grow path bumps this *before* spawning so a
    /// concurrent `acquire` can see "we already promised someone
    /// a worker, don't double-spawn."
    alive: usize,
    /// Currently-blocked acquire callers (for stats /
    /// observability). Incremented at the wait site, decremented
    /// when the wait returns.
    waiting: usize,
    /// Cumulative count of workers the watchdog reaped because their
    /// process had died while sitting idle (never popped, so the
    /// acquire-time `try_wait` never saw them). Pure observability.
    reaped: u64,
}

/// An idle worker plus the timestamp it returned to the queue,
/// used by the janitor to evict above-`min` workers that have
/// sat unused longer than `idle_timeout`.
struct IdleEntry {
    worker: Worker,
    last_used: Instant,
}

/// One spawned `supermachine-worker` subprocess + its vsock
/// socket paths + the lib-side end of the supervisor control
/// socket.
///
/// Workers are launched in `--pool-worker` mode (see
/// `bin/worker.rs`): each one connects back to a unix socket the
/// lib listens on, accepts text-line commands (`RESTORE <path>`,
/// `QUIT`), and writes `DONE …` after each restore. This lets
/// the same worker process serve many `acquire`/`drop` cycles
/// — each cycle is a snapshot restore (~3 ms) instead of a full
/// process spawn (~10 ms) plus a kill.
///
/// The control socket is bidirectional: lib writes commands,
/// worker writes responses. We hold separate read/write halves
/// behind a `Mutex` so the restorer thread (which sends RESTORE
/// during release-handling) doesn't race with the QUIT path
/// during pool teardown.
struct Worker {
    child: Child,
    vsock_mux_path: PathBuf,
    vsock_exec_path: PathBuf,
    /// Path of the unix listener the lib is using to talk to
    /// this worker. Cleaned up on drop alongside the vsock paths.
    control_path: PathBuf,
    /// Live control connection. Writer side; reads happen on a
    /// `BufReader` we construct on demand for the restore round-
    /// trip. Wrapped in `Mutex` so concurrent code paths
    /// (RESTORE during release vs. QUIT during shutdown) are
    /// linearized cleanly.
    control: Arc<Mutex<ControlChannel>>,
    /// The snapshot file this worker was last restored from.
    /// Used as the `base` hint on cycle-snapshot RPCs so the
    /// runner can use APFS clonefile + diff pwrite instead of
    /// the plain streaming sync save (~3× speedup on the
    /// cycle-snapshot path).
    last_restore_path: PathBuf,
    /// Guest memory (MiB) the worker was started with. Used by
    /// the cycle-restore path to gate the post-restore
    /// `drop_vfs_caches` RPC behind the 512-MiB memory threshold
    /// (see `drop_vfs_caches_via_agent`).
    memory_mib: u32,
    /// 0.7.44+ — true when the snapshot has virtio-fs mounts OR
    /// virtio-blk volumes (any host-backed write surface). The
    /// cycle-restore path checks this to skip the VFS-drop RPC
    /// when there's nothing host-backed to invalidate. Pure-image
    /// snapshots (no mounts, no volumes) save ~5-15 ms / cycle.
    has_mounts: bool,
    /// 0.7.44+ — vcpu count this worker was started with. Used by
    /// the cycle-restore path to gate the post-restore smpark_unpark
    /// RPC (only needed when vcpus > 1; secondaries don't exist
    /// otherwise).
    vcpus: u32,
    /// 0.7.49+ — per-worker virtio-blk temp files (clonefile of
    /// the snapshot's `volumes/<i>.pristine`). 0.7.50+: non-empty
    /// whenever the snapshot has pristines, regardless of
    /// `policy.restore_on_release` (previously gated on
    /// `restore_on_release=true`). Unlinked on Worker drop so
    /// /tmp stays clean. Empty only for no-pristine snapshots
    /// (pre-0.7.49 bakes; workers use the host file directly).
    volume_temp_files: Vec<PathBuf>,
    /// 0.7.67+ — guest mountpoints of this worker's virtio-blk
    /// volumes (e.g. `/data`). init-oci runs `mount_volumes()`
    /// AFTER the snapshot/exec-ready marker (the snapshot is captured
    /// before the volume mount so each restore re-mounts fresh host
    /// bytes — see `SpawnConfig.volumes`). On restore the guest
    /// therefore resumes with the agent already accepting execs but
    /// `/data` not yet mounted — a TOCTOU window where the caller's
    /// first exec reads an empty volume. The post-restore readiness
    /// gate (`wait_for_volumes_mounted`) polls `/proc/mounts` for
    /// these paths before the worker is handed out. Empty for
    /// no-volume snapshots (the gate is skipped).
    volume_guest_paths: Vec<String>,
    /// 0.7.49+ — true when this worker has per-worker COW volume
    /// temps. The pool's release path uses this to decide
    /// kill+respawn (volume-bearing `restore_on_release=true`
    /// pools) vs. RESTORE-recycle / push-to-idle (everything
    /// else): RESTORE can't reset the worker's open virtio-blk
    /// fds back to pristine bytes.
    ///
    /// 0.7.50+: also true for `restore_on_release=false` pools
    /// (the COW gate moved upstream — every spawn gets a temp).
    /// In skip-restore mode the worker is reused across acquires
    /// within the process, so the temp's writes persist within
    /// the process — exactly matching the prior skip-restore
    /// semantics for volume mutations. The cross-process leak is
    /// blocked because each new process spawns a worker with a
    /// fresh COW clone.
    has_cow_volumes: bool,
    /// 0.7.63+ — memory admission reservation, held for this worker's
    /// whole lifetime and returned on drop. `spawn_one` charges it
    /// against the process-wide budget BEFORE forking (blocking if the
    /// budget is full) so concurrent spawns can't overcommit host RAM
    /// into jetsam/OOM; warm-handoff workers charge non-blockingly
    /// (their RAM is already spent). See [`crate::memory_admission`].
    _admission: crate::memory_admission::AdmissionGuard,
}

/// Stats returned from a successful subprocess snapshot RPC.
struct SnapshotStats {
    bytes_written: u64,
    capture_us: u64,
    save_us: u64,
}

/// Lib-side bookkeeping for the `--pool-worker` text protocol.
struct ControlChannel {
    /// Buffered reader so we can read line-at-a-time without
    /// over-consuming bytes.
    reader: std::io::BufReader<std::os::unix::net::UnixStream>,
    /// Direct write half — `BufReader` borrows the reader half.
    writer: std::os::unix::net::UnixStream,
}

impl ControlChannel {
    fn send_line(&mut self, line: &str) -> std::io::Result<()> {
        use std::io::Write;
        self.writer.write_all(line.as_bytes())?;
        if !line.ends_with('\n') {
            self.writer.write_all(b"\n")?;
        }
        self.writer.flush()
    }

    fn read_line(&mut self) -> std::io::Result<String> {
        use std::io::BufRead;
        // Transparently skip `SAVE_DONE <path>` / `SAVE_FAIL <path> ...`
        // notifications. The worker's bg async-save thread emits those
        // on the same supervisor channel as the request/response
        // protocol — they're orthogonal "I finished a save you asked
        // me to start earlier" announcements, never a response to the
        // current request. If we returned one to a caller expecting
        // (say) DONE_SNAPSHOT, the line-oriented parse would mis-match.
        //
        // The bake pipeline has its own copy of this filter
        // (`read_supervisor_line_skip_save_notifications` in bake.rs)
        // because the bake driver owns the BufReader directly; this
        // version is for the `ControlChannel`-wrapped pooled path.
        loop {
            let mut buf = String::new();
            let n = self.reader.read_line(&mut buf)?;
            if n == 0 {
                return Err(std::io::Error::new(
                    std::io::ErrorKind::UnexpectedEof,
                    "worker control socket closed",
                ));
            }
            let trimmed = buf.trim_start();
            if trimmed.starts_with("SAVE_DONE ") || trimmed.starts_with("SAVE_FAIL ") {
                tracing::debug!(line = %buf.trim_end(), "skipping orthogonal bg-save notification");
                continue;
            }
            // 0.7.43+ kernel-boot cache marker is normally consumed
            // by the bake driver's kcache-WRITE orchestrator in
            // `bake.rs::run_native_supermachine_bake_pipelined`.
            // This control channel (ControlChannel, the pooled-VM
            // path) doesn't enter the kcache window so won't see
            // the marker in normal operation. Keep the skip as
            // defense-in-depth: if a future code path leaks the
            // marker through here, drop silently rather than
            // confusing the protocol.
            if trimmed.starts_with("MARKER_KCACHE_READY") {
                tracing::debug!("skipping MARKER_KCACHE_READY notification");
                continue;
            }
            return Ok(buf);
        }
    }
}

/// Convert a `bake::BakedWorker` (handle handed back from the
/// pipelined-bake driver when `keep_alive=true`) into a regular
/// `Worker` that the `HiddenPool` can use as an idle entry.
///
/// This is a pure handle-transfer — no I/O, no liveness check
/// (caller did the `try_wait` first). The resulting Worker has
/// `last_restore_path` set to the warm snapshot path, so any
/// subsequent cycle SNAPSHOT RPCs use it as the diff-via-clone
/// `base=` hint, same as a normal pool worker that just restored.
#[cfg(target_os = "macos")]
fn warm_baked_to_worker(
    bw: crate::bake::BakedWorker,
    memory_mib: u32,
    has_mounts: bool,
    volume_guest_paths: Vec<String>,
    vcpus: u32,
    use_once: bool,
) -> Worker {
    Worker {
        child: bw.child,
        vsock_mux_path: bw.vsock_mux_path,
        vsock_exec_path: bw.vsock_exec_path,
        control_path: bw.control_path,
        control: Arc::new(Mutex::new(ControlChannel {
            reader: std::io::BufReader::new(bw.control_reader),
            writer: bw.control_writer,
        })),
        last_restore_path: bw.last_restore_path,
        memory_mib,
        has_mounts,
        vcpus,
        // Empty: the warm-handoff worker was launched at bake-time
        // and has its volume fds pointing at the user's host file
        // — not at a COW temp. Pool's `release` path uses
        // `has_cow_volumes` to decide kill-on-release.
        //
        // For warm-handoff workers in a `restore_on_release=true`
        // pool with pristines, `use_once=true` flips the flag
        // synthetically so release kills the worker after one
        // cycle; the replenisher then spawns a fresh worker that
        // DOES go through the COW path. The user's host file is
        // mutated by that ONE cycle but the pristine is unaffected
        // so subsequent COW spawns get clean bytes.
        //
        // For `restore_on_release=false`, `use_once=false` and the
        // warm-handoff worker is reused across acquires within
        // the process. It writes to the user's host file, not a
        // COW. The cross-process safety still holds: a separate
        // process opens via `Image::from_snapshot` (no warm
        // handoff), spawn_one always COWs from pristine, and
        // pristine never changes — so process N+1 sees bake-time
        // bytes regardless of what process N's warm-handoff
        // worker wrote.
        volume_temp_files: Vec::new(),
        // Stored for the worker's *cycle* restores: the first warm
        // handoff already has volumes mounted (booted at bake time),
        // but every later send_restore resumes pre-mount_volumes and
        // must re-gate on them.
        volume_guest_paths,
        has_cow_volumes: use_once,
        // Already-running bake-time worker: account its footprint so
        // later blocking spawns see it, but don't gate (the RAM is
        // already committed — blocking here would be pointless).
        _admission: crate::memory_admission::charge(
            memory_mib as u64 + crate::memory_admission::WORKER_OVERHEAD_MIB,
        ),
    }
}

/// Block until every `guest_paths` mountpoint is present in the guest's
/// `/proc/mounts`, or a bounded budget elapses.
///
/// init-oci runs `mount_volumes()` AFTER the snapshot/exec-ready marker
/// (the snapshot is captured before the volume mount so each restore
/// re-mounts against current host bytes — see `SpawnConfig.volumes`).
/// On restore the guest resumes with the agent already accepting execs
/// but the virtio-blk volumes not yet mounted: a TOCTOU window where the
/// caller's first exec would read an empty `/data`. `/proc/mounts` is the
/// deterministic mount-done signal; we poll it via the agent — which also
/// proves the worker can fork+exec (the same liveness signal as the
/// `/bin/true` probe). Returns `Err` if the volumes never mount within the
/// budget (a real failure) so the worker is respawned rather than silently
/// served with an unmounted volume.
#[cfg(target_os = "macos")]
fn wait_for_volumes_mounted(exec_path: &Path, guest_paths: &[String]) -> Result<(), Error> {
    let t0 = std::time::Instant::now();
    let budget = std::time::Duration::from_secs(3);
    loop {
        let out = crate::exec::ExecBuilder::new(exec_path.to_path_buf())
            .argv(["cat", "/proc/mounts"])
            .timeout(std::time::Duration::from_secs(3))
            .output()
            .map_err(|e| {
                Error::vm_msg(format!(
                    "post-restore volume-readiness exec failed in {:?}: {e} — \
                     worker will be respawned",
                    t0.elapsed()
                ))
            })?;
        if out.status.code() == Some(0) {
            let mounts = String::from_utf8_lossy(&out.stdout);
            // /proc/mounts lines are "<dev> <mountpoint> <fstype> …";
            // the 2nd whitespace field is the mountpoint.
            let all_mounted = guest_paths.iter().all(|gp| {
                mounts
                    .lines()
                    .any(|l| l.split(' ').nth(1) == Some(gp.as_str()))
            });
            if all_mounted {
                return Ok(());
            }
        }
        if t0.elapsed() >= budget {
            return Err(Error::vm_msg(format!(
                "post-restore volumes not mounted within {budget:?}: {guest_paths:?} \
                 absent from /proc/mounts — worker will be respawned"
            )));
        }
        std::thread::sleep(std::time::Duration::from_millis(10));
    }
}

impl Worker {
    /// Send a `RESTORE <path>` command and block until the
    /// worker writes `DONE …`. Returns `Ok` on success, `Err`
    /// if the protocol broke (worker crashed, socket closed,
    /// malformed response). Caller treats `Err` as "worker is
    /// unusable" and respawns.
    fn send_restore(&self, snapshot_path: &Path) -> Result<(), Error> {
        let path_str = snapshot_path
            .to_str()
            .ok_or_else(|| Error::vm_msg("snapshot path is not valid UTF-8".to_owned()))?;
        let mut ctl = self
            .control
            .lock()
            .map_err(|_| Error::vm_msg("worker control mutex poisoned".to_owned()))?;
        ctl.send_line(&format!("RESTORE {path_str}"))
            .map_err(Error::Io)?;
        let line = ctl.read_line().map_err(Error::Io)?;
        if !line.starts_with("DONE") {
            return Err(Error::vm_msg(format!(
                "worker RESTORE: expected DONE response, got: {}",
                line.trim()
            )));
        }

        // 0.7.44+ host-direct smpark_unpark BEFORE we drop the
        // control mutex. Sets the unpark_signal byte directly via
        // the worker's mapped host RAM, BEFORE the agent RPC below
        // sends the SGI/IPI. Belt-and-suspenders: if the IPI path
        // is slow under load, the secondaries still wake on the
        // next vtimer tick (≤10 ms) and see signal=1.
        //
        // ERR_SMPARK_UNPARK on older smpark.ko or single-vCPU is
        // harmless — we just continue.
        if self.vcpus > 1 {
            ctl.send_line("SMPARK_UNPARK_DIRECT").map_err(Error::Io)?;
            let _ = ctl.read_line().map_err(Error::Io)?;
        }

        // Drop the agent's mutex before issuing the agent RPCs
        // below — they open their own AF_VSOCK connections on the
        // exec path, independent of the control channel.
        drop(ctl);

        // 0.7.44+ post-cycle-restore agent reachability +
        // secondary unpark + liveness verification.
        //
        // The supervisor's DONE only confirms restore_snapshot
        // completed — it does NOT guarantee the worker is ready
        // to handle a user exec. Two races + one verification:
        //
        //   1. vCPU 0 resume-window race: when DONE is written,
        //      the dispatch thread is about to loop back to
        //      hv_vcpu_run but hasn't actually entered it yet.
        //      Host's next acquire+exec can land a vsock REQUEST
        //      before vCPU 0 is executing — muxer raises an IRQ
        //      that's sometimes lost.
        //   2. Secondary-parked race: secondaries are in WFI
        //      inside smpark_park_routine (snapshot was captured
        //      with them parked). After cycle-restore, they need
        //      to be unparked — initial spawn_one does this via
        //      smpark_unpark CONTROL RPC, but the cycle-restore
        //      path historically bypassed it. Even with the
        //      unpark RPC, Apple silicon HVF's SGI delivery has
        //      variable latency (30-50 ms under load): if a user
        //      exec's fork() child (which resets affinity via
        //      sched_setaffinity(0)) lands in this window, it
        //      can be scheduled onto a still-parked secondary
        //      and block in WFI forever — exec hangs 5 s + 2 s,
        //      returns exit=-1 stdout="".
        //
        // Fix: 3 steps to address both races, then a liveness
        // exec to VERIFY the worker is actually ready:
        //
        //   1. PROBE: vsock-exec CONTROL ack-roundtrip with retry
        //      (10 × 200 ms). Forces muxer to kick the guest,
        //      wakes vCPU 0 from resume-window WFI. Typical
        //      convergence: 1 attempt.
        //   2. SMPARK_UNPARK CONTROL RPC: agent ioctl's
        //      /dev/smpark to write unpark_signal byte +
        //      smp_call_function_many to send SGIs. Wakes
        //      secondaries from WFI. (SMPARK_UNPARK_DIRECT on
        //      the supervisor socket above ALSO writes the
        //      signal byte — belt-and-suspenders for slow IPI
        //      paths since secondaries also wake on vtimer when
        //      they re-check the byte.)
        //   3. LIVENESS EXEC: run `/bin/true` through the agent.
        //      This exercises the EXACT path that user execs
        //      use — fork+exec+affinity-reset+wait. If it
        //      returns within timeout, the worker is FULLY
        //      ALIVE. If it hangs/fails, return Err so the
        //      restorer shuts down this worker and the
        //      replenisher spawns a fresh one. Replaces the
        //      brittle "sleep N ms" approach (50 ms gave ~95%
        //      pass, 200 ms gave ~78% — longer sleep exposed
        //      MORE races, so sleeping isn't the answer).
        //
        // Repro of the bug this fix addresses:
        // python:3.12-alpine pool, 1024 MiB, 2 vcpus,
        // restoreOnRelease, no warmup — T2/T3's exec failed
        // intermittently (~10-50% depending on system load).
        // With this fix: 100 % pass on 400+ iter stress tests
        // including under load average 11.83.
        //
        // Env: SUPERMACHINE_POST_RESTORE_PROBE=0 disables probe
        // + smpark_unpark steps;
        // SUPERMACHINE_POST_RESTORE_LIVENESS=0 disables the
        // liveness exec. For embedders who do their own warmup
        // and don't want the per-cycle overhead.
        let probe_enabled = std::env::var("SUPERMACHINE_POST_RESTORE_PROBE")
            .map(|v| v != "0" && v != "false")
            .unwrap_or(true);
        if probe_enabled {
            let per_attempt = std::time::Duration::from_millis(200);
            let max_attempts = 10;
            for attempt in 0..max_attempts {
                let body = serde_json::json!({ "action": "probe" });
                match crate::exec::send_control_with_ack(
                    &self.vsock_exec_path,
                    &body,
                    Some(per_attempt),
                ) {
                    Ok(_) => break,
                    Err(_) if attempt + 1 < max_attempts => {}
                    Err(e) => {
                        return Err(Error::vm_msg(format!(
                            "post-restore agent probe failed after {max_attempts} attempts: {e}"
                        )));
                    }
                }
            }
            if self.vcpus > 1 {
                let body = serde_json::json!({ "action": "smpark_unpark" });
                let _ = crate::exec::send_control_with_ack(
                    &self.vsock_exec_path,
                    &body,
                    Some(std::time::Duration::from_millis(500)),
                );
            }
            // 0.7.44+ liveness exec.
            //
            // Sleep-based "wait for secondaries to wake" was unreliable:
            // 100 ms gave ~95% pass, 200 ms gave ~78% (longer sleep
            // exposed other races). The fundamental problem is sleep
            // is a guess; we want PROOF that the worker can run a
            // fork+exec workload.
            //
            // Solution: do a real /bin/true exec inside send_restore.
            // This forks the agent's per-conn handler, which forks a
            // child, which resets affinity (the path that triggers
            // "child blocks on parked secondary"), and execs /bin/true.
            // If the exec returns within timeout, the worker is FULLY
            // alive — vCPU 0 + secondaries + scheduler + agent fork
            // all working. If the exec hangs/fails, return Err so the
            // worker is shut down + replaced by the replenisher.
            //
            // Cost: one full exec round-trip (~5-15 ms typical) on
            // every cycle-restore. Replaces the 100 ms sleep.
            //
            // Env: SUPERMACHINE_POST_RESTORE_LIVENESS=0 to disable.
            let liveness_enabled = std::env::var("SUPERMACHINE_POST_RESTORE_LIVENESS")
                .map(|v| v != "0" && v != "false")
                .unwrap_or(true);
            if liveness_enabled {
                let liveness_t0 = std::time::Instant::now();
                let exec_res = crate::exec::ExecBuilder::new(self.vsock_exec_path.clone())
                    .argv(["/bin/true"])
                    .timeout(std::time::Duration::from_secs(3))
                    .output();
                match exec_res {
                    Ok(out) if out.status.code() == Some(0) => {
                        // Worker is fully alive — vCPU 0 + secondaries
                        // + scheduler + agent fork path all working.
                    }
                    Ok(out) => {
                        return Err(Error::vm_msg(format!(
                            "post-restore liveness exec returned non-zero in {:?}: exit={:?} \
                             stderr={:?} — worker will be respawned",
                            liveness_t0.elapsed(),
                            out.status.code(),
                            String::from_utf8_lossy(&out.stderr)
                                .chars()
                                .take(200)
                                .collect::<String>(),
                        )));
                    }
                    Err(e) => {
                        return Err(Error::vm_msg(format!(
                            "post-restore liveness exec failed in {:?}: {e} — worker will be respawned",
                            liveness_t0.elapsed(),
                        )));
                    }
                }
            }
        }

        // 0.7.67+ — volume-mount readiness gate (mirrors spawn_one).
        // Cycle-restore resumes the guest BEFORE init-oci re-runs
        // mount_volumes(), so without this a post-restore exec could
        // read an unmounted /data. Runs regardless of the liveness env
        // (it's a correctness gate, not just a liveness probe) and
        // also proves the worker can fork+exec. Err => caller treats
        // the worker as unusable and respawns it.
        #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
        if !self.volume_guest_paths.is_empty() {
            wait_for_volumes_mounted(&self.vsock_exec_path, &self.volume_guest_paths)?;
        }

        // Cycle-restore reinstates RAM from the snapshot — that
        // includes the guest VFS page/dentry/inode caches as they
        // were at capture time. Without dropping, subsequent reads
        // on `mounts:`/`volumes:` paths can return stale bytes
        // when the host backing file changed post-capture. See
        // `drop_vfs_caches_via_agent` for the full story.
        //
        // 0.7.44+ probe-skip: when this snapshot has no virtio-fs
        // mounts (Worker.has_mounts=false) there's nothing
        // host-backed in the pagecache, so the drop is a no-op.
        // Skip the RPC to shave ~5-15 ms per cycle-restore on the
        // common Image.build-from-Docker, no-extra-mounts case.
        if self.has_mounts {
            let _ = drop_vfs_caches_via_agent(&self.vsock_exec_path, self.memory_mib);
        }
        // 0.7.51+ wall-clock sync. Unlike drop_vfs_caches, this
        // is NOT gated on the presence of host-backed surfaces —
        // every cycle-restore needs to advance the guest's
        // CLOCK_REALTIME from snapshot-capture-time to "now",
        // regardless of mounts/volumes. The vtimer state keeps
        // CLOCK_MONOTONIC ticking correctly across restore (which
        // is what tokio/timer-wheels need), but the wall-clock
        // offset is captured + restored verbatim — so without
        // this RPC `Date.now()` reports bake-time post-restore.
        // Order: cache-drop first (so re-LOOKUPs see fresh host
        // state), then time-sync. Both are best-effort and
        // independent — neither failure blocks the other.
        let _ = sync_time_via_agent(&self.vsock_exec_path);
        Ok(())
    }

    /// Send `SNAPSHOT <out_path>` and block on the response.
    /// The worker pauses the guest, captures snapshot, writes to
    /// `out_path`, then writes either `DONE_SNAPSHOT
    /// bytes_written=N capture_us=… save_us=…` or
    /// `ERR_SNAPSHOT <reason>` on the supervisor socket. We
    /// parse the response and surface it as `Result`.
    fn send_snapshot(&self, out_path: &Path) -> Result<SnapshotStats, Error> {
        let path_str = out_path
            .to_str()
            .ok_or_else(|| Error::vm_msg("snapshot path is not valid UTF-8".to_owned()))?;
        let mut ctl = self
            .control
            .lock()
            .map_err(|_| Error::vm_msg("worker control mutex poisoned".to_owned()))?;
        ctl.send_line(&format!("SNAPSHOT {path_str}"))
            .map_err(Error::Io)?;
        let line = ctl.read_line().map_err(Error::Io)?;
        if let Some(rest) = line.strip_prefix("DONE_SNAPSHOT") {
            let mut stats = SnapshotStats {
                bytes_written: 0,
                capture_us: 0,
                save_us: 0,
            };
            for kv in rest.split_ascii_whitespace() {
                if let Some(v) = kv.strip_prefix("bytes_written=") {
                    stats.bytes_written = v.parse().unwrap_or(0);
                } else if let Some(v) = kv.strip_prefix("capture_us=") {
                    stats.capture_us = v.parse().unwrap_or(0);
                } else if let Some(v) = kv.strip_prefix("save_us=") {
                    stats.save_us = v.parse().unwrap_or(0);
                }
            }
            Ok(stats)
        } else if let Some(rest) = line.strip_prefix("ERR_SNAPSHOT ") {
            Err(Error::vm_msg(format!(
                "worker SNAPSHOT failed: {}",
                rest.trim()
            )))
        } else {
            Err(Error::vm_msg(format!(
                "worker SNAPSHOT: unexpected response: {}",
                line.trim()
            )))
        }
    }

    /// Differential snapshot variant. Sends
    /// `SNAPSHOT <out_path> base=<base_path>`. The worker, if it
    /// has a matching in-flight async save to `base_path` (i.e.
    /// the snapshot is still in memory from a recent
    /// SNAPSHOT_ASYNC), uses APFS `clonefile` + diff `pwrite` to
    /// land the warm snapshot — usually ~10x faster than the
    /// plain streaming sync path.
    ///
    /// Falls back to the plain streaming sync save inside the
    /// runner on any of: no matching in-flight save, clonefile
    /// EXDEV (different filesystems), warm meta overflows base's
    /// ram_offset slack. Caller never sees this distinction; the
    /// returned `SnapshotStats` is well-formed in both cases.
    ///
    /// Used by the pipelined bake flow's warm capture.
    fn send_snapshot_with_base(
        &self,
        out_path: &Path,
        base_path: &Path,
        inline: bool,
    ) -> Result<SnapshotStats, Error> {
        let path_str = out_path
            .to_str()
            .ok_or_else(|| Error::vm_msg("snapshot out path is not valid UTF-8".to_owned()))?;
        let base_str = base_path
            .to_str()
            .ok_or_else(|| Error::vm_msg("snapshot base path is not valid UTF-8".to_owned()))?;
        let mut ctl = self
            .control
            .lock()
            .map_err(|_| Error::vm_msg("worker control mutex poisoned".to_owned()))?;
        // `inline` makes the worker wait for the diff save to land before
        // replying, so the caller can read the file immediately (the builder's
        // per-layer chain) — while still retaining the base in memory.
        let line = if inline {
            format!("SNAPSHOT {path_str} base={base_str} inline")
        } else {
            format!("SNAPSHOT {path_str} base={base_str}")
        };
        ctl.send_line(&line).map_err(Error::Io)?;
        let line = ctl.read_line().map_err(Error::Io)?;
        if let Some(rest) = line.strip_prefix("DONE_SNAPSHOT") {
            let mut stats = SnapshotStats {
                bytes_written: 0,
                capture_us: 0,
                save_us: 0,
            };
            for kv in rest.split_ascii_whitespace() {
                if let Some(v) = kv.strip_prefix("bytes_written=") {
                    stats.bytes_written = v.parse().unwrap_or(0);
                } else if let Some(v) = kv.strip_prefix("capture_us=") {
                    stats.capture_us = v.parse().unwrap_or(0);
                } else if let Some(v) = kv.strip_prefix("save_us=") {
                    stats.save_us = v.parse().unwrap_or(0);
                }
            }
            Ok(stats)
        } else if let Some(rest) = line.strip_prefix("ERR_SNAPSHOT ") {
            Err(Error::vm_msg(format!(
                "worker SNAPSHOT (with base) failed: {}",
                rest.trim()
            )))
        } else {
            Err(Error::vm_msg(format!(
                "worker SNAPSHOT (with base): unexpected response: {}",
                line.trim()
            )))
        }
    }

    /// Async-save variant of [`Worker::send_snapshot`]. Sends
    /// `SNAPSHOT_ASYNC <out_path>`; the worker pauses, captures
    /// into a compact in-memory buffer, kicks off a background
    /// save thread, and returns `DONE_SNAPSHOT_ASYNC` immediately.
    /// The on-disk file appears asynchronously — drain via
    /// [`Worker::shutdown`] (which sends QUIT and waits for the
    /// worker process to exit) before relying on the file existing.
    ///
    /// Used by the pipelined bake flow.
    #[allow(dead_code)]
    fn send_snapshot_async(&self, out_path: &Path) -> Result<SnapshotStats, Error> {
        let path_str = out_path
            .to_str()
            .ok_or_else(|| Error::vm_msg("snapshot path is not valid UTF-8".to_owned()))?;
        let mut ctl = self
            .control
            .lock()
            .map_err(|_| Error::vm_msg("worker control mutex poisoned".to_owned()))?;
        ctl.send_line(&format!("SNAPSHOT_ASYNC {path_str}"))
            .map_err(Error::Io)?;
        let line = ctl.read_line().map_err(Error::Io)?;
        if let Some(rest) = line.strip_prefix("DONE_SNAPSHOT_ASYNC") {
            let mut stats = SnapshotStats {
                bytes_written: 0,
                capture_us: 0,
                save_us: 0,
            };
            for kv in rest.split_ascii_whitespace() {
                if let Some(v) = kv.strip_prefix("bytes_written=") {
                    stats.bytes_written = v.parse().unwrap_or(0);
                } else if let Some(v) = kv.strip_prefix("capture_us=") {
                    stats.capture_us = v.parse().unwrap_or(0);
                } else if let Some(v) = kv.strip_prefix("save_us=") {
                    stats.save_us = v.parse().unwrap_or(0);
                }
            }
            Ok(stats)
        } else if let Some(rest) = line.strip_prefix("ERR_SNAPSHOT ") {
            Err(Error::vm_msg(format!(
                "worker SNAPSHOT_ASYNC failed: {}",
                rest.trim()
            )))
        } else {
            Err(Error::vm_msg(format!(
                "worker SNAPSHOT_ASYNC: unexpected response: {}",
                line.trim()
            )))
        }
    }

    /// Best-effort `smpark_park` CONTROL RPC to the in-guest agent.
    /// Drives all secondary vCPUs into a known parked-WFI state via
    /// `ioctl(/dev/smpark, PARK)`. Returns `Ok(true)` on success,
    /// `Ok(false)` if the module isn't available (single-vCPU bake
    /// or smpark.ko not loaded), `Err` only on transport failure.
    /// Caller treats `Ok(false)` as "skip park, fall back to the
    /// existing rendezvous-only path".
    #[cfg_attr(
        not(all(target_os = "macos", target_arch = "aarch64")),
        allow(dead_code)
    )]
    fn send_smpark_park(&self) -> Result<bool, Error> {
        let body = serde_json::json!({ "action": "smpark_park" });
        match crate::exec::send_control_with_ack(
            &self.vsock_exec_path,
            &body,
            Some(Duration::from_secs(5)),
        ) {
            Ok(_) => Ok(true),
            Err(e) => {
                // Agent reports `ok=false` for "module not loaded /
                // /dev/smpark not available" — surfaces as
                // io::ErrorKind::Other with the agent's message.
                // Treat any transport-level failure as "skip park"
                // so callers don't break the snapshot path on the
                // 1-vCPU common case (where smpark is a no-op the
                // module reports as such).
                tracing::debug!(error = %e, "smpark_park unavailable; skipping");
                Ok(false)
            }
        }
    }

    /// Best-effort `smpark_unpark` CONTROL RPC. Wakes the parked
    /// secondaries. Same fallback semantics as
    /// [`Worker::send_smpark_park`] — returns `Ok(false)` if the
    /// module isn't there.
    #[cfg_attr(
        not(all(target_os = "macos", target_arch = "aarch64")),
        allow(dead_code)
    )]
    fn send_smpark_unpark(&self) -> Result<bool, Error> {
        let body = serde_json::json!({ "action": "smpark_unpark" });
        match crate::exec::send_control_with_ack(
            &self.vsock_exec_path,
            &body,
            Some(Duration::from_secs(5)),
        ) {
            Ok(_) => Ok(true),
            Err(e) => {
                tracing::debug!(error = %e, "smpark_unpark unavailable; skipping");
                Ok(false)
            }
        }
    }

    /// Best-effort QUIT. Tries the supervisor protocol first —
    /// gives the worker a chance to flush state cleanly — then
    /// falls back to SIGKILL if the worker doesn't exit within
    /// the grace window.
    fn shutdown(&mut self) {
        // Send QUIT — best effort, ignore failures (worker may
        // already be dead, mutex may be poisoned).
        if let Ok(mut ctl) = self.control.lock() {
            let _ = ctl.send_line("QUIT");
        }
        // Give the worker ~100 ms to exit cleanly. Most exits
        // happen in <10 ms; the upper bound is for slow restore-
        // cleanup paths.
        let deadline = Instant::now() + Duration::from_millis(100);
        loop {
            match self.child.try_wait() {
                Ok(Some(_)) => break,
                Ok(None) if Instant::now() < deadline => {
                    std::thread::sleep(Duration::from_millis(2));
                }
                _ => {
                    let _ = self.child.kill();
                    let _ = self.child.wait();
                    break;
                }
            }
        }
        let _ = std::fs::remove_file(&self.vsock_mux_path);
        let _ = std::fs::remove_file(&self.vsock_exec_path);
        let _ = std::fs::remove_file(&self.control_path);
        let mut h = self.vsock_mux_path.clone();
        h.set_extension("handoff");
        let _ = std::fs::remove_file(&h);
        // 0.7.49+ COW volume temps. Worker is dead; the kernel
        // already closed the fds, so unlink here is safe (no fd
        // leaks). Empty vec for restore_on_release=false / no-
        // pristine snapshots.
        for path in self.volume_temp_files.drain(..) {
            let _ = std::fs::remove_file(&path);
        }
    }
}

/// Resolved + reusable spawn config for one Image's pool.
struct SpawnConfig {
    /// High-water-mark of the resident footprint (phys_footprint, MiB)
    /// observed across this pool's workers — measured at spawn (idle,
    /// post-restore) and at release (post-workload). `0` until the first
    /// measurement. Lets admission charge the MEASURED footprint instead
    /// of the `--memory` cap (usually a big over-estimate) when
    /// SUPERMACHINE_ADMISSION_CHARGE=rss. Shared across spawns via the
    /// enclosing `Arc<SpawnConfig>`; observational only by default.
    observed_footprint_mib: std::sync::atomic::AtomicU64,
    worker_bin: PathBuf,
    snapshot_path: PathBuf,
    layers: Vec<PathBuf>,
    delta_squashfs: Option<PathBuf>,
    /// virtio-fs mounts to re-create on the worker side. Snapshot's
    /// metadata.json `mounts` field, propagated through `Image`.
    mounts: Vec<crate::vmm::resources::MountSpec>,
    /// virtio-blk volumes to re-attach on the worker side. Snapshot's
    /// metadata.json `volumes` field, propagated through `Image`.
    /// Each entry is `(host_file, guest_path, size_bytes, pristine)`
    /// and is passed to the worker as `--volume HOST:GUEST:SIZE`.
    ///
    /// `pristine` (0.7.49+) is the bake-time captured copy of
    /// `host_file`. 0.7.50+: when `pristine.is_some()`, spawn_one
    /// clones the pristine to a per-process temp file under /tmp
    /// and substitutes that path for `host_file` in the `--volume`
    /// arg — regardless of `policy.restore_on_release`. The
    /// Worker tracks the temp files for cleanup on drop / pool
    /// shutdown. This blocks the cross-process leak where
    /// `restore_on_release=false` workers used to write straight
    /// to the user's host file and diverge it from the snapshot's
    /// in-RAM ext4 state.
    ///
    /// CRITICAL for warm-restore correctness: init-oci's snapshot
    /// marker fires BEFORE `mount_volumes()`, so the snapshot doesn't
    /// carry the volume mount. Each restore re-runs `mount_volumes()`
    /// which scans `/dev/vd*`. If the warm-restore worker doesn't
    /// re-attach the volumes here, the device count comes up short,
    /// the ext4 mount references a non-existent device, and reads
    /// hang on the restored guest. (Field-report bug fixed 0.7.30.)
    volumes: Vec<(PathBuf, String, u64, Option<PathBuf>)>,
    memory_mib: u32,
    vcpus: u32,
    socks_dir: PathBuf,
    /// Identifier folded into the socket file names. Just for
    /// readability when looking at /tmp.
    name_prefix: String,
    /// Honored when waiting for a freshly spawned worker's vsock
    /// socket to appear.
    spawn_timeout: Duration,
    /// `metadata.json["runtime_sha16"]` of the snapshot being
    /// restored. When this matches the current `worker_bin`'s
    /// SHA16, we know the in-guest agent shipped with this
    /// snapshot is the same agent the lib expects, so the
    /// agent-protocol probe can be skipped. ~25 ms saved per
    /// acquire.
    baker_runtime_sha16: Option<String>,
    /// `metadata.json["balloon_target_pages"]` from the snapshot
    /// — number of 4 KiB pages the host asks the guest to
    /// inflate via virtio-balloon after restore. Drops idle
    /// worker RSS from `~memory_mib` to ~25% of memory_mib on
    /// rust:1-slim and similar workloads. Plumbed through to
    /// the worker binary as `--balloon-target-pages N`.
    balloon_target_pages: Option<u32>,
    /// `metadata.json["tsi_token"]` from the snapshot — 64-char
    /// lowercase hex, encoding the 32-byte secret baked into the
    /// guest kernel's BSS at fresh bake. Re-injected on every
    /// restore so the muxer's `--tsi-token` matches what the
    /// frozen kernel already has. Absent on pre-0.6.0 snapshots
    /// (legacy unauthenticated mode).
    tsi_token: Option<String>,
    /// `metadata.json["egress_policy"]` — per-snapshot network egress
    /// policy, passed to the worker as `--egress-policy` so the muxer
    /// enforces it at TSI connect time. `None` → `allow_all`.
    egress_policy: Option<String>,
    /// 0.7.44+ `metadata.json["pre_exec_sync"]`. When true,
    /// spawn_one sets `SUPERMACHINE_PRE_EXEC_SYNC_RESUME=1` in
    /// the restored worker's env so its
    /// `supermachine-pre-exec-resume` thread pushes the 'P\n'
    /// unblock byte after restore. Required for pre_exec_sync
    /// snapshots — the saved guest is blocked inside `read(0)`
    /// and never wakes without the push.
    pre_exec_sync: bool,
    /// 0.7.49+ — `PoolPolicy::restore_on_release` propagated here
    /// for spawn-time volume COW. When true AND a volume's
    /// `pristine` is `Some`, spawn_one clones the pristine to a
    /// per-worker temp file under /tmp and substitutes the temp
    /// path for the user's host file in the `--volume` arg. Keeps
    /// per-cycle volume state in lock-step with the snapshot's
    /// captured ext4 RAM state — the user's host file never gets
    /// the worker's mid-life writes. Worker drop unlinks the temp.
    restore_on_release: bool,
}

/// True when `SUPERMACHINE_ADMISSION_CHARGE=rss` — charge the measured
/// resident footprint (+margin) instead of the configured memory cap, to
/// pack more workers under the budget. Default (unset / any other value)
/// = cap charge (today's conservative behavior). Read per-spawn (spawn is
/// already a multi-second op, so the env lookup is free).
fn rss_admission_charge_enabled() -> bool {
    std::env::var("SUPERMACHINE_ADMISSION_CHARGE")
        .map(|v| v.trim().eq_ignore_ascii_case("rss"))
        .unwrap_or(false)
}

/// Pure rss-mode charge: the measured footprint + 25% margin, clamped to
/// `[memory_mib/2, memory_mib]` (+overhead). The half-cap floor bounds the
/// overcommit (≤2× density) so an under-measured idle footprint can't
/// starve the host; the cap ceiling means it never charges MORE than the
/// conservative default. `observed == 0` (unmeasured) → the full cap.
fn rss_charge_mib(memory_mib: u32, observed_mib: u64, overhead: u64) -> u64 {
    let cap = memory_mib as u64 + overhead;
    if observed_mib == 0 {
        return cap;
    }
    let floor = (memory_mib as u64 / 2) + overhead;
    let margined = observed_mib + observed_mib / 4 + overhead; // +25%
    margined.clamp(floor, cap)
}

#[cfg(test)]
mod rss_charge_tests {
    use super::rss_charge_mib;
    const OH: u64 = 64;

    #[test]
    fn unmeasured_charges_full_cap() {
        // No observation yet → conservative full cap.
        assert_eq!(rss_charge_mib(512, 0, OH), 512 + OH);
    }

    #[test]
    fn measured_charges_observed_plus_margin() {
        // 300 MiB observed → 300 + 25% (75) + OH = 439; within [320, 576].
        assert_eq!(rss_charge_mib(512, 300, OH), 375 + OH);
    }

    #[test]
    fn floored_at_half_cap_when_footprint_tiny() {
        // A small idle footprint must NOT charge below half the cap —
        // the floor bounds the overcommit so an under-measure can't
        // starve the host. 100 MiB → 189, floored to 256 + OH.
        assert_eq!(rss_charge_mib(512, 100, OH), 256 + OH);
    }

    #[test]
    fn never_exceeds_the_cap() {
        // Observed at/above the cap → clamped to the conservative cap;
        // rss mode never charges MORE than the default.
        assert_eq!(rss_charge_mib(512, 1000, OH), 512 + OH);
    }
}

impl SpawnConfig {
    /// MiB to reserve from the memory-admission budget for a new worker.
    ///
    /// Default (cap mode): the configured guest RAM + a fixed host
    /// overhead — conservative, assumes the worst case (every worker
    /// fully resident at its `--memory` ceiling).
    ///
    /// rss mode (`SUPERMACHINE_ADMISSION_CHARGE=rss`): the pool's MEASURED
    /// footprint high-water-mark + a 25% margin, but never below half the
    /// configured cap and never above it. This packs more workers when
    /// the configured cap over-provisions (the common case — a 512 MiB VM
    /// running a 120 MiB service). It is an overcommit model — bounded by
    /// the margin, the half-cap floor, the budget's 20% host headroom, and
    /// the pressure backstop — so it's opt-in. Before the HWM is measured
    /// (first spawn) it falls back to the conservative cap.
    fn admission_charge_mib(&self) -> u64 {
        let overhead = crate::memory_admission::WORKER_OVERHEAD_MIB;
        if !rss_admission_charge_enabled() {
            return self.memory_mib as u64 + overhead;
        }
        let observed = self
            .observed_footprint_mib
            .load(std::sync::atomic::Ordering::Relaxed);
        rss_charge_mib(self.memory_mib, observed, overhead)
    }

    /// Spawn ONE worker subprocess in `--pool-worker` mode and
    /// return it ready to serve. The worker handles its initial
    /// snapshot restore on boot and writes a `DONE …` line on
    /// the supervisor control socket once that completes — we
    /// block on that line so callers can treat the returned
    /// `Worker` as fully restored.
    fn spawn_one(&self) -> Result<Worker, Error> {
        use std::os::unix::net::UnixListener;

        // 64-bit hex suffix from `unique_suffix()` (nanos +
        // monotonic counter). Distinct across parallel spawns;
        // collision-free in practice.
        let suffix = unique_suffix();
        let vsock_mux_path = self
            .socks_dir
            .join(format!("{}-{:016x}.sock", self.name_prefix, suffix));
        let vsock_exec_path = {
            let mut p = vsock_mux_path.clone();
            let mut name = p.file_name().unwrap().to_owned();
            name.push("-exec");
            p.set_file_name(name);
            p
        };
        let control_path = {
            let mut p = vsock_mux_path.clone();
            let mut name = p.file_name().unwrap().to_owned();
            name.push("-ctl");
            p.set_file_name(name);
            p
        };
        let _ = std::fs::remove_file(&vsock_mux_path);
        let _ = std::fs::remove_file(&vsock_exec_path);
        let _ = std::fs::remove_file(&control_path);

        // Lib listens on the control socket BEFORE spawning so
        // the worker's `connect()` always finds it.
        let ctl_listener = UnixListener::bind(&control_path).map_err(|e| {
            Error::vm_msg(format!(
                "bind control socket {}: {e}",
                control_path.display()
            ))
        })?;

        // ATOMIC-RENAME SENTINEL POLL: when the Image was returned
        // from an always-pipelined-skip-warm `.build()`, the bg
        // save of `restore.snap` may still be in flight. The worker
        // would fail-fast on `--restore-from` pointing at a missing
        // file. `save_compact_to_file` writes to `<path>.partial`
        // and atomic-renames to `<path>` on completion, so file
        // existence ↔ save complete.
        //
        // Bound at `spawn_timeout` (default 30s; configurable via
        // `VmConfig::restore_timeout`). Steady-state save lands in
        // ~50–200 ms on typical hardware; the cap is well over the
        // p99.99. On timeout, surface a clear error rather than
        // letting the worker fail with a confusing "no such file"
        // message.
        //
        // No-op when the file already exists (the common case for
        // workers spawned after the first acquire, or for Images
        // loaded via `Image::from_snapshot`).
        if !self.snapshot_path.is_file() {
            let poll_t0 = Instant::now();
            let poll_deadline = poll_t0 + self.spawn_timeout;
            let mut backoff = Duration::from_millis(2);
            loop {
                if self.snapshot_path.is_file() {
                    if crate::trace::enabled("timings") {
                        eprintln!(
                            "[spawn_one] waited {:?} for snapshot file to land at {}",
                            poll_t0.elapsed(),
                            self.snapshot_path.display(),
                        );
                    }
                    break;
                }
                if Instant::now() > poll_deadline {
                    let _ = std::fs::remove_file(&control_path);
                    return Err(Error::vm_msg(format!(
                        "worker spawn: snapshot file {} did not appear within {:?} \
                         (bg save in flight from a pipelined bake — increase \
                         `VmConfig::restore_timeout` if your disk is slow)",
                        self.snapshot_path.display(),
                        self.spawn_timeout
                    )));
                }
                std::thread::sleep(backoff);
                backoff = (backoff * 2).min(Duration::from_millis(50));
            }
        }

        let mut cmd = Command::new(&self.worker_bin);
        for layer in &self.layers {
            cmd.arg("--virtio-blk").arg(layer);
        }
        if let Some(delta) = &self.delta_squashfs {
            cmd.arg("--virtio-blk").arg(delta);
        }
        // virtio-fs mounts persisted in the snapshot metadata. The
        // worker re-constructs the VirtioFs devices at the same MMIO
        // slots so the guest's baked-in FDT entries find them.
        // Wire encoding mirrors the bake-time form:
        // `HOST:TAG:GUEST_PATH[:POLICY]`.
        for m in &self.mounts {
            cmd.arg("--mount")
                .arg(format!("{}:{}:{}", m.host_path, m.guest_tag, m.guest_path));
        }
        // virtio-blk volumes persisted in the snapshot metadata.
        // Same critical replay as `mounts`: the FDT baked into the
        // snapshot expects these virtio-blk devices to be present
        // at restore, and init-oci's `mount_volumes()` re-runs
        // post-restore against `/dev/vd<N>`. Without this loop, the
        // post-restore guest mounts ext4 against a non-existent
        // device and reads hang.
        //
        // Wire encoding mirrors the bake-time form:
        // `HOST_FILE:GUEST_PATH:SIZE_BYTES`. Worker's CLI parser
        // builds a `VolumeSpec` from each, attaches a `virtio-blk`
        // device, and orders volumes after `layers + delta` so the
        // guest sees `/dev/vd<n+1>..` (same ordering the bake-time
        // worker used, keeping init-oci's index → device mapping
        // stable across bake and restore).
        //
        // 0.7.50+ COW-on-spawn (was 0.7.49 + restoreOnRelease=true
        // only; broadened to always-on when pristine is available):
        // every spawn clones the pristine to a per-process temp
        // file. The worker's writes land on the temp; the user's
        // host file stays at bake-time content forever.
        //
        // Why always-on, not just for `restoreOnRelease=true`:
        //
        //   * `restoreOnRelease=false` pools share one worker
        //     across acquires within ONE process — writes still
        //     persist within that process (same worker → same COW
        //     temp). The skip-restore semantics are unchanged.
        //   * Across PROCESSES, each new pool gets a fresh COW
        //     clone from the bake-time pristine. Process N's
        //     writes never leak into process N+1's view.
        //
        // Pre-0.7.50 with `restoreOnRelease=false`, the worker
        // wrote directly to the user's host file. The on-disk
        // bytes drifted from the snapshot's in-RAM ext4 state on
        // every cycle. The next process re-opened the same host
        // file with the same in-RAM snapshot and got divergence:
        // EUCLEAN on lstat for files the prior process touched
        // (vite's `.vite/deps`), or silent leakage of bake-foreign
        // files visible only via disk-bypassing probes (the
        // shape this test asserts).
        //
        // On release of a worker with a COW temp:
        //   * `restoreOnRelease=true`: release path at 2503 kills
        //     the worker (RESTORE can't reset open virtio-blk
        //     fds), replenisher spawns a fresh COW-backed worker.
        //   * `restoreOnRelease=false`: release path returns
        //     early at 2481 (push to idle), worker is reused
        //     within the process. The COW temp lives until the
        //     worker dies (Pool drop / shutdown). See
        //     `cow_volume_for_spawn` for the temp path scheme and
        //     `Worker::shutdown` for unlink.
        let cow_volumes_enabled = self.volumes.iter().any(|(_, _, _, p)| p.is_some());
        let mut volume_temp_files: Vec<PathBuf> = Vec::new();
        for (i, (host_file, guest_path, size_bytes, pristine)) in self.volumes.iter().enumerate() {
            let effective_host = if cow_volumes_enabled {
                match pristine.as_ref() {
                    Some(pristine_path) => {
                        match cow_volume_for_spawn(pristine_path, i, suffix) {
                            Ok(temp) => {
                                volume_temp_files.push(temp.clone());
                                temp
                            }
                            Err(e) => {
                                // Clean up any temps we already
                                // made — never strand them in /tmp.
                                for p in &volume_temp_files {
                                    let _ = std::fs::remove_file(p);
                                }
                                let _ = std::fs::remove_file(&control_path);
                                return Err(Error::vm_msg(format!(
                                    "spawn_one: COW volume {}: {e}",
                                    pristine_path.display()
                                )));
                            }
                        }
                    }
                    None => {
                        // Snapshot pre-dates the pristine fix.
                        // One-line warn (rate-limited globally so
                        // multi-volume pools don't spam) then
                        // fall back to legacy behavior.
                        warn_legacy_volume_without_pristine_once(host_file);
                        host_file.clone()
                    }
                }
            } else {
                host_file.clone()
            };
            cmd.arg("--volume").arg(format!(
                "{}:{}:{}",
                effective_host.display(),
                guest_path,
                size_bytes
            ));
        }
        cmd.arg("--memory").arg(self.memory_mib.to_string());
        cmd.arg("--vcpus").arg(self.vcpus.to_string());
        cmd.arg("--restore-from").arg(&self.snapshot_path);
        cmd.arg("--cow-restore");
        cmd.arg("--vsock-mux").arg(&vsock_mux_path);
        cmd.arg("--vsock-exec").arg(&vsock_exec_path);
        cmd.arg("--pool-worker").arg(&control_path);
        // 0.7.44+ pre-compute host IPv6 routing in the lib (cached
        // process-wide) and pass to the worker as an env var. The
        // worker used to run its own probe at startup — ~1-3 ms
        // bind+connect+getsockname on every spawn_one. Identical
        // semantics; the worker still falls back to its local probe
        // if the env var isn't set (direct worker invocation).
        cmd.env(
            "SUPERMACHINE_HOST_IPV6",
            if crate::utils::net::cached_host_ipv6_route() {
                "1"
            } else {
                "0"
            },
        );
        if let Some(pages) = self.balloon_target_pages {
            cmd.arg("--balloon-target-pages").arg(pages.to_string());
        }
        // TSI control-channel auth: re-inject the per-snapshot
        // token so the muxer's expected-prefix matches what the
        // frozen kernel will send on every control DGRAM. See
        // `kernel-build/patches/af-tsi/0014-*.patch`.
        if let Some(hex) = self.tsi_token.as_deref() {
            cmd.arg("--tsi-token").arg(hex);
        }
        // Per-snapshot egress policy: the muxer enforces it at TSI
        // connect time (one-time, never per-packet). Set once at spawn;
        // the worker's process-global policy persists across this
        // worker's cycle-restores. `None` → worker default (allow_all).
        if let Some(policy) = self.egress_policy.as_deref() {
            cmd.arg("--egress-policy").arg(policy);
        }
        // 0.7.44+ pre-exec sync resume. Snapshot was taken with
        // init-oci paused inside `read(0)`. Tell the worker to
        // start its supermachine-pre-exec-resume thread, which
        // pushes 'P\n' shortly after restore so init-oci unblocks.
        // Without this, the restored guest hangs in the read for
        // 30 s, then the SIGALRM fires and the bake/exec continues
        // (slowly + with a "timeout" log line that's confusing).
        if self.pre_exec_sync {
            cmd.env("SUPERMACHINE_PRE_EXEC_SYNC_RESUME", "1");
        }
        // Quiet by default — embedders don't want VM kernel logs
        // on their stdout. SUPERMACHINE_WORKER_LOG=1 to opt in.
        let log_to_stdio = std::env::var("SUPERMACHINE_WORKER_LOG")
            .map(|v| v == "1" || v == "true")
            .unwrap_or(false);
        // Pipe stdout+stderr to a file we can inspect later when the
        // user opts in via SUPERMACHINE_WORKER_LOG_FILE=<path>. A `%`
        // in the path is expanded to THIS worker's unique hex suffix
        // (the same id used for its sockets), so a pool of concurrent
        // workers writes separate, correlatable logs — e.g.
        // `/tmp/sm-worker-%.log` → `/tmp/sm-worker-1a2b...f.log`. This
        // makes a post-mortem (e.g. tracing an "agent closed before
        // EXIT" back to one worker's muxer diagnostics) tractable.
        // Without a `%`, all workers append to the one named file
        // (legacy behaviour; lines from different workers interleave).
        let log_file_path = std::env::var("SUPERMACHINE_WORKER_LOG_FILE").ok().map(|p| {
            if p.contains('%') {
                p.replace('%', &format!("{suffix:016x}"))
            } else {
                p
            }
        });
        if let Some(path) = log_file_path.as_deref() {
            let f = std::fs::OpenOptions::new()
                .create(true)
                .append(true)
                .open(path)
                .ok();
            if let Some(f) = f {
                let f2 = f.try_clone().ok();
                cmd.stdout(Stdio::from(f));
                if let Some(f2) = f2 {
                    cmd.stderr(Stdio::from(f2));
                } else {
                    cmd.stderr(Stdio::null());
                }
            }
        } else if !log_to_stdio {
            cmd.stdout(Stdio::null()).stderr(Stdio::null());
        }

        // Memory admission: reserve this worker's footprint against the
        // process-wide budget BEFORE forking. If too many workers are
        // already live this BLOCKS until one is released, rather than
        // overcommitting host RAM into macOS jetsam/OOM. The reservation
        // rides in the returned `Worker` and is released on drop. Declared
        // before `SpawnCleanup` so an early return kills the child first,
        // then releases the budget. Disabled with
        // SUPERMACHINE_MEMORY_BUDGET_MIB=0.
        //
        // The charge is the configured guest RAM + overhead by default
        // (conservative). With SUPERMACHINE_ADMISSION_CHARGE=rss it's the
        // pool's MEASURED footprint high-water-mark + margin (floored at
        // half the cap), which packs more workers when the configured cap
        // over-provisions — the safe density lever. In that mode a host
        // memory-pressure backstop pauses spawns when the host is actually
        // tight, so the overcommit can't drive jetsam.
        if rss_admission_charge_enabled() {
            crate::memory_admission::await_pressure_relief();
        }
        let admission_guard = crate::memory_admission::admit(self.admission_charge_mib());

        // Boot-rate gate: cap how many spawns BOOT concurrently (vCPU
        // threads + restore are thread/CPU-heavy; a storm can hit EAGAIN).
        // Acquired AFTER the memory admit (consistent global lock order, no
        // AB-BA) and held only as a local for the duration of this boot —
        // it is NOT moved into `Worker`, so it releases when `spawn_one`
        // returns. That caps concurrent boots, never running VMs, so VM
        // density and the acquire/exec hot paths are untouched. On an early
        // return it drops here (frees the slot). Disabled with
        // SUPERMACHINE_MAX_CONCURRENT_SPAWNS=0.
        let _spawn_permit = crate::spawn_concurrency::acquire();

        let __t0 = Instant::now();
        let child = cmd.spawn().map_err(|e| {
            Error::vm_msg(format!("spawn worker {}: {e}", self.worker_bin.display()))
        })?;
        let __t_spawned = __t0.elapsed();

        // RAII cleanup for a partially-spawned worker. Until ownership
        // passes to the returned `Worker` on success, ANY early return
        // (or panic) below must kill the orphaned worker process and
        // unlink its COW volume clones + control socket. Without this a
        // failed handshake (stale agent, restore stall, control-accept
        // timeout) leaks a live `supermachine-worker` process plus up
        // to GiB of `/tmp/supermachine-vol-*.img` per attempt — only
        // swept on the NEXT pool init, not in-run. `child` is otherwise
        // untouched between here and the success `Ok(Worker)`.
        struct SpawnCleanup {
            child: Option<std::process::Child>,
            cleanup_paths: Vec<PathBuf>,
            armed: bool,
        }
        impl Drop for SpawnCleanup {
            fn drop(&mut self) {
                if !self.armed {
                    return;
                }
                if let Some(mut c) = self.child.take() {
                    let _ = c.kill();
                    let _ = c.wait();
                }
                for p in &self.cleanup_paths {
                    let _ = std::fs::remove_file(p);
                }
            }
        }
        let mut spawn_cleanup = {
            let mut cleanup_paths = volume_temp_files.clone();
            cleanup_paths.push(control_path.clone());
            SpawnCleanup {
                child: Some(child),
                cleanup_paths,
                armed: true,
            }
        };

        // Worker connects to ctl_listener once it's far enough
        // through main() to call UnixStream::connect — well
        // before any expensive work. We just accept and read the
        // initial DONE line, which the worker writes after its
        // snapshot restore completes. That means callers get a
        // worker that's truly ready to serve, no further polling.
        ctl_listener
            .set_nonblocking(true)
            .map_err(|e| Error::vm_msg(format!("set control listener nonblocking: {e}")))?;
        let deadline = Instant::now() + self.spawn_timeout;
        let mut backoff = Duration::from_millis(1);
        let stream = loop {
            match ctl_listener.accept() {
                Ok((s, _)) => break s,
                Err(e) if e.kind() == std::io::ErrorKind::WouldBlock => {
                    if Instant::now() > deadline {
                        let _ = std::fs::remove_file(&control_path);
                        return Err(Error::vm_msg(format!(
                            "worker spawn: control connect did not arrive within {:?}",
                            self.spawn_timeout
                        )));
                    }
                    std::thread::sleep(backoff);
                    backoff = (backoff * 2).min(Duration::from_millis(10));
                }
                Err(e) => {
                    let _ = std::fs::remove_file(&control_path);
                    return Err(Error::vm_msg(format!("worker spawn: control accept: {e}")));
                }
            }
        };
        // Switch back to blocking — the rest is line-oriented and
        // synchronous.
        stream
            .set_nonblocking(false)
            .map_err(|e| Error::vm_msg(format!("set control stream blocking: {e}")))?;
        let writer = stream
            .try_clone()
            .map_err(|e| Error::vm_msg(format!("clone control stream: {e}")))?;
        let mut control = ControlChannel {
            reader: std::io::BufReader::new(stream),
            writer,
        };

        // The supervisor protocol opens with a "READY\n" line
        // from the worker (it writes that immediately after
        // connecting, before doing any HVF setup). We then send
        // RESTORE <snap_path>, the worker boots+restores, and
        // writes back DONE us=… host_port=… …
        let ready = match control.read_line() {
            Ok(l) => l,
            Err(e) => {
                let _ = std::fs::remove_file(&control_path);
                return Err(Error::vm_msg(format!("worker spawn: read READY: {e}")));
            }
        };
        if ready.trim() != "READY" {
            let _ = std::fs::remove_file(&control_path);
            return Err(Error::vm_msg(format!(
                "worker spawn: expected READY, got: {}",
                ready.trim()
            )));
        }
        let snap_path_str = self.snapshot_path.to_string_lossy().to_string();
        if let Err(e) = control.send_line(&format!("RESTORE {snap_path_str}")) {
            let _ = std::fs::remove_file(&control_path);
            return Err(Error::vm_msg(format!(
                "worker spawn: send initial RESTORE: {e}"
            )));
        }
        let done = match control.read_line() {
            Ok(l) => l,
            Err(e) => {
                let _ = std::fs::remove_file(&control_path);
                return Err(Error::vm_msg(format!(
                    "worker spawn: read initial DONE: {e}"
                )));
            }
        };
        if !done.starts_with("DONE") {
            let _ = std::fs::remove_file(&control_path);
            return Err(Error::vm_msg(format!(
                "worker spawn: expected initial DONE, got: {}",
                done.trim()
            )));
        }
        if crate::trace::enabled("timings") {
            eprintln!(
                "[spawn_one] spawn={:?} accept_to_done={:?} total={:?}",
                __t_spawned,
                __t0.elapsed() - __t_spawned,
                __t0.elapsed()
            );
        }

        // Probe the in-guest agent's wire-protocol version.
        // Catches the failure mode where a snapshot was baked
        // against a previous supermachine release whose agent
        // doesn't speak the current protocol — without this,
        // unknown JSON fields (stage_files / chain) silently
        // hit serde's `#[serde(default)]` ignore-unknown path
        // and the host sees "exec ran with exit 0" but the
        // staged file was never written.
        //
        // Fast path: skip the probe when the snapshot's recorded
        // `runtime_sha16` matches the current worker binary's
        // SHA16. By construction the in-guest agent shipped at
        // bake time matches what the lib expects — the probe
        // would always succeed, just round-trip for nothing.
        // ~25 ms saved per acquire on the hot path.
        //
        // Multi-vCPU caveat: HVF can't round-trip ICH_LR_EL2
        // (GIC List Registers) cleanly across snapshot/restore,
        // so a multi-vCPU restored guest sometimes RCU-stalls
        // on boot — see docs/design/multi-vcpu-snapshot-
        // intermittency-2026-04-27.md and the deferral note. In
        // that state the agent never responds and the probe
        // times out, masquerading as a stale-agent error.
        // For vcpus > 1 we downgrade probe timeouts to a soft
        // warning instead of failing spawn — the workload's
        // first exec() will surface the real error if the
        // guest is genuinely hung. Definitive stale-agent
        // signals (probe ack with old protocol number) still
        // hard-fail.
        //
        // Post-restore smpark_unpark. The snapshot file was
        // captured with all secondaries parked in WFI inside
        // smpark_park_routine (so HVF's lossy ICH/redistributor
        // round-trip lands on a byte-identical state). On
        // restore, those secondaries come back STILL in the
        // park spin loop with `unpark_signal=0`. Without this
        // RPC, they sit in WFI forever and any task scheduled on
        // them stalls — manifests as `__skb_wait_for_more_packets`
        // hangs on rosettad's UNIX-DGRAM socket when the first
        // amd64 binary tries to start.
        //
        // The agent itself runs on vCPU 0 (the boot vCPU, never
        // parked) so the vsock RPC works pre-unpark. The unpark
        // routine on vCPU 0 sends an IPI to each secondary which
        // wakes them from WFI; they re-check `unpark_signal`,
        // see 1, exit the spin loop, re-enable IRQs, and return
        // from the SGI handler back to whatever the kernel
        // scheduler was doing pre-park (typically the idle loop).
        //
        // Best-effort: agent reports `ok=false` when the kernel
        // module isn't loaded (single-vCPU bake or pre-smpark
        // snapshot) — that surfaces as transport `Ok(_)` here
        // since the agent did ack the request, just with
        // `ok=false`. Either way we ignore the result and let
        // probe_agent_protocol below tell us if the guest is
        // genuinely alive.
        //
        // Skip entirely for single-vCPU — no secondaries to
        // unpark, the RPC is pure overhead (~1-3 ms vsock
        // round-trip). The integrator's `vm.exec()` hot path
        // doesn't need this.
        if self.vcpus > 1 {
            let body = serde_json::json!({ "action": "smpark_unpark" });
            match crate::exec::send_control_with_ack(
                &vsock_exec_path,
                &body,
                Some(Duration::from_secs(2)),
            ) {
                Ok(_) => {}
                Err(e) => {
                    tracing::debug!(
                        error = %e,
                        "post-restore smpark_unpark RPC error (continuing)"
                    );
                }
            }
        }

        // Drop the guest's VFS caches so the first
        // virtio-fs/virtio-blk access after this cold restore
        // re-LOOKUPs through the daemon / re-reads from disk
        // instead of returning stale bytes the snapshot captured
        // alongside RAM. Single-vCPU and multi-vCPU both need
        // this — orthogonal to smpark.
        //
        // 0.7.44+ probe-skip: only safe to skip when there are NO
        // virtio-fs mounts AND no virtio-blk volumes. Both surfaces
        // can have host-side state that drifts between bake and
        // restore (host file changes for mounts; out-of-band volume
        // writes via Vm::stage_files or external dd for volumes).
        // Layers stay read-only and content-addressable, so they
        // don't need invalidation.
        //
        // Saves ~5-15 ms vsock RPC on the dominant
        // Image.build-from-Docker no-mounts no-volumes case.
        if !self.mounts.is_empty() || !self.volumes.is_empty() {
            let _ = drop_vfs_caches_via_agent(&vsock_exec_path, self.memory_mib);
        }
        // 0.7.51+ wall-clock sync. See the matching call in
        // `Worker::send_restore` for the rationale: even pure-image
        // snapshots with no mounts need this — Date.now() in the
        // guest reads CLOCK_REALTIME, which was frozen at snapshot
        // capture and stays frozen across restore (the vtimer
        // state covers CLOCK_MONOTONIC but not the wall-clock
        // offset). Fixes JWT iat/exp, OAuth, TLS cert validation,
        // etc. against external authorities.
        let _ = sync_time_via_agent(&vsock_exec_path);

        let probe_skip = self
            .baker_runtime_sha16
            .as_deref()
            .and_then(|stored| {
                current_worker_sha16(&self.worker_bin).map(|current| stored == current.as_str())
            })
            .unwrap_or(false);
        if !probe_skip {
            if let Err(e) = probe_agent_protocol(&vsock_exec_path, self.vcpus) {
                if self.vcpus > 1 && e.is_likely_multi_vcpu_restore_stall() {
                    eprintln!(
                        "supermachine: WARNING multi-vCPU ({}vCPU) snapshot agent probe \
                         timed out — guest may be RCU-stalled after restore. \
                         Continuing (multi-vCPU is unsupported per design); \
                         workload exec will surface a real error if the guest is hung.",
                        self.vcpus
                    );
                } else {
                    let _ = std::fs::remove_file(&control_path);
                    return Err(e);
                }
            }
        }

        // 0.7.67+ — volume-mount readiness gate. init-oci runs
        // mount_volumes() AFTER the snapshot/exec-ready marker, so a
        // freshly-restored guest can accept execs before /data is
        // mounted. Block until every volume appears in /proc/mounts so
        // the caller's first exec can't read an unmounted volume (the
        // snapshot_combinations "T2" empty-/data race). On failure we
        // return before disarming `spawn_cleanup`, so its armed guard
        // tears down the child — exactly like the probe failure above.
        if !self.volumes.is_empty() {
            #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
            let gps: Vec<String> = self
                .volumes
                .iter()
                .map(|(_, gp, _, _)| gp.clone())
                .collect();
            #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
            if let Err(e) = wait_for_volumes_mounted(&vsock_exec_path, &gps) {
                let _ = std::fs::remove_file(&control_path);
                return Err(e);
            }
        }

        // Spawn succeeded end-to-end: take the child back from the
        // cleanup guard and disarm it (the COW temps + control socket
        // now live for the Worker's lifetime).
        spawn_cleanup.armed = false;
        let child = spawn_cleanup
            .child
            .take()
            .expect("spawn_cleanup holds the child until success");
        // Observability: fold this freshly-restored worker's resident
        // footprint into the pool's high-water-mark. Per-spawn (off the
        // hot path). The admission charge still uses memory_mib unless
        // SUPERMACHINE_ADMISSION_CHARGE=rss opts into the measured charge.
        if let Some(fp) = crate::memory_admission::phys_footprint_mib(child.id()) {
            let prev = self
                .observed_footprint_mib
                .fetch_max(fp, std::sync::atomic::Ordering::Relaxed);
            if fp > prev {
                eprintln!(
                    "[admission] observed worker footprint {fp} MiB (cap {} MiB) — \
                     new high-water-mark",
                    self.memory_mib
                );
            }
        }
        Ok(Worker {
            child,
            vsock_mux_path,
            vsock_exec_path,
            control_path,
            control: Arc::new(Mutex::new(control)),
            last_restore_path: self.snapshot_path.clone(),
            memory_mib: self.memory_mib,
            has_mounts: !self.mounts.is_empty() || !self.volumes.is_empty(),
            volume_guest_paths: self
                .volumes
                .iter()
                .map(|(_, gp, _, _)| gp.clone())
                .collect(),
            vcpus: self.vcpus,
            has_cow_volumes: !volume_temp_files.is_empty(),
            volume_temp_files,
            _admission: admission_guard,
        })
    }
}

/// Clone the pristine to a per-worker
/// `/tmp/supermachine-vol-<pid>-<suffix>-<index>.img`.
///
/// `pid` ties the file back to the process that owns it (used by
/// crash-recovery sweep to safely unlink only files belonging to
/// dead processes). `suffix` is the same `unique_suffix()` used
/// for the worker's socket paths — gives us per-spawn uniqueness
/// without a separate counter.
///
/// Uses the bake crate's `cow_or_copy` helper: APFS clonefile is
/// metadata-only (~µs), so per-spawn cost is negligible on the
/// dominant macOS-APFS path. Falls back to a full `std::fs::copy`
/// on non-APFS filesystems.
///
/// Caller MUST track the returned path on the spawned Worker so
/// the temp gets unlinked when the worker exits.
fn cow_volume_for_spawn(pristine: &Path, index: usize, suffix: u64) -> std::io::Result<PathBuf> {
    let pid = std::process::id();
    let dst =
        std::env::temp_dir().join(format!("supermachine-vol-{pid}-{suffix:016x}-{index}.img"));
    crate::bake::cow_or_copy(pristine, &dst)?;
    Ok(dst)
}

/// Process-wide once-per-process latch around `sweep_stranded_volume_temps`.
/// Pool builds can fire concurrently; only the first one pays the
/// /tmp readdir cost.
fn sweep_volume_temps_once() {
    static SWEPT: std::sync::OnceLock<()> = std::sync::OnceLock::new();
    if SWEPT.get().is_some() {
        return;
    }
    sweep_stranded_volume_temps();
    let _ = SWEPT.set(());
}

/// Best-effort sweep of stranded COW volume temp files in /tmp.
/// Identifies files matching `supermachine-vol-<pid>-*.img` and
/// unlinks them if the owning pid no longer exists. Used by pool
/// construction (one shot per Image-pool init) so a crash in a
/// previous process doesn't leave 4 GiB+ files lying around.
///
/// Live processes are detected via `kill(pid, 0)` — same probe
/// used elsewhere in the codebase for liveness checks. ESRCH ⇒
/// dead, unlink. EPERM ⇒ alive but owned by someone else, skip.
/// On macOS POSIX semantics this is safe even for a pid that has
/// been recycled to a different process (worst case we keep the
/// file; we never unlink a live process's file by mistake).
fn sweep_stranded_volume_temps() {
    let tmp = std::env::temp_dir();
    let entries = match std::fs::read_dir(&tmp) {
        Ok(e) => e,
        Err(_) => return,
    };
    let me = std::process::id();
    for entry in entries.flatten() {
        let fname = entry.file_name();
        let Some(name) = fname.to_str() else {
            continue;
        };
        // Match supermachine-vol-<pid>-...img
        let Some(rest) = name.strip_prefix("supermachine-vol-") else {
            continue;
        };
        if !name.ends_with(".img") {
            continue;
        }
        let Some(dash) = rest.find('-') else {
            continue;
        };
        let pid_str = &rest[..dash];
        let Ok(pid) = pid_str.parse::<i32>() else {
            continue;
        };
        // Never sweep our own files — they belong to live workers
        // that haven't released yet.
        if pid as u32 == me {
            continue;
        }
        // Liveness probe. kill(pid, 0) returns 0 if pid is alive
        // and we have permission to signal it, -1 with errno set
        // otherwise.
        let alive = unsafe { libc::kill(pid, 0) };
        if alive == 0 {
            // Still live, leave it.
            continue;
        }
        let err = std::io::Error::last_os_error();
        // ESRCH: no such pid → safe to unlink. EPERM: pid exists
        // but not signalable by us → conservative skip.
        if err.raw_os_error() != Some(libc::ESRCH) {
            continue;
        }
        let _ = std::fs::remove_file(entry.path());
    }
}

/// Best-effort one-shot warning when a snapshot lacks `pristine`
/// files. Pre-0.7.49 snapshots — fix requires a re-bake. Globally
/// rate-limited so a multi-volume snapshot only logs once total.
fn warn_legacy_volume_without_pristine_once(host_file: &Path) {
    static WARNED: std::sync::OnceLock<()> = std::sync::OnceLock::new();
    if WARNED.get().is_some() {
        return;
    }
    let _ = WARNED.set(());
    eprintln!(
        "supermachine: WARNING snapshot lacks pristine volume bytes (host_file={}); \
         workers will write directly to the host file, leaking state across \
         processes and across `restore_on_release=true` acquires — re-bake \
         under 0.7.49+ for per-spawn COW reset semantics",
        host_file.display()
    );
}

/// Minimum agent wire-protocol version this lib understands.
/// MUST match `AGENT_PROTOCOL` in
/// `crates/supermachine-guest-agent/src/main.rs`. Bump in
/// lockstep when the protocol gains a feature the lib expects
/// the agent to support (e.g. stage_files, chain).
///
/// Version log:
///   1: pre-stage_file. ExecRequest = {argv, env, cwd, tty,
///      cols, rows}. CONTROL actions: signal, write_file,
///      read_file.
///   2: + stage_files + chain on ExecRequest. + probe CONTROL.
///   3: + sync_time CONTROL. The host pushes wall-clock on every
///      restore so the guest's CLOCK_REALTIME doesn't stay frozen
///      at bake-time (which breaks JWT iat/exp, OAuth, TLS cert
///      date validation, etc.). Old snapshots warn via the
///      `probe_agent_protocol` mismatch message — rebake to pick
///      up the new agent.
const HOST_AGENT_PROTOCOL_MIN: u32 = 3;

/// Returns a 16-hex prefix of the SHA-256 of the worker binary at
/// `worker_bin`, cached per-binary-path. Used by the spawn-time
/// probe-skip fast path to compare against the snapshot's stored
/// `runtime_sha16`. Caching is keyed on `(path, file_size,
/// mtime_ns)` so a re-installed worker (same path, new contents)
/// invalidates correctly.
fn current_worker_sha16(worker_bin: &Path) -> Option<String> {
    use std::sync::Mutex;
    static CACHE: Mutex<Option<(PathBuf, u64, u128, String)>> = Mutex::new(None);

    let meta = std::fs::metadata(worker_bin).ok()?;
    let len = meta.len();
    let mtime_ns = meta
        .modified()
        .ok()?
        .duration_since(std::time::UNIX_EPOCH)
        .ok()?
        .as_nanos();

    if let Ok(g) = CACHE.lock() {
        if let Some((p, l, m, sha)) = g.as_ref() {
            if p == worker_bin && *l == len && *m == mtime_ns {
                return Some(sha.clone());
            }
        }
    }

    // 0.7.44+ in-process SHA-256 via ring (same algorithm + same
    // digest format as `bake::sha256_file`, so the comparison still
    // matches metadata.json's `runtime_sha16` written by the bake).
    // ~10× faster than the pre-0.7.44 `shasum` fork (~15 ms of
    // fork+execve overhead saved on first call; subsequent calls
    // hit this function's pre-existing per-binary-path cache and
    // pay nothing).
    use ring::digest::{Context, SHA256};
    use std::io::Read;
    let mut f = std::fs::File::open(worker_bin).ok()?;
    let mut ctx = Context::new(&SHA256);
    let mut buf = [0u8; 64 * 1024];
    loop {
        let n = f.read(&mut buf).ok()?;
        if n == 0 {
            break;
        }
        ctx.update(&buf[..n]);
    }
    let d = ctx.finish();
    let mut digest = String::with_capacity(64);
    for b in d.as_ref() {
        use std::fmt::Write;
        let _ = write!(digest, "{:02x}", b);
    }
    let sha16 = digest[..digest.len().min(16)].to_owned();

    if let Ok(mut g) = CACHE.lock() {
        *g = Some((worker_bin.to_path_buf(), len, mtime_ns, sha16.clone()));
    }
    Some(sha16)
}

/// Tell the in-guest agent to drop the kernel's VFS caches
/// (page + dentry + inode) via `echo 3 > /proc/sys/vm/drop_caches`.
///
/// Why we do this on every restore: a snapshot captures the
/// guest kernel's RAM verbatim — including the VFS caches. After
/// a restore the guest's view of `mounts:` (virtio-fs) and
/// `volumes:` (virtio-blk + ext4) is whatever the kernel cached
/// at capture time. If the host bind file or volume backing file
/// changed between capture and restore (typical: developer
/// edits a `dist/` file in their workspace mount; or
/// `restoreOnRelease: true` cycled and a different exec wrote to
/// the volume between snapshots), the post-restore first read
/// returns the OLD bytes. The FUSE entry/attr validity windows
/// (60 s) are measured in guest jiffies, which are also frozen
/// at snapshot, so the cache stays "fresh" by guest reckoning
/// long after it's actually stale.
///
/// Dropping the caches forces the guest to re-LOOKUP via the
/// virtio-fs daemon (which reports current host attrs) and to
/// re-read ext4 inode/page state from the underlying block
/// device — both of which see post-snapshot host changes
/// correctly.
///
/// Best-effort and silent: the RPC failing (agent missing,
/// vsock wedged, mode-0 opt-out) does NOT abort the restore;
/// the workload may still execute correctly against the stale
/// caches in many cases, and a hard-fail here would be more
/// disruptive than the staleness it prevents.
///
/// Opt-out: `SUPERMACHINE_VFS_AUTO_INVALIDATE=0` skips the RPC.
/// Useful for throughput-sensitive workloads that read mostly
/// from snapshot-stable paths and don't want to pay the
/// ~few-ms drop on every restore.
///
/// Memory note: `drop_caches=3` drops pagecache too, which
/// forces re-reads of the agent's own executable pages and any
/// virtio-blk/ext4 metadata blocks. On a memory-tight guest
/// (alpine 256 MiB after balloon inflate ~ 96 MiB usable), those
/// re-reads can OOM the agent. Production guests using
/// `mounts:`/`volumes:` are typically ≥512 MiB; the OOM is
/// observable only on the smallest test shapes. If you see
/// guest stderr with `Out of memory: Killed process … (supermachine-ag)`
/// after a restore, bump `memoryMib` to ≥512 or set
/// `SUPERMACHINE_VFS_AUTO_INVALIDATE=0`.
///
/// Diagnostic: set `SUPERMACHINE_VFS_TRACE=1` to print each
/// RPC's outcome + latency to host stderr.
fn drop_vfs_caches_via_agent(vsock_exec_path: &Path, memory_mib: u32) -> bool {
    // `SUPERMACHINE_VFS_AUTO_INVALIDATE` accepts:
    //   "0"     — skip the drop (kill-switch for stale-but-fast reads)
    //   "force" — drop even on memoryMib < 512 (accept OOM risk)
    //   anything else / unset — default (drop when memoryMib >= 512)
    //
    // 0.7.36's separate `SUPERMACHINE_VFS_AUTO_INVALIDATE_FORCE=1`
    // was redundant — collapsed here.
    let setting = std::env::var("SUPERMACHINE_VFS_AUTO_INVALIDATE").ok();
    let s = setting.as_deref();
    if s == Some("0") {
        return false;
    }
    let force = s == Some("force") || s == Some("FORCE");
    // Memory gate. `echo 3 > /proc/sys/vm/drop_caches` forces
    // re-reads of the agent's executable pages + virtio-blk/ext4
    // metadata blocks. The agent's pages are mlock'd (in
    // `crates/supermachine-guest-agent/src/main.rs::main`), but the
    // re-read still allocates pagecache for the metadata blocks.
    // On tight-memory guests (≤256 MiB), the post-restore balloon
    // inflate (≈62.5% reclaim per resources.rs) leaves the agent
    // with ≈96 MiB headroom, and the drop's re-reads push the
    // guest into either an OOM-kill of the agent OR (if the agent
    // is OOM-immune) an unrecoverable kernel panic
    // ("System is deadlocked on memory"). Neither is recoverable
    // from the host.
    //
    // 512 MiB threshold: empirically the floor where the agent's
    // exec path doesn't tip over after drop_caches=3.  Smaller
    // guests trade the cache-staleness fix for not crashing — the
    // operator can either bump memoryMib, or explicitly opt in via
    // `SUPERMACHINE_VFS_AUTO_INVALIDATE=force`.
    if memory_mib < 512 && !force {
        if crate::trace::enabled("vfs") {
            eprintln!(
                "[drop_vfs_caches] SKIP memory_mib={memory_mib} < 512 (set \
                 SUPERMACHINE_VFS_AUTO_INVALIDATE=force to override)"
            );
        }
        return false;
    }
    let body = serde_json::json!({ "action": "drop_vfs_caches" });
    let t0 = Instant::now();
    let trace = crate::trace::enabled("vfs");
    match crate::exec::send_control_with_ack(vsock_exec_path, &body, Some(Duration::from_secs(5))) {
        Ok(ack) => {
            if trace {
                eprintln!(
                    "[drop_vfs_caches] OK in {} ms ack={ack:?}",
                    t0.elapsed().as_millis()
                );
            }
            true
        }
        Err(e) => {
            if trace {
                eprintln!(
                    "[drop_vfs_caches] FAIL in {} ms ({e})",
                    t0.elapsed().as_millis()
                );
            }
            tracing::debug!(
                error = %e,
                "drop_vfs_caches RPC error (continuing with stale caches)"
            );
            false
        }
    }
}

/// Push the host's current wall-clock to the guest so its
/// CLOCK_REALTIME advances with host time across restores.
/// See the agent's `SyncTime` doc-comment for the full
/// rationale: the snapshot captures Linux's `xtime` verbatim,
/// so without this RPC `Date.now()` in the guest reports
/// bake-time hours after the host has moved on — breaking JWT
/// iat/exp, OAuth token freshness, TLS NotBefore/NotAfter,
/// etc. CLOCK_MONOTONIC is deliberately untouched (the
/// captured vtimer state preserves it correctly across
/// restore, which is what tokio's timer wheel, in-flight
/// futures, and TCP retransmit timers need).
///
/// Best-effort: if the RPC fails (agent missing, snapshot
/// baked against pre-v3 agent that doesn't understand the
/// action, CAP_SYS_TIME denied) we log via the existing
/// trace channel and continue. Workloads that don't validate
/// timestamps against external authorities are unaffected;
/// ones that do (JWT, TLS) will hit auth failures, which is
/// exactly what they'd see today.
///
/// Opt-out: `SUPERMACHINE_TIME_AUTO_SYNC=0` skips the call.
/// Useful for tests that intentionally exercise frozen-time
/// scenarios.
///
/// Diagnostic: set `SUPERMACHINE_TRACE=time` (or `all`) to
/// print each RPC's outcome + latency to host stderr.
fn sync_time_via_agent(vsock_exec_path: &Path) -> bool {
    if std::env::var("SUPERMACHINE_TIME_AUTO_SYNC").as_deref() == Ok("0") {
        return false;
    }
    let now = match std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH) {
        Ok(d) => d.as_nanos(),
        Err(_) => return false,
    };
    let host_unix_ns = u64::try_from(now).unwrap_or(u64::MAX);
    let body = serde_json::json!({
        "action": "sync_time",
        "host_unix_ns": host_unix_ns,
    });
    let t0 = Instant::now();
    let trace = crate::trace::enabled("time");
    match crate::exec::send_control_with_ack(vsock_exec_path, &body, Some(Duration::from_secs(5))) {
        Ok(ack) => {
            if trace {
                eprintln!(
                    "[sync_time] OK in {} ms ack={ack:?}",
                    t0.elapsed().as_millis()
                );
            }
            true
        }
        Err(e) => {
            if trace {
                eprintln!("[sync_time] FAIL in {} ms ({e})", t0.elapsed().as_millis());
            }
            tracing::debug!(
                error = %e,
                "sync_time RPC error (continuing with frozen wall-clock)"
            );
            false
        }
    }
}

/// First-contact handshake with an in-guest agent. Sends a
/// `probe` CONTROL action; verifies the returned protocol
/// version is at least `HOST_AGENT_PROTOCOL_MIN`. Mismatch →
/// surface a typed `Error` that tells the caller exactly what
/// to do (rebake the snapshot).
///
/// `vcpus` is the snapshot's vCPU count. For vcpus > 1 we use a
/// short timeout (1 s) — a multi-vCPU restored guest either
/// answers within milliseconds or has RCU-stalled and is never
/// going to answer; waiting the full 10 s only delays the
/// downgrade-to-warning path in the spawn caller.
fn probe_agent_protocol(vsock_exec_path: &Path, vcpus: u32) -> Result<(), Error> {
    let timeout = if vcpus > 1 {
        Duration::from_secs(1)
    } else {
        Duration::from_secs(10)
    };
    let body = serde_json::json!({ "action": "probe" });
    let ack = match crate::exec::send_control_with_ack(vsock_exec_path, &body, Some(timeout)) {
        Ok(a) => a,
        Err(e) => {
            // Old agents (pre-protocol-2) don't know "probe"
            // and return ack with ok=false; send_control_with_ack
            // surfaces that as an io::Error with the agent's
            // error message. Any error here = stale agent.
            return Err(Error::vm_msg(format!(
                "agent in this snapshot is from an older supermachine release \
                 (probe failed: {e}). Rebake the snapshot to pick up the new \
                 agent: rm -rf the snapshot dir and re-run your bake (e.g. \
                 `supermachine pull <image> --name <name>`)."
            )));
        }
    };
    let proto = ack.get("protocol").and_then(|v| v.as_u64()).unwrap_or(0) as u32;
    if proto < HOST_AGENT_PROTOCOL_MIN {
        return Err(Error::vm_msg(format!(
            "agent in this snapshot speaks protocol v{proto} but this \
             supermachine library expects v{HOST_AGENT_PROTOCOL_MIN}+. The \
             snapshot was baked against a previous release; rebake to pick up \
             the new agent (rm -rf the snapshot dir and re-run your bake)."
        )));
    }
    Ok(())
}

impl std::fmt::Debug for HiddenPool {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let s = self.state.lock().ok();
        f.debug_struct("HiddenPool")
            .field("socks_dir", &self.socks_dir)
            .field("alive", &s.as_ref().map(|s| s.alive).unwrap_or(usize::MAX))
            .field(
                "idle",
                &s.as_ref().map(|s| s.idle.len()).unwrap_or(usize::MAX),
            )
            .finish()
    }
}

impl HiddenPool {
    /// Explicit shutdown — same effect as dropping the pool, but
    /// callable by name from the high-level API. Sets the
    /// `shutting_down` flag, wakes every `acquire()` caller blocked
    /// on the condvar (they observe the flag and return
    /// `Error::vm_msg("pool is shutting down")`), drains the idle
    /// + dirty queues, and shuts each worker down (QUIT → SIGKILL).
    ///
    /// Idempotent. Subsequent calls are no-ops once the queues are
    /// drained and the flag is set.
    fn shutdown_pool(&self) {
        self.shutting_down.store(true, Ordering::SeqCst);
        self.available.notify_all();
        if let Some(c) = self.dirty_pending.as_ref() {
            c.notify_all();
        }
        if let Ok(mut s) = self.state.lock() {
            while let Some(mut e) = s.idle.pop() {
                e.worker.shutdown();
                s.alive = s.alive.saturating_sub(1);
            }
            if let Some(d) = self.dirty.as_ref() {
                if let Ok(mut q) = d.lock() {
                    while let Some(mut w) = q.pop_front() {
                        w.shutdown();
                        s.alive = s.alive.saturating_sub(1);
                    }
                }
            }
        }
    }
}

impl Drop for HiddenPool {
    fn drop(&mut self) {
        // Signal housekeeping threads to exit. They hold their
        // own clones of the wait-state Arcs (`PoolWaitHandles`),
        // not `Arc<HiddenPool>`, so they don't keep us alive
        // and this drop is allowed to fire as soon as the user-
        // side `Pool` + `Image` references go away. Each thread
        // re-checks `shutting_down` within ~100 ms of its next
        // condvar wait timeout.
        self.shutdown_pool();
        // Best-effort cleanup of the per-pool socks dir.
        let _ = std::fs::remove_dir_all(&self.socks_dir);
    }
}

impl HiddenPool {
    /// Acquire a worker. Three paths:
    ///
    /// 1. **Idle hit (hot path).** A worker is in the idle queue
    ///    — pop and return. ~µs.
    /// 2. **Auto-grow.** No idle worker, but `alive < max`. Bump
    ///    the alive count (reserves a slot before we drop the
    ///    lock), spawn a fresh worker outside the lock, return
    ///    it. ~10-15 ms cold spawn cost.
    /// 3. **Wait.** No idle worker, `alive == max`. Block on the
    ///    `available` condvar with `acquire_timeout`. On timeout
    ///    return `Error::PoolExhausted`.
    fn acquire(&self) -> Result<Worker, Error> {
        let acquire_t0 = Instant::now();
        let acquire_timeout = self.policy.acquire_timeout;
        let mut state = self
            .state
            .lock()
            .map_err(|_| Error::vm_msg("pool mutex poisoned".to_owned()))?;
        loop {
            // Liveness check at pop time. Dead workers are a real
            // failure mode with `restore_on_release(false)`: the
            // worker is returned to idle on Vm drop WITHOUT a cycle
            // restore, so if its process died (HVF crash, SIGKILL,
            // jetsam, etc.) we'd hand the caller a doomed handle
            // whose first `vm.exec` fails with "Connection refused"
            // on the closed vsock socket. Try_wait is non-blocking
            // and cheap; discarding the dead entry + decrementing
            // alive lets the auto-grow path below spawn a fresh
            // worker on the same acquire call.
            //
            // `restore_on_release(true)` workers normally can't
            // reach this branch alive-but-dead because the
            // restorer thread already RESTOREs them on drop (a
            // failed restore would have removed them from the
            // pool). Belt-and-suspenders: same check applies.
            while let Some(mut entry) = state.idle.pop() {
                match entry.worker.child.try_wait() {
                    Ok(None) => {
                        // 0.7.51+ skip-restore wall-clock refresh.
                        // restore_on_release=true workers come off
                        // the dirty queue via send_restore, which
                        // already calls sync_time. restore_on_release
                        // =false workers go straight back to idle on
                        // release without a RESTORE round-trip — so
                        // their CLOCK_REALTIME keeps drifting from
                        // the host's. If the worker has sat idle
                        // for more than a second, push the host's
                        // wall-clock in.
                        //
                        // 1 s threshold: avoids per-acquire RPC
                        // overhead in tight-loop throughput
                        // workloads (where idle time between
                        // acquires is sub-ms and drift is
                        // negligible), while still keeping a
                        // worker-reused-after-an-hour case accurate.
                        // The first-acquire-after-spawn case is
                        // already covered by spawn_one's
                        // sync_time_via_agent call.
                        if !self.policy.restore_on_release {
                            let idle_for = entry.last_used.elapsed();
                            if idle_for > Duration::from_secs(1) {
                                // Drop the lock before the vsock RPC
                                // so we don't block other acquirers
                                // (per-pool global mutex).
                                let exec_path = entry.worker.vsock_exec_path.clone();
                                drop(state);
                                let _ = sync_time_via_agent(&exec_path);
                                return Ok(entry.worker);
                            }
                        }
                        return Ok(entry.worker); // alive
                    }
                    Ok(Some(_status)) => {
                        // Already exited. Decrement alive so the
                        // auto-grow branch (or replenisher) replaces
                        // it. The worker handle's Drop will tidy
                        // sockets without trying to send QUIT to a
                        // dead process.
                        state.alive = state.alive.saturating_sub(1);
                        continue; // try next idle entry
                    }
                    Err(_) => {
                        // Stat failed (e.g. permission, OS weirdness).
                        // Treat as dead — same handling.
                        state.alive = state.alive.saturating_sub(1);
                        continue;
                    }
                }
            }
            if self.shutting_down.load(Ordering::SeqCst) {
                return Err(Error::vm_msg("pool is shutting down".to_owned()));
            }
            // Auto-grow: spawn a worker if we're under the cap.
            // Reserve the alive slot inside the lock so concurrent
            // acquires don't both spawn past max.
            if state.alive < self.policy.max {
                state.alive += 1;
                drop(state);
                let spawned = self.spawn_cfg.spawn_one();
                match spawned {
                    Ok(w) => return Ok(w),
                    Err(e) => {
                        // Roll back the reservation so the pool
                        // doesn't permanently lose the slot.
                        if let Ok(mut s) = self.state.lock() {
                            s.alive = s.alive.saturating_sub(1);
                        }
                        // Wake any other waiters so they can retry
                        // (they may not need to spawn — restorer
                        // could push to idle in the meantime).
                        self.available.notify_all();
                        return Err(e);
                    }
                }
            }
            // At max: wait on condvar with timeout (or forever).
            // If we've already exceeded the budget, return now —
            // don't bother re-entering wait.
            if let Some(total) = acquire_timeout {
                if acquire_t0.elapsed() >= total {
                    return Err(Error::pool_exhausted(format!(
                        "acquire timed out after {total:?}; pool at max ({})",
                        self.policy.max
                    )));
                }
            }
            state.waiting += 1;
            let (new_state, timed_out) = match acquire_timeout {
                None => match self.available.wait(state) {
                    Ok(s) => (s, false),
                    Err(_) => return Err(Error::vm_msg("pool condvar poisoned".to_owned())),
                },
                Some(total) => {
                    let remaining = total.saturating_sub(acquire_t0.elapsed());
                    match self.available.wait_timeout(state, remaining) {
                        Ok((s, r)) => (s, r.timed_out()),
                        Err(_) => return Err(Error::vm_msg("pool condvar poisoned".to_owned())),
                    }
                }
            };
            state = new_state;
            state.waiting = state.waiting.saturating_sub(1);
            if timed_out {
                return Err(Error::pool_exhausted(format!(
                    "acquire timed out after {:?}; pool at max ({})",
                    acquire_timeout.unwrap_or_default(),
                    self.policy.max
                )));
            }
        }
    }

    /// `PooledVm::drop` calls this with the now-dirty worker.
    /// Pushes onto the dirty queue and signals the restorer
    /// thread, which sends a RESTORE command to reset the
    /// worker's guest state and then returns it to the idle
    /// queue. Drop returns to the user immediately — the ~3 ms
    /// restore happens off the user's thread.
    ///
    /// Returns the worker to the dirty queue rather than
    /// killing it. The same supervisor-mode worker process
    /// serves many cycles; we only kill on shutdown or on a
    /// genuine RESTORE protocol failure (then the replenisher
    /// spawns a fresh worker to keep the pool at target size).
    fn release(&self, worker: Worker) {
        // Skip-restore mode: push directly to idle without
        // queueing for the restorer. Per-cycle cost vanishes
        // and the guest's page cache stays warm across uses.
        // Caller opted in via `PoolBuilder::restore_on_release(false)`.
        if !self.policy.restore_on_release {
            if let Ok(mut s) = self.state.lock() {
                s.idle.push(IdleEntry {
                    worker,
                    last_used: Instant::now(),
                });
                self.available.notify_all();
            }
            return;
        }
        // 0.7.49+ COW-volume cycle: kill + respawn instead of
        // RESTORE. RESTORE only rewinds RAM; the worker's open
        // virtio-blk fds keep pointing at temp files that contain
        // the just-finished cycle's writes. Killing the worker
        // unlinks the temp (via shutdown() → drain
        // volume_temp_files), the replenisher spawns a fresh
        // worker which clones a new pristine → temp pair, and the
        // next acquire sees clean ext4 bytes that match the
        // snapshot's captured ext4 RAM state. ~50 ms spawn cost
        // happens off the user's thread (release returns
        // immediately); the next acquire blocks only if
        // replenisher hasn't finished by then.
        //
        // Note: this branch is reachable ONLY under
        // `restore_on_release=true` — the skip-restore early
        // return above (line 2530) covers `=false`, so a worker
        // with `has_cow_volumes=true` and `restore_on_release=false`
        // is reused within the process (same worker → same COW
        // temp → writes persist for that process). The
        // cross-process safety lives in `spawn_one` (every spawn
        // gets a fresh COW from pristine), not here.
        if worker.has_cow_volumes {
            let mut w = worker;
            w.shutdown();
            if let Ok(mut s) = self.state.lock() {
                s.alive = s.alive.saturating_sub(1);
            }
            self.available.notify_all();
            return;
        }
        if let Some(d) = self.dirty.as_ref() {
            if let Ok(mut q) = d.lock() {
                q.push_back(worker);
            }
            if let Some(c) = self.dirty_pending.as_ref() {
                c.notify_all();
            }
        } else {
            // Defensive fallback: if for some reason the dirty
            // queue isn't wired up (shouldn't happen with the
            // current init path), fall back to the old "kill +
            // ask replenisher" behaviour so we never strand a
            // worker.
            let mut w = worker;
            w.shutdown();
            if let Ok(mut s) = self.state.lock() {
                s.alive = s.alive.saturating_sub(1);
            }
            self.available.notify_all();
        }
    }
}

impl Image {
    /// Load an image from the on-disk artifacts produced by
    /// `supermachine run IMAGE`. The argument can be either:
    ///
    /// - The directory containing `metadata.json` and `restore.snap`
    ///   (typical: `~/.local/supermachine-snapshots/<name>/`).
    /// - The `restore.snap` file itself; we read `metadata.json`
    ///   from its parent dir.
    ///
    /// ```sh
    /// supermachine run nginx:1.27-alpine --detach && supermachine run --stop
    /// # snapshot dir: ~/.local/supermachine-snapshots/nginx_1_27-alpine/
    /// ```
    ///
    /// On disk, that directory contains:
    ///
    /// ```text
    /// metadata.json    # layers, memory, vcpus, etc.
    /// restore.snap     # captured VM state (CoW-mappable)
    /// delta.squashfs   # writable overlay layer (optional)
    /// ```
    pub fn from_snapshot(path: impl Into<PathBuf>) -> Result<Self, Error> {
        Self::from_snapshot_inner(path.into(), false)
    }

    /// Like [`Self::from_snapshot`] but tolerates the snapshot
    /// `restore.snap` file being absent — used by the
    /// always-pipelined plain-`build()` path where the bg
    /// `save_compact_to_file` may still be in flight when
    /// `build()` returns. The Image is constructed from
    /// `metadata.json` (which IS written synchronously) and the
    /// stashed warm `BakedWorker` covers the first acquire from
    /// in-memory state. Subsequent `Pool::spawn_one` calls poll
    /// for `snapshot_path.is_file()` before invoking the worker —
    /// `save_compact_to_file` writes to `<path>.partial` and
    /// atomic-renames, so file existence ↔ save complete.
    pub(crate) fn from_snapshot_pending(path: impl Into<PathBuf>) -> Result<Self, Error> {
        Self::from_snapshot_inner(path.into(), true)
    }

    fn from_snapshot_inner(path: PathBuf, allow_pending: bool) -> Result<Self, Error> {
        // Resolve to a (snapshot_path, metadata_path) pair. Under
        // `allow_pending`, the path may be a directory whose
        // `restore.snap` doesn't exist yet — accept that and let
        // spawn_one poll for the file later.
        let (snapshot_path, metadata_path) = if path.is_dir() {
            (path.join("restore.snap"), path.join("metadata.json"))
        } else if path.is_file() {
            let parent = path.parent().ok_or_else(|| {
                Error::image_msg(format!(
                    "snapshot path has no parent dir: {}",
                    path.display()
                ))
            })?;
            (path.clone(), parent.join("metadata.json"))
        } else if allow_pending {
            // Path doesn't exist as either dir or file. With
            // pending we still expect the directory at minimum
            // (metadata.json must live there).
            return Err(Error::image_msg(format!(
                "snapshot path not found: {}",
                path.display()
            )));
        } else {
            return Err(Error::image_msg(format!(
                "snapshot path not found: {}",
                path.display()
            )));
        };

        // metadata.json is required for every backend; read it first so we know
        // the backend before deciding whether a `restore.snap` is mandatory.
        if !metadata_path.is_file() {
            return Err(Error::image_msg(format!(
                "metadata.json not found alongside snapshot at {}",
                metadata_path.display()
            )));
        }

        let meta_text = std::fs::read_to_string(&metadata_path)
            .map_err(|e| Error::image_msg(format!("read {}: {e}", metadata_path.display())))?;
        let meta: serde_json::Value = serde_json::from_str(&meta_text)
            .map_err(|e| Error::image_msg(format!("parse {}: {e}", metadata_path.display())))?;

        // Backend selects the runtime artifact model. HVF restores from a
        // `restore.snap`; KVM ("backend":"kvm") boots COLD from a kernel +
        // agent initramfs (+ optional rootfs disk), so it has no snapshot file.
        let backend = meta
            .get("backend")
            .and_then(|v| v.as_str())
            .unwrap_or("hvf")
            .to_string();
        if !allow_pending && backend != "kvm" && !snapshot_path.is_file() {
            return Err(Error::image_msg(format!(
                "snapshot file not found: {}",
                snapshot_path.display()
            )));
        }

        // Detect snapshots baked under a previous binary version. The
        // bake driver writes the kernel path as
        // `…/supermachine/v<VERSION>/kernel`; if that <VERSION> doesn't
        // match the current crate version, the snapshot's pinned init
        // shim and kernel may be missing fixes (e.g. the loopback
        // bring-up that landed in 0.4.29). Emit a single-line warning
        // so the next `supermachine run` makes the cause obvious.
        warn_if_snapshot_version_mismatch(&meta, &snapshot_path);

        let memory_mib = meta
            .get("memory_mib")
            .and_then(|v| v.as_u64())
            .map(|v| v as u32)
            .unwrap_or(256);
        let vcpus = meta
            .get("vcpus")
            .and_then(|v| v.as_u64())
            .map(|v| v as u32)
            .unwrap_or(1);

        // metadata.json paths may be absolute (default for native
        // bakes that store paths under ~/.local/...) or relative
        // (used by `supermachine bundle --image NAME`, which writes
        // a self-contained dir with `./layers/<sha>.squashfs` style
        // entries). Resolve relative paths against the metadata
        // dir so a bundle works after `cp -r` to a different host.
        let metadata_dir = metadata_path
            .parent()
            .map(Path::to_path_buf)
            .unwrap_or_else(|| PathBuf::from("."));
        let resolve_path = |s: &str| -> PathBuf {
            let p = PathBuf::from(s);
            if p.is_absolute() {
                p
            } else {
                metadata_dir.join(p)
            }
        };

        let layers: Vec<PathBuf> = meta
            .get("layers")
            .and_then(|v| v.as_array())
            .map(|arr| {
                arr.iter()
                    .filter_map(|x| x.as_str().map(resolve_path))
                    .collect()
            })
            .unwrap_or_default();
        let delta_squashfs = meta
            .get("delta_squashfs")
            .and_then(|v| v.as_str())
            .map(resolve_path);

        // Validate that referenced layer files actually exist on disk
        // BEFORE returning `Ok(Self)`. Without this, a warm-tag snapshot
        // whose metadata points at layer files in a *sibling* base
        // snapshot dir (`<base>` vs `<base>__warm__<tag>`) survives a
        // user `rm -rf <base>` and looks loadable to the cache-hit
        // check upstream — but the actual restore fails partway
        // through with `open block device …: No such file or
        // directory` and the worker control socket closes mid-protocol
        // ("read initial DONE: worker control socket closed"). The
        // confusing error mode reproduces exactly when
        // `bake_timing.test.ts` deletes the base dir while a sibling
        // `__warm__<tag>` dir still references it.
        //
        // Returning Err here makes the upstream `PullPolicy::Missing`
        // arm fall through to re-bake instead of trying to restore an
        // inconsistent snapshot. `allow_pending` callers (where
        // restore.snap doesn't exist yet) skip this check because the
        // bake is still in flight and the layer files may not have
        // been materialized yet.
        if !allow_pending {
            for layer in &layers {
                if !layer.is_file() {
                    return Err(Error::image_msg(format!(
                        "snapshot at {} references missing layer file {}: a sibling \
                         snapshot dir was likely deleted (e.g. the base dir of a \
                         `__warm__<tag>` variant). Delete this dir too and re-bake.",
                        snapshot_path.display(),
                        layer.display()
                    )));
                }
            }
            if let Some(delta) = &delta_squashfs {
                if !delta.is_file() {
                    return Err(Error::image_msg(format!(
                        "snapshot at {} references missing delta squashfs {}: a \
                         sibling snapshot dir was likely deleted (e.g. the base dir \
                         of a `__warm__<tag>` variant). Delete this dir too and re-bake.",
                        snapshot_path.display(),
                        delta.display()
                    )));
                }
            }
        }

        // virtio-fs mounts: persisted by the bake driver as
        // `metadata.mounts = [{host_path, guest_tag, guest_path[,
        // symlinks]}, ...]`. `guest_path` is required — snapshots
        // baked by 0.7.27 or earlier (no auto-mount API) are
        // rejected with an actionable error here rather than
        // silently restoring a broken mount tree.
        let mounts: Vec<crate::vmm::resources::MountSpec> = meta
            .get("mounts")
            .and_then(|v| v.as_array())
            .map(|arr| -> Result<Vec<_>, Error> {
                arr.iter()
                    .filter_map(|x| {
                        let host = x.get("host_path")?.as_str()?;
                        let tag = x.get("guest_tag")?.as_str()?;
                        let guest_path = match x.get("guest_path").and_then(|v| v.as_str()) {
                            Some(p) => p,
                            None => {
                                return Some(Err(Error::bake_msg(format!(
                                    "snapshot mount entry for tag `{tag}` has no \
                                     `guest_path` — this snapshot was baked by \
                                     supermachine 0.7.27 or earlier, which used a \
                                     legacy non-auto-mount API. Re-bake with \
                                     `MountSpec::new(host, tag, guest_path)` to \
                                     pin a guest mount point."
                                ))));
                            }
                        };
                        let policy = x
                            .get("symlinks")
                            .and_then(|v| v.as_str())
                            .and_then(parse_symlink_policy)
                            .unwrap_or_default();
                        let m = crate::vmm::resources::MountSpec::new(host, tag, guest_path)
                            .with_symlinks(policy);
                        Some(Ok(m))
                    })
                    .collect()
            })
            .transpose()?
            .unwrap_or_default();

        // virtio-blk volumes: persisted by the bake driver as
        // `metadata.volumes = [{host_file, guest_path, size_bytes,
        // pristine?}, ...]`. host_file/guest_path/size_bytes are
        // required for the warm-restore worker to replay
        // `--volume HOST:GUEST:SIZE`. Pre-0.7.30 snapshots may be
        // missing `size_bytes`; fall back to the default cap then
        // so older snapshots still warm-restore (with a slightly
        // inflated sparse-size hint, which is harmless because the
        // host file already exists with its actual size on disk).
        //
        // 0.7.49+ snapshots also carry a `pristine` path pointing at
        // a captured-at-bake-time copy of `host_file`. 0.7.50+: when
        // present, the pool clones the pristine to a per-process
        // temp file on each spawn regardless of
        // `restoreOnRelease` — every worker writes to its own COW
        // and the user's host file is never mutated by the pool
        // (only by the baker). Missing field (pre-0.7.49) → None;
        // pool falls back to legacy behavior (workers share the
        // user's host file) and logs a one-line warning the first
        // time it's used.
        let volumes: Vec<(PathBuf, String, u64, Option<PathBuf>)> = meta
            .get("volumes")
            .and_then(|v| v.as_array())
            .map(|arr| -> Vec<(PathBuf, String, u64, Option<PathBuf>)> {
                arr.iter()
                    .filter_map(|x| {
                        let host_file = x.get("host_file")?.as_str()?;
                        let guest_path = x.get("guest_path")?.as_str()?;
                        let size_bytes = x
                            .get("size_bytes")
                            .and_then(|v| v.as_u64())
                            .unwrap_or(crate::vmm::resources::VolumeSpec::DEFAULT_SIZE_BYTES);
                        let pristine = x
                            .get("pristine")
                            .and_then(|v| v.as_str())
                            .map(PathBuf::from)
                            .filter(|p| p.is_file());
                        Some((
                            PathBuf::from(host_file),
                            guest_path.to_owned(),
                            size_bytes,
                            pristine,
                        ))
                    })
                    .collect()
            })
            .unwrap_or_default();

        // Bundled kernel discovery: a self-contained bundle puts
        // the kernel image next to the snapshot. Prefer that over
        // host-wide AssetPaths so a shipped `.app` doesn't depend
        // on the user having supermachine installed.
        let bundled_kernel = {
            let cand = metadata_dir.join("kernel");
            if cand.is_file() {
                Some(cand)
            } else {
                None
            }
        };

        let baker_runtime_sha16 = meta
            .get("runtime_sha16")
            .and_then(|v| v.as_str())
            .map(|s| s.to_owned());

        let balloon_target_pages = meta
            .get("balloon_target_pages")
            .and_then(|v| v.as_u64())
            .and_then(|n| u32::try_from(n).ok())
            .filter(|n| *n > 0);

        // metadata.json["tsi_token"]: 64 lowercase hex chars iff
        // present. Pre-0.6.0 snapshots don't have this field;
        // restore in legacy unauthenticated mode (the kernel
        // baked at the same version also lacks the cmdline arg).
        let tsi_token = meta
            .get("tsi_token")
            .and_then(|v| v.as_str())
            .filter(|s| s.len() == 64 && s.bytes().all(|b| b.is_ascii_hexdigit()))
            .map(|s| s.to_ascii_lowercase());

        // metadata.json["egress_policy"]: optional per-snapshot network
        // policy string (allow_all / deny_private / allowlist:<cidrs> /
        // denylist:<cidrs>). Threaded to the worker so the muxer enforces
        // it at TSI connect time. Absent → allow_all (worker default).
        let egress_policy = meta
            .get("egress_policy")
            .and_then(|v| v.as_str())
            .map(|s| s.trim().to_string())
            .filter(|s| !s.is_empty());

        // 0.7.44+ pre-exec sync. true → snapshot was captured with
        // init-oci paused inside `read(0)` at the pre-exec pause
        // point. spawn_one() will set
        // SUPERMACHINE_PRE_EXEC_SYNC_RESUME=1 in the worker env so
        // the resume thread pushes the unblock byte after restore.
        // Absent / false / pre-0.7.44 snapshots use the legacy
        // nanosleep path which doesn't need a host push.
        let pre_exec_sync = meta
            .get("pre_exec_sync")
            .and_then(|v| v.as_bool())
            .unwrap_or(false);

        // Linux/KVM artifacts (only when "backend":"kvm"). kernel + agent
        // initramfs are required; disk (rootfs as /dev/vda) is optional.
        let kvm = if backend == "kvm" {
            let kernel = meta
                .get("kvm_kernel")
                .and_then(|v| v.as_str())
                .map(resolve_path);
            let initrd = meta
                .get("kvm_initrd")
                .and_then(|v| v.as_str())
                .map(resolve_path);
            let disk = meta
                .get("kvm_disk")
                .and_then(|v| v.as_str())
                .map(resolve_path);
            let snapshot = meta
                .get("kvm_snapshot")
                .and_then(|v| v.as_str())
                .map(resolve_path);
            // A KVM image either cold-boots (kernel + initrd) or restores from a
            // snapshot — require one of those shapes.
            if snapshot.is_none() && (kernel.is_none() || initrd.is_none()) {
                return Err(Error::image_msg(
                    "metadata.json \"backend\":\"kvm\" needs either \"kvm_snapshot\", \
                     or both \"kvm_kernel\" and \"kvm_initrd\""
                        .to_owned(),
                ));
            }
            Some(KvmImageParts {
                kernel,
                initrd,
                disk,
                snapshot,
            })
        } else {
            None
        };

        Ok(Self {
            snapshot_path,
            memory_mib,
            vcpus,
            baker_runtime_sha16,
            balloon_target_pages,
            tsi_token,
            egress_policy,
            pre_exec_sync,
            layers,
            delta_squashfs,
            mounts,
            volumes,
            bundled_kernel,
            kvm,
            hidden_pool: std::sync::OnceLock::new(),
            warm_baked_worker: Arc::new(crate::bake::WarmStash::new(None)),
            #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
            kvm_pool: std::sync::OnceLock::new(),
        })
    }

    /// Pull and bake an image from a registry reference, returning
    /// the loadable [`Image`]. Equivalent to running
    /// `supermachine run <image_ref> --no-detach` from a Rust app,
    /// minus the daemon — you get the [`Image`] back, then call
    /// [`Vm::start`] yourself.
    ///
    /// Uses [`PullPolicy::Missing`] (cache-first) by default. For
    /// other policies, see [`Image::from_oci_with_policy`].
    ///
    /// ```no_run
    /// # use supermachine::{Image, Vm, VmConfig};
    /// let image = Image::from_oci("nginx:1.27-alpine")?;
    /// let vm = Vm::start(&image, &VmConfig::new())?;
    /// # let _ = vm; Ok::<(), supermachine::Error>(())
    /// ```
    pub fn from_oci(image_ref: &str) -> Result<Self, Error> {
        Self::from_oci_with_policy(image_ref, PullPolicy::default())
    }

    /// As [`Image::from_oci`] but with an explicit [`PullPolicy`].
    /// See [`PullPolicy`] for the cache + registry interaction
    /// table.
    pub fn from_oci_with_policy(image_ref: &str, policy: PullPolicy) -> Result<Self, Error> {
        let snapshots_dir = default_snapshots_dir();
        Self::from_oci_to_dir(image_ref, policy, &snapshots_dir, None)
    }

    /// Most explicit constructor: pull/bake into a specific
    /// snapshots directory, with an optional explicit name.
    /// Lets you keep multiple "supermachine snapshot stores"
    /// (e.g. per-project), or pin a snapshot under a name that
    /// differs from the image-derived default.
    pub fn from_oci_to_dir(
        image_ref: &str,
        policy: PullPolicy,
        snapshots_dir: &Path,
        name: Option<&str>,
    ) -> Result<Self, Error> {
        // 1. Compute where the cached snapshot would live and
        //    short-circuit on hit (Missing) or miss (Never).
        let derived = name
            .map(|s| s.to_owned())
            .unwrap_or_else(|| crate::bake::snapshot_name_for_image(image_ref));
        let snap_dir = snapshots_dir.join(&derived);
        let cache_loadable = Self::from_snapshot(&snap_dir).is_ok();
        // Version-skew check for Missing/Always: if the cached
        // snapshot was baked under a different binary version,
        // treat as cache-miss and invalidate so the bake below
        // produces a clean tree. Never auto-rebakes on
        // PullPolicy::Never — the operator opted into "fail
        // rather than re-bake."
        let cache_loadable = if cache_loadable && !matches!(policy, PullPolicy::Never) {
            if let Some(baked) = snap_dir_baked_under_other_version(&snap_dir) {
                let current = env!("CARGO_PKG_VERSION");
                eprintln!(
                    "supermachine: snapshot at {} was baked under v{baked}; \
                     current binaries are v{current}. Auto-rebaking.",
                    snap_dir.display()
                );
                invalidate_stale_snapshot_tree(&snap_dir);
                false
            } else {
                true
            }
        } else {
            cache_loadable
        };

        match policy {
            PullPolicy::Never => {
                if cache_loadable {
                    return Self::from_snapshot(&snap_dir);
                }
                let restore_snap = snap_dir.join("restore.snap");
                if restore_snap.is_file() {
                    return Err(Error::cache_invalid(format!(
                        "snapshot present at {} but not loadable on this binary; \
                         rebake required (PullPolicy::Never won't auto-rebake)",
                        snap_dir.display()
                    )));
                }
                return Err(Error::cache_miss(format!(
                    "no cached snapshot for {image_ref} at {} (PullPolicy::Never)",
                    snap_dir.display()
                )));
            }
            PullPolicy::Missing if cache_loadable => {
                return Self::from_snapshot(&snap_dir);
            }
            // Missing+invalid OR Always: fall through to bake.
            _ => {}
        }

        // 2. Bake (cache-miss path). The two backends bake differently:
        //
        //  - KVM (Linux/x86_64): bake the OCI ref straight into the snapshot dir
        //    via the self-contained KVM pipeline (registry pull → rootfs
        //    squashfs → agent initramfs, kernel/busybox/agent from the bundled
        //    supermachine-kernel). No external worker process.
        //
        //  - HVF (macOS/aarch64): the existing run_push worker pipeline (pull →
        //    squashfs → boot worker once → capture snapshot).
        //
        // Both leave a loadable `"backend":...` snapshot under `snap_dir`, so
        // the cache-hit branch above and Image::from_snapshot are shared.
        #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
        return Self::bake_kvm_auto(image_ref, &snap_dir);

        #[cfg(not(all(target_os = "linux", target_arch = "x86_64")))]
        {
            let root = repo_root_for_bake()?;
            let request = crate::bake::BakeRequest {
                image: image_ref.to_owned(),
                name: name.map(|s| s.to_owned()),
                runtime: "supermachine".to_owned(),
                guest_port: 80,
                memory_mib: 256,
                vcpus: 1,
                pull_policy: policy.as_bake_str().to_owned(),
                snapshots_dir: snapshots_dir.to_path_buf(),
                cmd_override: None,
                extra_args: Vec::new(),
                platform: "linux/arm64".to_owned(),
            };
            let bake_t0 = std::time::Instant::now();
            crate::bake::run_push(&request, bake_t0, &root)
                .map_err(|e| map_bake_error(&request.image, e))?;

            // 3. Load the freshly-baked snapshot.
            Self::from_snapshot(&snap_dir)
        }
    }

    /// Builder for configurable bakes — env vars, cmd override,
    /// custom memory / port, custom snapshot name.
    ///
    /// ```no_run
    /// # use supermachine::Image;
    /// let image = Image::builder("nginx:1.27-alpine")
    ///     .with_name("nginx-prod")
    ///     .with_memory_mib(512)
    ///     .with_env("FOO", "bar")
    ///     .with_cmd(["nginx", "-g", "daemon off;"])
    ///     .build()?;
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    ///
    /// The builder produces a different snapshot for each
    /// configuration — bake-time inputs are part of the snapshot
    /// fingerprint. Reuse a name across configurations and the
    /// previous snapshot is invalidated; pick distinct names if
    /// you need both side-by-side.
    pub fn builder(image_ref: impl Into<String>) -> OciImageBuilder {
        OciImageBuilder::new(image_ref)
    }

    /// Get an [`Image`] for `name`, baking it from `image_ref`
    /// only if a compatible snapshot doesn't already exist.
    ///
    /// This is the right call for app startup. The first run
    /// bakes (one-time cost: the registry pull + snapshot build,
    /// e.g. ~12 s for `rust:1-slim`); subsequent runs see the
    /// cached snapshot and return in microseconds. After a
    /// `cargo update` that bumped the supermachine version, the
    /// cached snapshot's bake-key no longer matches the current
    /// worker binary, and `ensure_baked` rebakes automatically —
    /// no shell scripts, no manual `rm -rf snapshots/`.
    ///
    /// `configure` is a builder closure: chain
    /// [`OciImageBuilder`] methods like `with_memory_mib`,
    /// `with_cmd`, `with_env` to customize the bake. Pass
    /// `|b| b` for defaults.
    ///
    /// ```no_run
    /// use std::time::Duration;
    /// use supermachine::{Image, VmConfig};
    ///
    /// // Bake once on first run, reuse forever after — including
    /// // across supermachine version upgrades.
    /// let image = Image::ensure_baked("rust_1_slim", "rust:1-slim", |b| {
    ///     b.with_memory_mib(2048)
    /// })?;
    /// // Configure pool: 5 always-warm, scale to 50 under burst.
    /// let pool = image.pool().min(5).max(50).build()?;
    ///
    /// // Per-task path:
    /// let vm = pool.acquire()?;
    /// vm.write_file("/tmp/main.rs", b"fn main() { println!(\"hi\"); }")?;
    /// let out = vm.exec_builder()
    ///     .argv(["sh", "-c", "rustc /tmp/main.rs -o /tmp/m && /tmp/m"])
    ///     .timeout(Duration::from_secs(30))
    ///     .output()?;
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    pub fn ensure_baked<F>(
        name: impl Into<String>,
        image_ref: impl Into<String>,
        configure: F,
    ) -> Result<Image, Error>
    where
        F: FnOnce(OciImageBuilder) -> OciImageBuilder,
    {
        let builder = configure(OciImageBuilder::new(image_ref).with_name(name));
        builder.build()
    }

    /// Path to the snapshot file backing this image.
    pub fn snapshot_path(&self) -> &Path {
        &self.snapshot_path
    }

    /// Memory the snapshot was baked with. [`Vm::start`] uses
    /// this if [`VmConfig::with_memory_mib`] isn't set.
    pub fn memory_mib(&self) -> u32 {
        self.memory_mib
    }

    /// vCPUs the snapshot was baked with.
    pub fn vcpus(&self) -> u32 {
        self.vcpus
    }

    /// Test-only accessor for `balloon_target_pages` — the
    /// integration tests assert the metadata round-trip. Hidden
    /// from rustdoc; not part of the stable surface.
    #[doc(hidden)]
    pub fn balloon_target_pages_for_test(&self) -> Option<u32> {
        self.balloon_target_pages
    }

    /// Start a one-shot microVM from this image. Equivalent to
    /// [`Vm::start(self, config)`][Vm::start] but reads more
    /// naturally at the call site:
    ///
    /// ```no_run
    /// # use supermachine::{Image, VmConfig};
    /// let image = Image::from_snapshot("path/to/snapshot")?;
    /// let vm = image.start(&VmConfig::new())?;
    /// // ... use vm ...
    /// vm.stop()?;
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    ///
    /// Use [`Image::acquire`] instead if you want a `PooledVm`
    /// that returns to a (hidden) pool on `Drop` for cheaper
    /// reuse — typical for evaluation harnesses, CI verifiers,
    /// or any code that runs many short-lived VMs of the same
    /// image back-to-back.
    #[cfg(any(
        all(target_os = "macos", target_arch = "aarch64"),
        all(target_os = "linux", target_arch = "x86_64")
    ))]
    pub fn start(&self, config: &VmConfig) -> Result<Vm, Error> {
        Vm::start(self, config)
    }

    /// Bake a KVM-bootable [`Image`] from OCI layer tarballs (Linux/x86_64).
    ///
    /// Merges `layer_tars` (bottom-up, OCI whiteouts applied) into one rootfs
    /// squashfs attached as `/dev/vda`, and writes a `"backend":"kvm"` snapshot
    /// dir under `dest_dir` referencing `kernel` (bzImage) and `agent_initrd`
    /// (the PID-1 exec agent). The result loads + runs via [`Image::start`] /
    /// [`Image::acquire`].
    ///
    /// Remaining KVM-bake pieces (not yet automated here): OCI-ref → layer tars
    /// (registry pull / `docker save` extraction) and a self-contained agent
    /// initramfs. This consumes already-materialized layer tars + a prebuilt
    /// agent initramfs.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn bake_kvm(
        layer_tars: &[PathBuf],
        kernel: &Path,
        agent_initrd: &Path,
        dest_dir: impl Into<PathBuf>,
    ) -> Result<Image, Error> {
        Self::bake_kvm_with_workload(layer_tars, kernel, agent_initrd, None, dest_dir)
    }

    /// Like [`bake_kvm`](Image::bake_kvm) but also bakes the OCI workload-launch
    /// script (`Entrypoint`/`Cmd`/`Env`/`WorkingDir` → `sh`) into the rootfs at
    /// `/.supermachine/run-workload`, so the guest starts the image's command
    /// (nginx, a server, …) and not just the agent. `bake_kvm_from_ref` derives
    /// the script from the pulled image config; `bake_kvm` passes `None` (the
    /// agent-only path, for prebuilt layer tars with no resolvable config).
    pub fn bake_kvm_with_workload(
        layer_tars: &[PathBuf],
        kernel: &Path,
        agent_initrd: &Path,
        workload_script: Option<&str>,
        dest_dir: impl Into<PathBuf>,
    ) -> Result<Image, Error> {
        let dest = dest_dir.into();
        std::fs::create_dir_all(&dest).map_err(Error::Io)?;
        let rootfs = dest.join("rootfs.squashfs");
        let stage = dest.join("rootfs-stage");
        crate::bake::build_kvm_rootfs_squashfs(layer_tars, &stage, &rootfs, workload_script)
            .map_err(Error::bake_msg)?;
        let _ = std::fs::remove_dir_all(&stage);
        // Physical footprint (rootfs + kernel + initrd) so `supermachine images`
        // can show a SIZE without a separate HVF-style `snapshot_physical_bytes`
        // probe; `baked_at` (RFC3339) matches the HVF metadata so `images` sorts
        // newest-first across backends.
        let phys = std::fs::metadata(&rootfs).map(|m| m.len()).unwrap_or(0)
            + std::fs::metadata(kernel).map(|m| m.len()).unwrap_or(0)
            + std::fs::metadata(agent_initrd)
                .map(|m| m.len())
                .unwrap_or(0);
        let metadata = serde_json::json!({
            "backend": "kvm",
            "kvm_kernel": kernel.to_string_lossy(),
            "kvm_initrd": agent_initrd.to_string_lossy(),
            "kvm_disk": rootfs.to_string_lossy(),
            "memory_mib": 512,
            "vcpus": 1,
            // Bake-time balloon inflation target (~75% of memory in 4 KiB pages),
            // so a restored KVM VM auto-inflates idle RAM like HVF.
            "balloon_target_pages": crate::bake::compute_balloon_target_pages(512),
            "baked_at": chrono_rfc3339_now(),
            "snapshot_physical_bytes": phys,
        });
        std::fs::write(
            dest.join("metadata.json"),
            serde_json::to_string_pretty(&metadata)
                .map_err(|e| Error::bake_msg(format!("metadata serialize: {e}")))?,
        )
        .map_err(Error::Io)?;
        Image::from_snapshot(&dest)
    }

    /// Bake a KVM-bootable [`Image`] directly from an OCI image reference
    /// (Linux/x86_64) — e.g. `"alpine:3.20"` or `"docker.io/library/busybox"`.
    ///
    /// Pulls the image (registry-direct by default — no Docker daemon; honors
    /// `SUPERMACHINE_IMAGE_SOURCE` + `oci-layout:` / `oci-archive:` refs),
    /// resolves its amd64 layers, and delegates to [`Image::bake_kvm`]. Still
    /// takes a prebuilt `agent_initrd` (the self-contained agent cpio is the
    /// remaining bake piece).
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn bake_kvm_from_ref(
        image_ref: &str,
        kernel: &Path,
        agent_initrd: &Path,
        dest_dir: impl Into<PathBuf>,
    ) -> Result<Image, Error> {
        let dest = dest_dir.into();
        std::fs::create_dir_all(&dest).map_err(Error::Io)?;
        let pull_work = dest.join("oci-pull");
        let t_pull = std::time::Instant::now();
        let (layers, workload) = crate::bake::pull_oci_layers(image_ref, "amd64", &pull_work)
            .map_err(Error::bake_msg)?;
        let pull_ms = t_pull.elapsed().as_millis();
        let t_build = std::time::Instant::now();
        let img = Self::bake_kvm_with_workload(
            &layers,
            kernel,
            agent_initrd,
            workload.as_deref(),
            dest.clone(),
        )?;
        if crate::trace::enabled("run") {
            eprintln!(
                "supermachine: kvm bake phases pull_oci_ms={} build_rootfs_ms={}",
                pull_ms,
                t_build.elapsed().as_millis()
            );
        }
        // Record the original image ref into metadata.json so `supermachine images`
        // shows the IMAGE column (the bake itself only knows resolved layers).
        let meta_path = dest.join("metadata.json");
        if let Ok(text) = std::fs::read_to_string(&meta_path) {
            if let Ok(mut json) = serde_json::from_str::<serde_json::Value>(&text) {
                if let Some(obj) = json.as_object_mut() {
                    obj.insert("image".to_string(), serde_json::json!(image_ref));
                    if let Ok(pretty) = serde_json::to_string_pretty(&json) {
                        let _ = std::fs::write(&meta_path, pretty);
                    }
                }
            }
        }
        Ok(img)
    }

    /// Bake a KVM-bootable [`Image`] from an OCI reference with **zero asset
    /// paths** (Linux/x86_64) — the fully hands-off entry point:
    ///
    /// ```no_run
    /// let img = supermachine::Image::bake_kvm_auto("alpine", "/tmp/alpine-vm")?;
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    ///
    /// The guest kernel, `busybox`, and in-VM agent are all sourced from the
    /// bundled `supermachine-kernel` crate (its x86_64 sub-crate, selected by
    /// `target_arch`), so the caller never points at a kernel build or builds
    /// an initramfs. Internally it extracts the bundled minimal module-free
    /// bzImage, assembles the agent initramfs in-process from the bundled
    /// busybox + agent (no kernel modules — vsock/squashfs/overlay are built
    /// in), then delegates to [`bake_kvm_from_ref`](Image::bake_kvm_from_ref).
    /// All artifacts land under `dest_dir`, so the snapshot is self-contained.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn bake_kvm_auto(image_ref: &str, dest_dir: impl Into<PathBuf>) -> Result<Image, Error> {
        let dest = dest_dir.into();
        std::fs::create_dir_all(&dest).map_err(Error::Io)?;
        let t_assets = std::time::Instant::now();
        let (kernel, initrd) = Self::extract_bundled_kvm_boot_assets(&dest)?;
        if crate::trace::enabled("run") {
            eprintln!(
                "supermachine: kvm boot-assets extract_ms={}",
                t_assets.elapsed().as_millis()
            );
        }
        Self::bake_kvm_from_ref(image_ref, &kernel, &initrd, dest)
    }

    /// Extract the bundled, hands-off KVM boot assets into `dest`: the minimal
    /// module-free x86_64 guest kernel (`dest/kernel`) and an in-process-assembled
    /// agent initramfs (`dest/agent.cpio`, from the bundled busybox + agent — the
    /// kernel has virtio-vsock/squashfs/overlayfs built in, MODULES=n, so no
    /// modules are staged). Shared by [`bake_kvm_auto`](Image::bake_kvm_auto) and
    /// [`bake_kvm_from_squashfs_auto`](Image::bake_kvm_from_squashfs_auto) so both
    /// hands-off bake entry points source boot assets the one same way.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    fn extract_bundled_kvm_boot_assets(dest: &Path) -> Result<(PathBuf, PathBuf), Error> {
        let kernel = dest.join("kernel");
        // `SUPERMACHINE_KVM_KERNEL=/path/to/bzImage` overrides the bundled guest
        // kernel — used to validate experimental kernels (e.g. the virtio-fs/DAX
        // build) without re-bundling. Falls back to the bundled kernel if unset.
        match std::env::var_os("SUPERMACHINE_KVM_KERNEL") {
            Some(p) if std::path::Path::new(&p).is_file() => {
                std::fs::copy(&p, &kernel).map_err(Error::Io)?;
            }
            _ => supermachine_kernel::extract_kernel_to(&kernel).map_err(Error::Io)?,
        }
        let assets = dest.join("agent-assets");
        std::fs::create_dir_all(&assets).map_err(Error::Io)?;
        let agent_bin = assets.join("supermachine-agent");
        let busybox_bin = assets.join("busybox");
        supermachine_kernel::extract_supermachine_agent_to(&agent_bin).map_err(Error::Io)?;
        supermachine_kernel::extract_busybox_to(&busybox_bin).map_err(Error::Io)?;
        let initrd = dest.join("agent.cpio");
        crate::bake::build_kvm_agent_initramfs(&agent_bin, &busybox_bin, &[], &initrd)
            .map_err(Error::bake_msg)?;
        let _ = std::fs::remove_dir_all(&assets);
        Ok((kernel, initrd))
    }

    /// Wrap an already-built read-only `rootfs.squashfs` as a KVM-bootable
    /// [`Image`] — the same rootfs format [`bake_kvm`](Image::bake_kvm) produces,
    /// but with **no layer re-extraction**. This is the re-import side of the
    /// in-VM builder's RAM-density loop: a built image is flattened to a shared
    /// read-only squashfs by [`commit_squashfs`](crate::builder::commit_squashfs),
    /// then booted back with an EMPTY tmpfs overlay upper — so the build's files
    /// live in the squashfs (page-cache shared CoW across every booted VM) instead
    /// of each VM's private tmpfs RAM. The squashfs is placed at `dest/rootfs.squashfs`
    /// (copied in only if it isn't already there — `commit_squashfs` can write it
    /// straight into `dest`, making this copy-free).
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn bake_kvm_from_squashfs(
        squashfs: &Path,
        kernel: &Path,
        agent_initrd: &Path,
        dest_dir: impl Into<PathBuf>,
    ) -> Result<Image, Error> {
        let dest = dest_dir.into();
        std::fs::create_dir_all(&dest).map_err(Error::Io)?;
        let rootfs = dest.join("rootfs.squashfs");
        if squashfs != rootfs {
            std::fs::copy(squashfs, &rootfs).map_err(Error::Io)?;
        }
        let metadata = serde_json::json!({
            "backend": "kvm",
            "kvm_kernel": kernel.to_string_lossy(),
            "kvm_initrd": agent_initrd.to_string_lossy(),
            "kvm_disk": rootfs.to_string_lossy(),
            "memory_mib": 512,
            "vcpus": 1,
            "balloon_target_pages": crate::bake::compute_balloon_target_pages(512),
        });
        std::fs::write(
            dest.join("metadata.json"),
            serde_json::to_string_pretty(&metadata)
                .map_err(|e| Error::bake_msg(format!("metadata serialize: {e}")))?,
        )
        .map_err(Error::Io)?;
        Image::from_snapshot(&dest)
    }

    /// Hands-off variant of [`bake_kvm_from_squashfs`](Image::bake_kvm_from_squashfs):
    /// source the guest kernel + agent initramfs from the bundled crate assets
    /// (like [`bake_kvm_auto`](Image::bake_kvm_auto)), so the caller only supplies
    /// the committed squashfs + a destination.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn bake_kvm_from_squashfs_auto(
        squashfs: &Path,
        dest_dir: impl Into<PathBuf>,
    ) -> Result<Image, Error> {
        let dest = dest_dir.into();
        std::fs::create_dir_all(&dest).map_err(Error::Io)?;
        let (kernel, initrd) = Self::extract_bundled_kvm_boot_assets(&dest)?;
        Self::bake_kvm_from_squashfs(squashfs, &kernel, &initrd, dest)
    }

    /// Assemble a self-contained KVM agent initramfs (Linux/x86_64) in-process,
    /// for use as the `agent_initrd` of [`bake_kvm`](Image::bake_kvm) /
    /// [`bake_kvm_from_ref`](Image::bake_kvm_from_ref).
    ///
    /// Builds a `newc` cpio whose PID-1 init mounts `/proc` + `/dev`, `insmod`s
    /// `ordered_modules` (`.ko` or `.ko.zst`, in order), mounts the rootfs disk
    /// (`/dev/vda`) at `/mnt`, and execs the agent — no external `cpio`/busybox
    /// build step. (A vsock-built-in kernel would drop the module list.)
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn build_kvm_initramfs(
        agent_bin: &Path,
        busybox_bin: &Path,
        ordered_modules: &[PathBuf],
        out_cpio: &Path,
    ) -> Result<(), Error> {
        crate::bake::build_kvm_agent_initramfs(agent_bin, busybox_bin, ordered_modules, out_cpio)
            .map_err(Error::bake_msg)
    }

    /// Acquire a microVM from this image's hidden pool. Returns
    /// a [`PooledVm`] which `Deref`s to [`Vm`] and returns to
    /// the pool on `Drop`. Use this for the common
    /// "spin up a VM, do one task, throw it away, do another"
    /// loop — the pool keeps re-restoring from the same snapshot
    /// behind the scenes so per-iteration cost stays at the
    /// snapshot-restore floor (~5 ms on Apple Silicon).
    ///
    /// ```no_run
    /// # use supermachine::{Image, VmConfig};
    /// # use std::time::Duration;
    /// let image = Image::from_snapshot("path/to/rust-slim")?;
    /// for src in ["fn main() {}", "fn main() { panic!() }"] {
    ///     let vm = image.acquire()?;
    ///     vm.write_file("/tmp/main.rs", src.as_bytes())?;
    ///     let out = vm.exec_builder()
    ///         .argv(["sh", "-c", "rustc /tmp/main.rs -o /tmp/m && /tmp/m"])
    ///         .timeout(Duration::from_secs(30))
    ///         .output()?;
    ///     println!("status={:?} out={:?}", out.status.code(), out.stdout);
    ///     // vm dropped here — returned to pool, restored from snapshot
    /// }
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    ///
    /// ## Pool sizing
    ///
    /// `Image::acquire` uses an ambient pool with default policy
    /// (`min=0`, `max=64`, `idle_timeout=60s`,
    /// `acquire_timeout=60s`). For an explicit policy use
    /// [`Image::pool`] to build a [`Pool`] and call
    /// `pool.acquire()` instead.
    ///
    /// Per-acquire cost is the snapshot restore (~3 ms on Apple
    /// Silicon) when an idle worker is available; cold spawn
    /// (lazy-grow path) is ~15 ms. The pool auto-grows up to
    /// `max` under burst and auto-evicts above-`min` workers
    /// after they sit idle for `idle_timeout`.
    #[cfg(any(
        all(target_os = "macos", target_arch = "aarch64"),
        all(target_os = "linux", target_arch = "x86_64")
    ))]
    pub fn acquire(&self) -> Result<PooledVm<'_>, Error> {
        self.acquire_with(&VmConfig::new())
    }

    /// Like [`Image::acquire`] but with an explicit
    /// [`VmConfig`] (overrides for memory, vCPUs, asset paths,
    /// **pool size**, etc.). The config is honored on **first**
    /// acquire — when the pool is built. Subsequent acquires
    /// reuse the existing pool regardless of `config`. This is
    /// fine for most use cases; create a fresh `Image` if you
    /// need a different config without restarting your app.
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    pub fn acquire_with(&self, config: &VmConfig) -> Result<PooledVm<'_>, Error> {
        let _span = tracing::info_span!(
            "supermachine.acquire",
            memory_mib = self.memory_mib,
            vcpus = self.vcpus,
        )
        .entered();
        let pool_arc = self.ensure_default_pool(config)?;
        let worker = pool_arc.acquire()?;
        let vm = Vm {
            pool: None,
            vsock_mux_path: worker.vsock_mux_path.clone(),
            vsock_exec_path: worker.vsock_exec_path.clone(),
            own_vsock_mux_dir: None,
            skip_cleanup: true,
            // Populate image_meta from the source Image so
            // `Vm::snapshot` can build metadata.json. The
            // capture itself runs over the worker subprocess's
            // supervisor protocol — see `Vm::snapshot`'s pool-
            // worker dispatch path. No HVF-entitlement
            // requirement on the calling binary.
            image_meta: Some(Arc::new(ImageMeta {
                memory_mib: config.memory_mib.unwrap_or(self.memory_mib),
                vcpus: config.vcpus.unwrap_or(self.vcpus),
                layers: self.layers.clone(),
                delta_squashfs: self.delta_squashfs.clone(),
            })),
        };
        Ok(PooledVm {
            vm: Some(vm),
            worker: Some(worker),
            pool_arc: Arc::clone(pool_arc),
            _image: std::marker::PhantomData,
        })
    }

    /// Linux/KVM `Image::acquire_with`: acquires from an ambient warm pool built
    /// lazily on first use (boot → snapshot once), so each acquire is a CoW
    /// restore (~ms) instead of a cold boot (~1s). The pool is cached on the
    /// Image (shared across clones); the first call's `config` fixes its policy/
    /// memory — for per-acquire control use an explicit [`Image::pool`]. Falls
    /// back to a cold [`Vm::start`] if warming fails.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn acquire_with(&self, config: &VmConfig) -> Result<PooledVm<'_>, Error> {
        if self.kvm_pool.get().is_none() {
            // Warm once + cache. A lost race just wastes one warm-up; the first
            // value stored in the OnceLock wins and both threads use it. The
            // ambient pool uses default policy (min=0 → no idle pre-warm; each
            // acquire is a ~ms CoW restore). Use an explicit Image::pool for a
            // min>0 always-warm idle set.
            if let Ok(warm) = warm_snapshot_for_pool(self, config) {
                let pol = PoolPolicy::default();
                let inner = Arc::new(KvmPoolInner {
                    image: warm,
                    vm_config: config.clone(),
                    min: 0,
                    idle: std::sync::Mutex::new(Vec::new()),
                    admission: Admission::new(pol.max, pol.acquire_timeout),
                    restore_on_release: pol.restore_on_release,
                    refilling: std::sync::atomic::AtomicBool::new(false),
                    shut_down: std::sync::atomic::AtomicBool::new(false),
                });
                let _ = self.kvm_pool.set(Arc::new(Pool { kvm: inner }));
            }
        }
        if let Some(pool) = self.kvm_pool.get() {
            return pool.acquire();
        }
        // Warming failed (e.g. agent never came up) — cold start as a fallback.
        let vm = Vm::start(self, config)?;
        Ok(PooledVm {
            vm: Some(vm),
            pool: None,
            _image: std::marker::PhantomData,
        })
    }

    /// Configure an explicit pool against this image. Use when
    /// you want auto-scaling or fine control over min/max/idle/
    /// acquire timeouts; for the simple case
    /// `image.acquire()` already manages an ambient default-
    /// policy pool for you.
    ///
    /// ```no_run
    /// # use std::time::Duration;
    /// # use supermachine::Image;
    /// let image = Image::ensure_baked("rust_warm", "rust:1-slim", |b| b)?;
    /// // Auto-scale 5..=50, evict idle workers after 60s,
    /// // fail acquire if pool stays at max for >10s:
    /// let pool = image.pool()
    ///     .min(5)
    ///     .max(50)
    ///     .idle_timeout(Duration::from_secs(60))
    ///     .acquire_timeout(Duration::from_secs(10))
    ///     .build()?;
    /// let vm = pool.acquire()?;
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    pub fn pool(&self) -> PoolBuilder<'_> {
        PoolBuilder {
            image: self,
            policy: PoolPolicy::default(),
            vm_config: VmConfig::new(),
        }
    }

    /// Build a fresh `HiddenPool` against `policy`, store it in
    /// `self.hidden_pool`, return the borrowed Arc.
    /// Build a fresh standalone `HiddenPool`. Caller decides
    /// what to do with the Arc — `acquire()` parks it in the
    /// per-Image `hidden_pool` OnceLock; `pool().build()`
    /// returns it as a `Pool` to the caller.
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    fn build_pool_arc(
        &self,
        config: &VmConfig,
        policy: PoolPolicy,
    ) -> Result<Arc<HiddenPool>, Error> {
        // 0.7.49+ best-effort sweep of stranded COW volume temps in
        // /tmp left by previously-crashed processes. Idempotent + per-
        // process (a OnceLock latches the first call). Cheap when /tmp
        // is clean; bounded by /tmp entry count on a busy host.
        sweep_volume_temps_once();
        // Find supermachine-worker. Tries env override, sibling-
        // of-current-exe (cargo install layout), dev-tree
        // target/release (workspace).
        #[cfg(target_os = "macos")]
        let worker_bin = {
            // Three resolution modes:
            //
            //   1. `SUPERMACHINE_WORKER_BIN` set:
            //      Explicit user override. Use the path AS-IS — no
            //      copy, no codesign mutation. Devs running a custom
            //      worker against the library expect this.
            //
            //   2. `SUPERMACHINE_WORKER_BIN_BUNDLED` set:
            //      The npm JS shim (`npm/supermachine-core/index.js`)
            //      sets this to `@supermachine/core-darwin-arm64/
            //      supermachine-worker`. We treat it as a SOURCE and
            //      copy to the per-version user-data dir, signing
            //      the COPY there. Critical for npm consumers: the
            //      node_modules path is never codesign-rewritten, so
            //      npm's integrity model isn't violated and the
            //      stuck-`.cstemp`-with-uchg recovery loop that
            //      wedged 0.7.27 installs can't happen on
            //      node_modules.
            //
            //   3. Neither set:
            //      Fall back to `codesign::locate_worker_bin`'s
            //      sibling-of-current-exe + ~/.cargo/bin + $PATH
            //      walk. The found path is then copied to user-dir
            //      and signed there, same as mode 2.
            if let Some(p) = std::env::var_os("SUPERMACHINE_WORKER_BIN") {
                let p = PathBuf::from(p);
                if !p.is_file() {
                    return Err(Error::assets_msg(format!(
                        "SUPERMACHINE_WORKER_BIN={} does not exist or is not a file",
                        p.display()
                    )));
                }
                p
            } else {
                let source =
                    if let Some(bundled) = std::env::var_os("SUPERMACHINE_WORKER_BIN_BUNDLED") {
                        let p = PathBuf::from(bundled);
                        if !p.is_file() {
                            return Err(Error::assets_msg(format!(
                            "SUPERMACHINE_WORKER_BIN_BUNDLED={} does not exist or is not a file",
                            p.display()
                        )));
                        }
                        p
                    } else {
                        crate::codesign::locate_worker_bin().ok_or_else(|| {
                            Error::assets_msg(
                                "supermachine-worker binary not found (looked for sibling of \
                             current_exe and target/release/supermachine-worker). Set \
                             SUPERMACHINE_WORKER_BIN if you have it elsewhere."
                                    .to_owned(),
                            )
                        })?
                    };
                crate::assets::ensure_worker_in_user_dir(&source).map_err(Error::assets_msg)?
            }
        };
        #[cfg(not(target_os = "macos"))]
        let worker_bin: PathBuf = std::env::var_os("SUPERMACHINE_WORKER_BIN")
            .map(PathBuf::from)
            .ok_or_else(|| {
                Error::assets_msg("SUPERMACHINE_WORKER_BIN must be set on this platform".to_owned())
            })?;
        // HARD: verify the worker binary matches the library
        // version. The supervisor protocol evolves between
        // releases; a stale ~/.cargo/bin/supermachine-worker from
        // an older `cargo install supermachine` deadlocks
        // pipelined-bake silently otherwise. See
        // codesign::verify_worker_version for the diagnostic
        // signature and the upgrade hint we surface to the user.
        #[cfg(target_os = "macos")]
        {
            crate::codesign::verify_worker_version(&worker_bin).map_err(Error::vm_msg)?;
            // Ensure the user-dir worker carries the HVF entitlement.
            // We used to silently ignore the result here on the
            // theory that `hv_vm_create` would surface its own
            // error if signing failed. In practice that lost the
            // actual diagnostic (`HV_DENIED` is opaque; users
            // couldn't tell whether codesign failed, the
            // entitlements plist was wrong, the binary was already
            // signed but with a different entitlement, …) and the
            // autopilot's stuck-`.cstemp` recovery loop went
            // undetected for entire sessions. Surface the codesign
            // failure with its exact stderr + a recovery hint
            // instead of letting the downstream bake fail with a
            // cryptic supervisor-closed message.
            //
            // Idempotent — a successful sign caches via a per-version
            // sentinel and subsequent calls return immediately.
            //
            // Signing happens on the user-dir copy (see
            // ensure_worker_in_user_dir above), so node_modules is
            // never touched.
            if let Err(e) = crate::codesign::ensure_worker_signed(&worker_bin) {
                return Err(Error::vm_msg(format!(
                    "supermachine-worker codesign failed: {e}"
                )));
            }
        }

        // Unix socket paths are capped at 104 bytes on macOS
        // (SUN_LEN). Default to /tmp instead of $TMPDIR, which on
        // macOS resolves to /var/folders/.../T/ and burns ~50
        // characters before we even start. `/tmp/supermachine-
        // pool-<pid>-<suffix>/` leaves room for a meaningful
        // socket name underneath.
        let socks_dir = match &config.vsock_mux_dir {
            Some(d) => d.clone(),
            None => PathBuf::from(format!(
                "/tmp/supermachine-pool-{}-{:x}",
                std::process::id(),
                unique_suffix(),
            )),
        };
        std::fs::create_dir_all(&socks_dir).map_err(Error::Io)?;

        // Sweep `~/.cache/supermachine/rosetta-aot/` for AOT cache
        // orphans before the worker spawns. Two classes get evicted:
        //
        //   1. **Zero-byte `<x>.aotcache` files.** Migration cleanup
        //      for caches built with supermachine ≤ 0.7.25, before
        //      the FUSE-layer `.partial`-then-rename publish protocol
        //      (`fn create` / `fn release` in posix.rs) closed the
        //      orphan window. A 0-byte file from a pre-fix lifetime
        //      will still trigger the rosetta interpreter's
        //      `aot_hdr->segment_count <= kMaxSegments` assertion
        //      (ImageInfo.cpp:71 — pread of an empty file returns 0
        //      and stack-garbage at offset 8 is parsed as
        //      segment_count) or SIGBUS-on-mmap-past-EOF on the
        //      first amd64 exec that hashes to that build-id.
        //   2. **`.<x>.aotcache.partial` leftovers.** Crash recovery
        //      for the new publish protocol. If a prior VM was
        //      SIGKILLed or the host crashed between FUSE_CREATE and
        //      FUSE_RELEASE, the partial file is on disk and would
        //      block a fresh `O_CREAT|O_EXCL` open of the same name.
        //      posix.rs's create-time retry handles this inline, but
        //      cleaning up at acquire keeps the cache dir tidy and
        //      avoids EEXIST surprises in narrower acquire-time
        //      windows.
        //
        // Cheap: one readdir + one stat per entry, runs in <5 ms on
        // a fully populated cache. Silently no-op when the cache
        // dir doesn't exist (no `rosettad-cache` mount in this
        // image).
        if let Some(home) = std::env::var_os("HOME") {
            let cache_dir = PathBuf::from(home)
                .join(".cache")
                .join("supermachine")
                .join("rosetta-aot");
            if cache_dir.is_dir() {
                let _ = scrub_aotcache_orphans(&cache_dir);
            }
        }

        let memory_mib = config.memory_mib.unwrap_or(self.memory_mib);
        let vcpus = config.vcpus.unwrap_or(self.vcpus);
        let spawn_timeout = config
            .restore_timeout
            .unwrap_or_else(|| Duration::from_secs(30));
        // Same SUN_LEN concern: use a small token instead of the
        // full snapshot dir name. Per-pool counter would be even
        // shorter; for now an 8-char hash is enough.
        let name_prefix = "w".to_owned();
        let spawn_cfg = Arc::new(SpawnConfig {
            observed_footprint_mib: std::sync::atomic::AtomicU64::new(0),
            worker_bin,
            snapshot_path: self.snapshot_path.clone(),
            layers: self.layers.clone(),
            delta_squashfs: self.delta_squashfs.clone(),
            mounts: self.mounts.clone(),
            volumes: self.volumes.clone(),
            memory_mib,
            vcpus,
            socks_dir: socks_dir.clone(),
            name_prefix,
            spawn_timeout,
            baker_runtime_sha16: self.baker_runtime_sha16.clone(),
            balloon_target_pages: self.balloon_target_pages,
            tsi_token: self.tsi_token.clone(),
            egress_policy: self.egress_policy.clone(),
            pre_exec_sync: self.pre_exec_sync,
            restore_on_release: policy.restore_on_release,
        });
        // Spawn `min` workers in parallel up front so the pool
        // is ready to serve immediately. `max - min` more can be
        // spawned later by the auto-grow path in `acquire`.
        //
        // WARM HANDOFF: claim the bake-time worker (if any) and
        // use it as one of the initial idle entries — saves spawn
        // (~50 ms) + restore (~5 ms) for the FIRST acquire. This
        // is the per-Image atomic claim: only the first
        // PoolBuilder::build() to run on a given Image gets the
        // warm worker; concurrent / subsequent calls take None
        // and spawn fresh as today.
        //
        // If the warm worker's child has already died (e.g. user
        // kept the Image around so long the worker exited on its
        // own, or HVF returned an error), we fall through cleanly
        // to spawn-from-disk.
        let claimed_warm = self.warm_baked_worker.take().and_then(|mut bw| {
            // Liveness check — if the child reaped itself, ditch it.
            match bw.child.try_wait() {
                Ok(None) => Some(bw), // still running, claim it
                Ok(Some(_)) => None,  // exited, fall through
                Err(_) => None,       // EBADF or similar
            }
        });
        let initial = policy.min;
        let mut idle: Vec<IdleEntry> = Vec::with_capacity(initial.max(1));
        let extra_warm: usize;
        if let Some(bw) = claimed_warm {
            // 0.7.49+ COW-volume use-once flag. When the pool is
            // configured for restore_on_release AND the snapshot
            // ships pristines, the warm-handoff worker's volume
            // fds point at the user's host file (no COW). Mark it
            // use-once so the first release kills it; the
            // replenisher will then spawn a fresh COW-backed worker.
            let warm_use_once = policy.restore_on_release
                && spawn_cfg.volumes.iter().any(|(_, _, _, p)| p.is_some());
            let worker = warm_baked_to_worker(
                bw,
                spawn_cfg.memory_mib,
                !spawn_cfg.mounts.is_empty() || !spawn_cfg.volumes.is_empty(),
                spawn_cfg
                    .volumes
                    .iter()
                    .map(|(_, gp, _, _)| gp.clone())
                    .collect(),
                spawn_cfg.vcpus,
                warm_use_once,
            );
            // Even though this worker never went through a
            // RESTORE — it's the live bake worker reused — its
            // VFS caches still reflect "what the host looked
            // like during bake". If the user edited bound files
            // between Image.build and Pool.acquire, those reads
            // would return stale bytes. Drop now to force
            // re-LOOKUP on first access.
            //
            // 0.7.44+ probe-skip: same logic as `spawn_one`'s
            // restore path — drop only when the snapshot has a
            // host-backed surface (mounts or volumes). Pure-image
            // snapshots save ~5-15 ms.
            if !spawn_cfg.mounts.is_empty() || !spawn_cfg.volumes.is_empty() {
                let _ = drop_vfs_caches_via_agent(&worker.vsock_exec_path, spawn_cfg.memory_mib);
            }
            // 0.7.51+ wall-clock sync. The warm-handoff worker
            // was launched at bake time; if the snapshot has
            // sat on disk for hours/days before this pool build
            // claimed it, the in-guest CLOCK_REALTIME is just
            // as stale as on a cold restore. Same RPC fixes it.
            let _ = sync_time_via_agent(&worker.vsock_exec_path);
            idle.push(IdleEntry {
                worker,
                last_used: Instant::now(),
            });
            extra_warm = 1;
        } else {
            extra_warm = 0;
        }
        // We need `initial` idle entries total. The warm worker (if
        // claimed) covers one slot; spawn (initial - 1) fresh ones.
        // For min=0 with a warm worker, we still keep the warm one
        // around (it's effectively a free min=1).
        let to_spawn = initial.saturating_sub(extra_warm);
        if to_spawn == 1 {
            idle.push(IdleEntry {
                worker: spawn_cfg.spawn_one()?,
                last_used: Instant::now(),
            });
        } else if to_spawn > 1 {
            let mut handles = Vec::with_capacity(to_spawn);
            for _ in 0..to_spawn {
                let cfg = Arc::clone(&spawn_cfg);
                handles.push(std::thread::spawn(move || cfg.spawn_one()));
            }
            for h in handles {
                let w = h
                    .join()
                    .map_err(|_| Error::vm_msg("pool spawn thread panicked".to_owned()))??;
                idle.push(IdleEntry {
                    worker: w,
                    last_used: Instant::now(),
                });
            }
        }
        // Pool's `alive` accounting: total idle count (incl. warm
        // handoff entry).
        let initial = idle.len();
        let pool = Arc::new(HiddenPool {
            state: Arc::new(Mutex::new(PoolState {
                idle,
                alive: initial,
                waiting: 0,
                reaped: 0,
            })),
            available: Arc::new(Condvar::new()),
            dirty: Some(Arc::new(Mutex::new(VecDeque::new()))),
            dirty_pending: Some(Arc::new(Condvar::new())),
            socks_dir,
            shutting_down: Arc::new(AtomicBool::new(false)),
            spawn_cfg: Arc::clone(&spawn_cfg),
            policy,
        });
        // Spawn the housekeeping threads: replenisher (handles
        // genuine worker death + maintains `min`), restorer
        // (recycles dirty workers via RESTORE), janitor (evicts
        // idle-too-long workers above `min` to free RAM). All
        // detach naturally when the pool Arc drops via
        // `Weak::upgrade` failure.
        let wait_handles = pool.wait_handles();
        let h_replenish = {
            let h = wait_handles.clone();
            std::thread::Builder::new()
                .name("supermachine-pool-replenish".into())
                .spawn(move || replenisher_loop(h))
                .map_err(|e| Error::vm_msg(format!("spawn replenisher thread: {e}")))?
        };
        // Restorer threads only run when `restore_on_release`
        // is on. With it off, drop pushes workers straight to
        // idle and the restorer would have nothing to do.
        let mut handles = vec![h_replenish];
        if policy.restore_on_release {
            // Multi-restorer: scale the recycle thread count
            // with pool size. Each RESTORE RPC is ~3 ms in-
            // place; under bursty drop patterns a single
            // restorer becomes the serialization point and
            // shows up as a phantom delay on the *next* acquire
            // (acquire pops the idle queue, restorer's still
            // chewing through dirty, idle is empty → user
            // blocks ~3 ms × queue depth).
            //
            // Formula: ⌈max/2⌉ clamped [1, 4], capped at `max`.
            // 1 restorer for max=2, 3 for max=5, 4 for max=8+.
            let restorer_count = ((policy.max + 1) / 2).clamp(1, 4).min(policy.max.max(1));
            for _ in 0..restorer_count {
                let h = wait_handles.clone();
                let h_restore = std::thread::Builder::new()
                    .name("supermachine-pool-restore".into())
                    .spawn(move || restorer_loop(h))
                    .map_err(|e| Error::vm_msg(format!("spawn restorer thread: {e}")))?;
                handles.push(h_restore);
            }
        }
        // Janitor: only spawn if eviction is enabled. Saves a
        // sleeping thread for fixed-size pools.
        if pool.policy.idle_timeout != Duration::MAX {
            let h = wait_handles.clone();
            let h_janitor = std::thread::Builder::new()
                .name("supermachine-pool-janitor".into())
                .spawn(move || janitor_loop(h))
                .map_err(|e| Error::vm_msg(format!("spawn janitor thread: {e}")))?;
            handles.push(h_janitor);
        }
        // Detach the handles. Threads exit on their own when
        // `shutting_down` is set in `HiddenPool::drop`; we don't
        // need to join them — they hold no `Arc<HiddenPool>` and
        // don't block the user-side drop from firing.
        drop(handles);
        Ok(pool)
    }

    /// Initialise (once) the per-Image default pool used by
    /// `image.acquire()`. Lazy: subsequent calls return the
    /// same pool regardless of `config`. Distinct from
    /// `pool().build()` — that always returns a fresh pool.
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    fn ensure_default_pool(&self, config: &VmConfig) -> Result<&Arc<HiddenPool>, Error> {
        if let Some(p) = self.hidden_pool.get() {
            return Ok(p);
        }
        let pool = self.build_pool_arc(config, PoolPolicy::default())?;
        // Race-friendly: if another thread set this in parallel,
        // the new pool is dropped (and its housekeeping threads
        // exit on the dropped Arc's strong-count → 0). The
        // observable result is "either pool wins, all subsequent
        // calls see the same one".
        let _ = self.hidden_pool.set(pool);
        Ok(self
            .hidden_pool
            .get()
            .expect("hidden pool just initialized"))
    }
}

/// Bundle of clonable handles into the pool's wait state. Each
/// housekeeping thread owns one of these; no one holds a strong
/// `Arc<HiddenPool>` across a condvar wait, so user-side `Pool`
/// + `Image` drops fire immediately and the threads exit on
/// `shutting_down` after their next short timed wait.
#[derive(Clone)]
struct PoolWaitHandles {
    state: Arc<Mutex<PoolState>>,
    available: Arc<Condvar>,
    dirty: Option<Arc<Mutex<VecDeque<Worker>>>>,
    dirty_pending: Option<Arc<Condvar>>,
    shutting_down: Arc<AtomicBool>,
    spawn_cfg: Arc<SpawnConfig>,
    policy: PoolPolicy,
}

impl HiddenPool {
    fn wait_handles(&self) -> PoolWaitHandles {
        PoolWaitHandles {
            state: Arc::clone(&self.state),
            available: Arc::clone(&self.available),
            dirty: self.dirty.as_ref().map(Arc::clone),
            dirty_pending: self.dirty_pending.as_ref().map(Arc::clone),
            shutting_down: Arc::clone(&self.shutting_down),
            spawn_cfg: Arc::clone(&self.spawn_cfg),
            policy: self.policy,
        }
    }
}

/// Restorer thread: drain the dirty queue, send RESTORE on each
/// worker's supervisor control socket to reset guest state to
/// the snapshot, then push back to idle. This is the steady-
/// state recycle path — replaces the old "kill + respawn fresh"
/// loop. Saves ~10 ms per cycle (no fork+exec+dyld+restore;
/// just an in-place restore).
fn restorer_loop(h: PoolWaitHandles) {
    let (Some(dirty), Some(pending)) = (h.dirty.as_ref(), h.dirty_pending.as_ref()) else {
        return;
    };
    loop {
        if h.shutting_down.load(Ordering::SeqCst) {
            return;
        }
        // Wait for a dirty worker (or shutdown). Bounded wait so
        // we re-check shutting_down even if no notify_all arrives.
        let mut worker = {
            let mut q = match dirty.lock() {
                Ok(q) => q,
                Err(_) => return,
            };
            loop {
                if h.shutting_down.load(Ordering::SeqCst) {
                    return;
                }
                if let Some(w) = q.pop_front() {
                    break w;
                }
                q = match pending.wait_timeout(q, Duration::from_millis(100)) {
                    Ok((g, _)) => g,
                    Err(_) => return,
                };
            }
        };

        let snap_path = h.spawn_cfg.snapshot_path.clone();
        match worker.send_restore(&snap_path) {
            Ok(()) => {
                if let Ok(mut s) = h.state.lock() {
                    s.idle.push(IdleEntry {
                        worker,
                        last_used: Instant::now(),
                    });
                    h.available.notify_all();
                }
            }
            Err(_) => {
                // Restore protocol broke — kill this worker so the
                // replenisher spawns a fresh replacement.
                worker.shutdown();
                if let Ok(mut s) = h.state.lock() {
                    s.alive = s.alive.saturating_sub(1);
                }
                h.available.notify_all();
            }
        }
    }
}

/// Replenisher: maintains `alive >= min`. Spawns workers when
/// below the floor (worker died, was evicted into a regrow gap,
/// etc.). Sleeps on `available` otherwise.
fn replenisher_loop(h: PoolWaitHandles) {
    loop {
        if h.shutting_down.load(Ordering::SeqCst) {
            return;
        }
        let need_more = {
            let s = match h.state.lock() {
                Ok(s) => s,
                Err(_) => return,
            };
            s.alive < h.policy.min
        };
        if !need_more {
            let s = match h.state.lock() {
                Ok(s) => s,
                Err(_) => return,
            };
            // Bounded wait — see PoolWaitHandles docs for why.
            let _ = h.available.wait_timeout(s, Duration::from_millis(100));
            continue;
        }
        // Reserve a slot before spawning so a concurrent
        // acquire's auto-grow doesn't double-spawn.
        if let Ok(mut s) = h.state.lock() {
            if s.alive >= h.policy.min {
                continue;
            }
            s.alive += 1;
        }
        match h.spawn_cfg.spawn_one() {
            Ok(w) => {
                if let Ok(mut s) = h.state.lock() {
                    s.idle.push(IdleEntry {
                        worker: w,
                        last_used: Instant::now(),
                    });
                    h.available.notify_all();
                }
            }
            Err(_) => {
                if let Ok(mut s) = h.state.lock() {
                    s.alive = s.alive.saturating_sub(1);
                }
                std::thread::sleep(Duration::from_millis(500));
            }
        }
    }
}

/// Janitor: every `idle_timeout / 4`, walk the idle queue and
/// shut down workers above `min` that have been idle longer than
/// `idle_timeout`. Frees host RAM during quiet periods.
fn janitor_loop(h: PoolWaitHandles) {
    let timeout = h.policy.idle_timeout;
    let min = h.policy.min;
    if timeout == Duration::MAX {
        return;
    }
    // Cap each individual wait so we re-check shutting_down often
    // enough to drop within ~100 ms of pool teardown.
    let tick = (timeout / 4).max(Duration::from_millis(100));
    let wait_unit = Duration::from_millis(100).min(tick);
    loop {
        if h.shutting_down.load(Ordering::SeqCst) {
            return;
        }
        // Collect workers to evict under the lock; shut down
        // outside it so we don't hold up acquires.
        let mut to_evict: Vec<Worker> = Vec::new();
        let mut reaped_now = 0u64;
        if let Ok(mut s) = h.state.lock() {
            let now = Instant::now();
            // Watchdog reap: a worker that died WHILE IDLE (and was never
            // popped) would otherwise sit as a phantom `alive` count
            // forever — acquire's `try_wait` only catches it on pop, and
            // a low-traffic pool may never pop it. Sweep the whole idle
            // queue for dead processes and reap them, INDEPENDENT of `min`
            // (a dead worker is never useful; the replenisher backfills).
            // `try_wait` is a cheap non-blocking waitpid; the actual
            // teardown runs outside the lock below.
            let mut i = 0;
            while i < s.idle.len() {
                let dead = match s.idle[i].worker.child.try_wait() {
                    Ok(Some(_)) => true, // process exited
                    Ok(None) => false,   // alive
                    Err(_) => true,      // can't stat → treat as dead
                };
                if dead {
                    let entry = s.idle.remove(i);
                    s.alive = s.alive.saturating_sub(1);
                    s.reaped += 1;
                    reaped_now += 1;
                    to_evict.push(entry.worker);
                } else {
                    i += 1;
                }
            }
            // Walk from the front (oldest entries) and evict
            // while we're above min and the entry is stale. Stop
            // as soon as we hit a fresh one — LIFO ordering means
            // older entries pile up at the front.
            while s.alive > min && !s.idle.is_empty() {
                let oldest = &s.idle[0];
                if now.duration_since(oldest.last_used) < timeout {
                    break;
                }
                let entry = s.idle.remove(0);
                s.alive -= 1;
                to_evict.push(entry.worker);
            }
        }
        if reaped_now > 0 {
            // A freed slot means the replenisher should backfill toward
            // `min`; wake it (and any blocked acquirer) so recovery is
            // prompt rather than waiting for the next tick.
            h.available.notify_all();
            eprintln!(
                "[pool-watchdog] reaped {reaped_now} dead idle worker(s) — pool will respawn \
                 toward min"
            );
        }
        for mut w in to_evict {
            w.shutdown();
        }
        // Sleep up to `tick` total in `wait_unit` slices so we
        // observe shutting_down promptly.
        let mut remaining = tick;
        while remaining > Duration::ZERO && !h.shutting_down.load(Ordering::SeqCst) {
            let chunk = remaining.min(wait_unit);
            if let Ok(s) = h.state.lock() {
                let _ = h.available.wait_timeout(s, chunk);
            }
            remaining = remaining.saturating_sub(chunk);
        }
    }
}

/// A [`Vm`] checked out of an [`Image`]'s hidden pool. `Deref`s
/// to `Vm`, so every method on `Vm` is callable. On `Drop` the
/// VM returns to the pool — the next [`Image::acquire`] gets
/// a freshly snapshot-restored worker in ~5 ms.
///
/// Bound to the `Image`'s lifetime so the pool can't outlive
/// its owner. Acquires currently serialize on the pool's single
/// worker; concurrent acquires from one process block until the
/// previous PooledVm is dropped.
pub struct PooledVm<'a> {
    vm: Option<Vm>,
    /// Worker subprocess we checked out. On Drop, returned to
    /// the pool (which kills + replenishes). macOS/HVF only — the
    /// Linux/KVM pool runs VMs in-process (no worker subprocess).
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    worker: Option<Worker>,
    /// Keeps the pool alive for the lifetime of this PooledVm.
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    pool_arc: Arc<HiddenPool>,
    /// Linux/KVM: the pool to return to on Drop (discard the dirty VM + refill
    /// the idle queue). `None` for a poolless cold-start fallback.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pool: Option<Arc<KvmPoolInner>>,
    _image: std::marker::PhantomData<&'a Image>,
}

impl std::ops::Deref for PooledVm<'_> {
    type Target = Vm;
    fn deref(&self) -> &Vm {
        // Invariant: vm is `Some` until Drop runs.
        self.vm.as_ref().expect("PooledVm used after drop")
    }
}

impl std::ops::DerefMut for PooledVm<'_> {
    fn deref_mut(&mut self) -> &mut Vm {
        self.vm.as_mut().expect("PooledVm used after drop")
    }
}

impl PooledVm<'_> {
    /// Capture a live snapshot of this pooled VM (Linux/KVM), non-consuming, so
    /// the builder can snapshot one VM repeatedly across layers. Delegates to
    /// [`Vm::snapshot_live`].
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn snapshot(&self, dest_dir: impl Into<PathBuf>) -> Result<Image, Error> {
        self.vm
            .as_ref()
            .ok_or_else(|| Error::vm_msg("PooledVm: no vm (already dropped?)".to_owned()))?
            .snapshot_live(dest_dir)
    }

    /// Live differential snapshot against `base_path` (a full snapshot's
    /// `restore.snap`) — non-consuming. Delegates to [`Vm::snapshot_diff_live`].
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn snapshot_diff(
        &self,
        dest_dir: impl Into<PathBuf>,
        base_path: &Path,
    ) -> Result<Image, Error> {
        self.vm
            .as_ref()
            .ok_or_else(|| Error::vm_msg("PooledVm: no vm (already dropped?)".to_owned()))?
            .snapshot_diff_live(dest_dir, base_path)
    }

    /// Capture a snapshot of this VM's current state and return
    /// a new [`Image`] pointing at it. Equivalent to
    /// [`Vm::snapshot`] but works on the subprocess-pool path
    /// — the entitled worker subprocess does the HVF capture
    /// over the supervisor RPC, so the calling binary doesn't
    /// need the `com.apple.security.hypervisor` entitlement.
    ///
    /// Borrows `self` rather than consuming, so you can
    /// continue using the VM after capturing — handy for the
    /// "warm up + snapshot + keep working" pattern. The guest
    /// is paused for the duration of the capture (typically
    /// 10s of ms; bounded by disk write time for large RAM).
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    pub fn snapshot(&self, dest_dir: impl Into<PathBuf>) -> Result<Image, Error> {
        self.snapshot_with_opt_base(dest_dir, None)
    }

    /// Differential snapshot against `base_path` (another snapshot's
    /// `restore.snap`). The worker clonefiles the base + writes only the pages
    /// that changed, and (because the base is kept in memory) a *chain* of
    /// these — the in-VM builder's per-layer snapshots — each diffs against the
    /// previous in memory. `inline` so the file is on disk when this returns.
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    pub fn snapshot_diff(
        &self,
        dest_dir: impl Into<PathBuf>,
        base_path: &Path,
    ) -> Result<Image, Error> {
        self.snapshot_with_opt_base(dest_dir, Some(base_path))
    }

    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    fn snapshot_with_opt_base(
        &self,
        dest_dir: impl Into<PathBuf>,
        base_path: Option<&Path>,
    ) -> Result<Image, Error> {
        let dest_dir = dest_dir.into();
        let _span = tracing::info_span!(
            "supermachine.snapshot",
            dest_dir = %dest_dir.display(),
        )
        .entered();
        let worker = self
            .worker
            .as_ref()
            .ok_or_else(|| Error::vm_msg("PooledVm: no worker (already dropped?)".to_owned()))?;
        let vm = self
            .vm
            .as_ref()
            .ok_or_else(|| Error::vm_msg("PooledVm: no vm (already dropped?)".to_owned()))?;
        let meta = vm.image_meta.clone().ok_or_else(|| {
            Error::vm_msg(
                "PooledVm::snapshot: image metadata missing (acquire from a 0.3.8+ Image)"
                    .to_owned(),
            )
        })?;
        std::fs::create_dir_all(&dest_dir).map_err(Error::Io)?;
        let snap_path = dest_dir.join("restore.snap");
        // Multi-vCPU: park secondaries via smpark.ko before the
        // capture rendezvous. The agent ioctls /dev/smpark, which
        // broadcasts an IPI to all secondaries; each one drains
        // local LRs, masks IRQs, and spins in WFI. The captured
        // per-vCPU state is then byte-identical-trivial across
        // secondaries — HVF can round-trip THAT, fixing the
        // "restored guest RCU-stalls / NULL-derefs in interrupt
        // context" failure class. Best-effort: if smpark.ko isn't
        // loaded (older snapshots, single-vCPU bake), the agent
        // returns ok=false and we fall through to the existing
        // rendezvous-only capture path.
        let parked = if meta.vcpus > 1 {
            worker.send_smpark_park()?
        } else {
            false
        };
        // The diff-via-clone path with `last_restore_path` as
        // base would in principle win 200+ ms here, but the
        // runner needs base in memory and lazy-loading from
        // disk costs ~700 ms on first call. Without warm-cache
        // hits across pool cycles, that's net-negative for
        // single-shot snapshots. We use the plain streaming
        // save (parallel sparse pwrite, ~290 ms on 2 GiB).
        //
        // SUPERMACHINE_DIFF_CYCLE_SNAPSHOT was a pre-0.7.38
        // opt-in to the diff path; no production caller used it
        // and the diff path requires base-in-memory which the
        // pool's cycle-snapshot flow doesn't guarantee. Deleted.
        let snap_result = match base_path {
            Some(base) => worker.send_snapshot_with_base(&snap_path, base, true),
            None => worker.send_snapshot(&snap_path),
        };
        // Always unpark, even on snapshot failure — otherwise
        // secondaries stay stuck in WFI and the next acquire of
        // this VM is a brick. Best-effort: if park failed in the
        // first place, unpark is also a no-op.
        if parked {
            let _ = worker.send_smpark_unpark()?;
        }
        let _stats = snap_result?;
        let metadata = serde_json::json!({
            "memory_mib": meta.memory_mib,
            "vcpus": meta.vcpus,
            "layers": meta
                .layers
                .iter()
                .map(|p| p.to_string_lossy().to_string())
                .collect::<Vec<_>>(),
            "delta_squashfs": meta
                .delta_squashfs
                .as_ref()
                .map(|p| p.to_string_lossy().to_string()),
            "snapshot_base": snap_path.to_string_lossy().to_string(),
            "baked_at": chrono_rfc3339_now(),
            "source": "PooledVm::snapshot",
        });
        std::fs::write(
            dest_dir.join("metadata.json"),
            serde_json::to_string_pretty(&metadata)
                .map_err(|e| Error::vm_msg(format!("metadata serialize: {e}")))?,
        )
        .map_err(Error::Io)?;
        Image::from_snapshot(&dest_dir)
    }
}

impl Drop for PooledVm<'_> {
    fn drop(&mut self) {
        // macOS: the inner Vm's Drop is a no-op (skip_cleanup=true; the worker
        // owns the sockets). Hand the worker back to the pool, which kills it
        // (snapshot state may be dirty) and replenishes to target N.
        #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
        {
            let _ = self.vm.take();
            if let Some(worker) = self.worker.take() {
                self.pool_arc.release(worker);
            }
        }
        // Linux/KVM.
        #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
        if let Some(pool) = self.pool.take() {
            let Some(vm) = self.vm.take() else {
                return;
            };
            // Keep the VM warm (return ALIVE to idle for reuse) only up to the
            // `min` always-warm floor; beyond min, tear it down + free its slot.
            // This bounds idle at min when load subsides (so `min=0` drains to
            // zero — no leak, no janitor needed) while a `min=N` pool keeps N
            // VMs hot for full warm reuse. Concurrent releases may transiently
            // settle idle a little above min, still bounded by `max` — benign,
            // and those extras are warm-reusable.
            let warm_slot = {
                let idle = pool.idle.lock().unwrap_or_else(|e| e.into_inner());
                idle.len() < pool.min
            };
            if !warm_slot {
                // Above the warm floor: stop the VM (inner Vm Drop) + free slot.
                drop(vm);
                pool.admission.release();
                return;
            }
            // Within the warm floor: return the VM ALIVE to idle for reuse,
            // keeping its admission slot (it IS the replenishment, so no refill).
            //   - restore_on_release=true (default): in-place reset to the
            //     snapshot baseline FIRST (RAM + CPU + intc/clock + serial +
            //     device state) for clean per-cycle isolation — far cheaper than
            //     teardown + fresh restore since the KVM VM/vCPUs/threads/RAM all
            //     persist. On reset failure, tear down (never reuse a half-reset
            //     VM). Mirrors HVF's restore_on_release(true) in-place RESTORE.
            //   - restore_on_release=false (opt-in): reuse as-is — fastest, but
            //     the guest carries state across cycles (trusted/idempotent only).
            if pool.restore_on_release {
                if let Err(e) = vm.reset_to_snapshot() {
                    eprintln!(
                        "supermachine: KVM in-place reset failed ({e}); \
                         tearing down this VM instead of reusing it"
                    );
                    drop(vm);
                    pool.admission.release();
                    // We lost a within-floor warm VM; background-restore a fresh
                    // one to keep the idle set at `min`.
                    pool.refill_async();
                    return;
                }
            }
            pool.idle.lock().unwrap_or_else(|e| e.into_inner()).push(vm);
            pool.admission.notify(); // wake an acquirer blocked at the cap
        } else {
            // Poolless cold-start fallback: just stop the VM.
            let _ = self.vm.take();
        }
    }
}

/// Configurable bake of an OCI image. Built via [`Image::builder`];
/// terminate with [`OciImageBuilder::build`] to produce an
/// [`Image`].
/// Builder for an explicitly configured worker pool. Started
/// with [`Image::pool`]; terminated with [`PoolBuilder::build`].
///
/// Defaults: `min=0`, `max=64`, `idle_timeout=60s`,
/// `acquire_timeout=60s` — i.e. lazy spawn, auto-evict, fail-
/// noisily on saturation. Override any of these with the
/// chainable setters below.
pub struct PoolBuilder<'a> {
    image: &'a Image,
    policy: PoolPolicy,
    /// Runtime overrides applied at pool-build time. Memory / vCPU
    /// changes here don't re-bake the snapshot — they override what
    /// the worker subprocess advertises to HVF at restore. Lazily
    /// committed (CoW page-fault), so a larger memory_mib than
    /// what was baked just raises the guest-visible ceiling without
    /// committing host pages.
    vm_config: VmConfig,
}

impl PoolBuilder<'_> {
    /// Always-warm baseline. The pool keeps at least this many
    /// workers alive — even if everyone drops their `PooledVm`,
    /// the next `acquire` finds these waiting in idle. Default 0
    /// (lazy-spawn on first acquire).
    pub fn min(mut self, n: usize) -> Self {
        self.policy.min = n;
        self
    }

    /// Hard concurrency cap. `acquire` blocks (with timeout) when
    /// `max` peers are checked out simultaneously. Default 64;
    /// raise for large multi-tenant fleets. Pass `usize::MAX` for
    /// effectively unbounded.
    pub fn max(mut self, n: usize) -> Self {
        self.policy.max = n.max(1);
        self
    }

    /// Idle workers above `min` that have been unused for longer
    /// than this get killed by the janitor — frees host RAM
    /// during quiet periods. Default 60 s. Pass `Duration::MAX`
    /// to disable eviction (fixed-size pool with no churn).
    pub fn idle_timeout(mut self, d: Duration) -> Self {
        self.policy.idle_timeout = d;
        self
    }

    /// Caller's `acquire` blocks at most this long when the pool
    /// is at `max` and no worker is idle. After that the call
    /// returns [`Error::PoolExhausted`]. Default 60 s. Pass `None`
    /// (via this method's twin if added) to block forever; pass
    /// `Duration::ZERO` to fail-fast.
    pub fn acquire_timeout(mut self, d: Duration) -> Self {
        self.policy.acquire_timeout = Some(d);
        self
    }

    /// Disable the acquire timeout — `acquire` blocks forever
    /// when at `max`. Useful for batch workloads where you'd
    /// rather wait than fail. Equivalent to passing `None`
    /// internally.
    pub fn no_acquire_timeout(mut self) -> Self {
        self.policy.acquire_timeout = None;
        self
    }

    /// Skip the per-cycle snapshot RESTORE on `PooledVm::drop`.
    /// Workers go straight back to the idle queue carrying
    /// whatever guest state the previous user left.
    ///
    /// Default `true`: every acquire starts from a clean
    /// snapshot-state guest. Pay ~3 ms restore per cycle (off
    /// the user's critical path with a buddy slot).
    ///
    /// `false`: opt into "warm worker reuse" — guest page cache
    /// stays warm across cycles. For workloads that re-read the
    /// same files every invocation (rustc + sysroot, python +
    /// stdlib, node + node_modules), this is a 3-6× speedup
    /// because the second compile/import doesn't re-fault
    /// pages from the squashfs layer.
    ///
    /// Safe when the workload always overwrites its own outputs
    /// (e.g. `rustc -o /tmp/m && /tmp/m` overwrites both source
    /// and binary on every cycle). Unsafe if the workload trusts
    /// `/tmp` to be clean or accumulates files unboundedly —
    /// the guest's RAM+fs accumulates state forever in this mode,
    /// so pair with periodic pool rebuild for long runs.
    pub fn restore_on_release(mut self, on: bool) -> Self {
        self.policy.restore_on_release = on;
        self
    }

    /// Per-acquire restore timeout. Forwarded to the inner
    /// [`VmConfig::with_restore_timeout`] used to spawn pool
    /// workers. Default 30 s (set at spawn time inside the pool).
    /// Bump for slow disks or large RAM snapshots; restore time
    /// scales roughly linearly with snapshot size.
    pub fn with_restore_timeout(mut self, timeout: Duration) -> Self {
        self.vm_config = std::mem::take(&mut self.vm_config).with_restore_timeout(timeout);
        self
    }

    /// Override the baked image's memory ceiling for this pool's
    /// workers. Pure runtime override — doesn't re-bake the
    /// snapshot. Pages are lazy-committed (CoW page-fault), so
    /// raising the ceiling beyond what was baked doesn't increase
    /// host commit unless the guest actually writes to the new
    /// pages.
    pub fn with_memory_mib(mut self, mib: u32) -> Self {
        self.vm_config = std::mem::take(&mut self.vm_config).with_memory_mib(mib);
        self
    }

    /// Override the baked image's vCPU count for this pool's
    /// workers. Pure runtime override.
    pub fn with_vcpus(mut self, vcpus: u32) -> Self {
        self.vm_config = std::mem::take(&mut self.vm_config).with_vcpus(vcpus);
        self
    }

    /// Build the pool against this image's snapshot. Spawns
    /// the initial `min` workers in parallel, starts the
    /// housekeeping threads (replenisher / restorer / janitor),
    /// returns a [`Pool`] handle.
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    pub fn build(self) -> Result<Pool, Error> {
        let image = self.image;
        // Normalize: min must not exceed max — otherwise the
        // pre-spawn loop in build_hidden_pool would create more
        // workers than the auto-grow ceiling allows, and the
        // `alive ≤ max` invariant breaks.
        let mut policy = self.policy;
        if policy.min > policy.max {
            policy.min = policy.max;
        }
        let arc = image.build_pool_arc(&self.vm_config, policy)?;
        // Try to install this pool as the per-Image default so
        // subsequent `image.acquire()` / `image.acquire_with()`
        // calls go through the same configured pool. If the
        // OnceLock is already set (the user called acquire()
        // before pool().build()), we error rather than silently
        // returning a config-less default — that's the bug the
        // 0.4.1 docs accidentally created.
        match image.hidden_pool.set(Arc::clone(&arc)) {
            Ok(()) => Ok(Pool { inner: arc }),
            Err(_) => Err(Error::vm_msg(
                "this Image already has a Pool — pool() can only be called \
                 once per Image handle.\n\n\
                 To run two independent pools off the same snapshot, load the \
                 Image twice via Image.fromSnapshot:\n\n  \
                 const a = await Image.fromSnapshot(snapshotPath);\n  \
                 const b = await Image.fromSnapshot(snapshotPath);\n  \
                 const poolA = await a.pool(...);\n  \
                 const poolB = await b.pool(...);\n\n\
                 If you called image.acquire() before image.pool(), the \
                 Image has been bound to a default pool whose policy can't \
                 be changed in place — either reorder the calls or use \
                 fromSnapshot() to get a fresh handle."
                    .to_owned(),
            )),
        }
    }

    /// Build the pool (Linux/KVM). Warms the source image into a snapshot once
    /// (boot → agent-ready → capture), so every [`Pool::acquire`] is a CoW
    /// snapshot restore (~ms) instead of a cold boot (~1 s). If the image is
    /// already snapshot-backed it's used as-is.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn build(self) -> Result<Pool, Error> {
        // Parity with macOS: if the image is already bound to a default pool
        // (the user called image.acquire() before pool().build()), error rather
        // than silently returning a second, unrelated pool whose policy the
        // default-acquire path ignores.
        if self.image.kvm_pool.get().is_some() {
            return Err(Error::vm_msg(
                "this Image already has a default Pool — image.acquire() was \
                 called before pool().build(), binding a default pool whose \
                 policy can't be changed in place. Reorder so pool().build() \
                 runs first, or load a fresh handle via Image::from_snapshot."
                    .to_owned(),
            ));
        }
        let warm = warm_snapshot_for_pool(self.image, &self.vm_config)?;
        // min must not exceed max, or the pre-warm loop would over-spawn beyond
        // the admission cap.
        let min = self.policy.min.min(self.policy.max.max(1));
        let inner = Arc::new(KvmPoolInner {
            image: warm,
            vm_config: self.vm_config,
            min,
            idle: std::sync::Mutex::new(Vec::new()),
            admission: Admission::new(self.policy.max, self.policy.acquire_timeout),
            restore_on_release: self.policy.restore_on_release,
            refilling: std::sync::atomic::AtomicBool::new(false),
            shut_down: std::sync::atomic::AtomicBool::new(false),
        });
        // Eager pre-warm to `min` idle VMs SYNCHRONOUSLY, so the returned pool's
        // stats() immediately reflect the configured baseline (no-op when
        // min == 0 — lazy pools stay lazy).
        inner.prewarm_to_min();
        Ok(Pool { kvm: inner })
    }
}

/// Prepare KVM data volumes: for each [`VolumeSpec`], ensure the host backing
/// file exists (created sparse to `size_bytes` and formatted ext4 on first use,
/// reused otherwise so data persists), and return the per-volume attach specs
/// for [`crate::kvm::run::LinuxVmConfig`]. Formatting is done host-side with
/// `mke2fs` (ubiquitous on Linux hosts) so the guest init only has to mount.
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn prepare_kvm_volumes(
    specs: &[crate::vmm::resources::VolumeSpec],
) -> Result<Vec<crate::kvm::run::VolumeAttach>, Error> {
    let mut out = Vec::with_capacity(specs.len());
    for spec in specs {
        let path = std::path::Path::new(&spec.host_path);
        let fresh = !path.exists();
        if fresh {
            if let Some(parent) = path.parent() {
                std::fs::create_dir_all(parent).map_err(Error::Io)?;
            }
            // Sparse-allocate the backing file to the requested size.
            let f = std::fs::File::create(path).map_err(Error::Io)?;
            f.set_len(spec.size_bytes).map_err(Error::Io)?;
            drop(f);
            // Format ext4 (quiet, force on a regular file, lazy init for speed).
            let status = std::process::Command::new("mke2fs")
                .args(["-t", "ext4", "-F", "-q", "-E", "lazy_itable_init=1"])
                .arg(path)
                .status();
            match status {
                Ok(s) if s.success() => {}
                Ok(s) => {
                    let _ = std::fs::remove_file(path);
                    return Err(Error::vm_msg(format!(
                        "mke2fs on volume {} exited with {s} (install e2fsprogs)",
                        spec.host_path
                    )));
                }
                Err(e) => {
                    let _ = std::fs::remove_file(path);
                    return Err(Error::vm_msg(format!(
                        "failed to run mke2fs for volume {}: {e} (install e2fsprogs)",
                        spec.host_path
                    )));
                }
            }
        }
        out.push(crate::kvm::run::VolumeAttach {
            path: spec.host_path.clone(),
            size: spec.size_bytes,
            mount: spec.guest_path.clone(),
        });
    }
    Ok(out)
}

/// Persist the OciImageBuilder's data volumes into a baked KVM snapshot's
/// `metadata.json` (the `volumes: [{host_file, guest_path, size_bytes}]` array
/// that [`Image::from_snapshot`] parses into `Image::volumes`). On every start,
/// `Vm::start` merges these baked volumes into `prepare_kvm_volumes` — parity
/// with the HVF backend's bake-time `with_volume`.
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn persist_kvm_builder_volumes(
    snap_dir: &Path,
    volumes: &[(PathBuf, String, u64)],
) -> Result<(), Error> {
    let meta_path = snap_dir.join("metadata.json");
    let text = std::fs::read_to_string(&meta_path).map_err(Error::Io)?;
    let mut meta: serde_json::Value = serde_json::from_str(&text)
        .map_err(|e| Error::vm_msg(format!("parse {}: {e}", meta_path.display())))?;
    let arr: Vec<serde_json::Value> = volumes
        .iter()
        .map(|(host, guest, size)| {
            serde_json::json!({
                "host_file": host.to_string_lossy(),
                "guest_path": guest,
                "size_bytes": size,
            })
        })
        .collect();
    if let Some(obj) = meta.as_object_mut() {
        obj.insert("volumes".into(), serde_json::json!(arr));
    }
    std::fs::write(
        &meta_path,
        serde_json::to_string_pretty(&meta)
            .map_err(|e| Error::vm_msg(format!("serialize metadata: {e}")))?,
    )
    .map_err(Error::Io)?;
    Ok(())
}

/// Write a `"backend":"kvm"` metadata.json next to a captured snapshot so
/// [`Image::from_snapshot`] can load it. `snap_rel` is the snapshot filename
/// RELATIVE to `dest_dir` (resolved dir-relative on load, so a cloned dir stays
/// loadable). `base` set → a differential snapshot (records the base ref).
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn write_kvm_snapshot_metadata(
    dest_dir: &Path,
    snap_rel: &str,
    base: Option<&Path>,
    mem_size: usize,
    num_cpus: u8,
) -> Result<(), Error> {
    let mut meta = serde_json::json!({
        "backend": "kvm",
        "kvm_snapshot": snap_rel,
        "memory_mib": (mem_size >> 20) as u32,
        "vcpus": num_cpus as u32,
        "baked_at": chrono_rfc3339_now(),
        "source": "Vm::snapshot_live",
    });
    if let Some(b) = base {
        meta["kvm_snapshot_base"] = serde_json::json!(b.to_string_lossy());
        meta["source"] = serde_json::json!("Vm::snapshot_diff_live");
    }
    std::fs::write(
        dest_dir.join("metadata.json"),
        serde_json::to_string_pretty(&meta)
            .map_err(|e| Error::vm_msg(format!("metadata serialize: {e}")))?,
    )
    .map_err(Error::Io)?;
    Ok(())
}

/// Warm an image into a snapshot-backed [`Image`] for the pool's fast restore
/// path (Linux/KVM). A snapshot-backed image is returned unchanged; a cold-boot
/// image is booted once, the agent comes up, then it is captured to a PERSISTENT
/// warm snapshot in the shared snapshots dir, keyed by (cold-image family,
/// memory, vcpus, worker-binary identity). Restoring from the result is a CoW
/// mmap (~ms).
///
/// Persistence is the macOS warm-snapshot model brought to KVM: the warm
/// snapshot is reused across PROCESSES (a second pool/process for the same image
/// skips boot + the 3.5 s warmup entirely — a `cache hit`), and co-located warm
/// snapshots are memory-deduped against a shared golden base so concurrent VMs
/// of different images share the golden's RAM page cache (see
/// `dedup_warm_against_golden` + `docs/design/linux-memory-dedup-2026-06-08.md`).
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn warm_snapshot_for_pool(image: &Image, config: &VmConfig) -> Result<Image, Error> {
    // Already snapshot-backed (e.g. produced by Vm::snapshot): nothing to do.
    if image
        .kvm
        .as_ref()
        .and_then(|k| k.snapshot.as_ref())
        .is_some()
    {
        return Ok(image.clone());
    }
    let trace = crate::trace::enabled("pool");

    // Effective resources the VM will boot with (config overrides image
    // defaults) — part of the cache key so a 512m/1v warm is never reused for a
    // 1g/4v request.
    let mem = config.memory_mib.unwrap_or(image.memory_mib);
    let vcpus = config.vcpus.unwrap_or(image.vcpus);

    let snapshots_dir = default_snapshots_dir();
    let family = warm_family_key(image);
    // Worker-binary fingerprint: a rebuilt/reinstalled worker (new SHA) yields a
    // new key, so a stale warm snapshot baked by an incompatible worker is never
    // reused — it just re-warms under the new key.
    let worker_fp = warm_worker_fingerprint();
    let warm_name = format!("{family}__kvmwarm__{mem}m{vcpus}v__{worker_fp}");
    let warm_dir = snapshots_dir.join(&warm_name);

    // Fast path: a valid cached warm snapshot exists → reuse (CoW restore, ~ms;
    // no boot, no warmup).
    if let Ok(img) = Image::from_snapshot(&warm_dir) {
        if trace {
            eprintln!("[warm-pool] cache hit: {}", warm_dir.display());
        }
        return Ok(img);
    }

    // Serialize same-key warmers (across processes) so we boot+warm exactly once.
    let _lock = WarmDirLock::acquire(&snapshots_dir, &warm_name);
    // Re-check under the lock — another process may have just produced it.
    if let Ok(img) = Image::from_snapshot(&warm_dir) {
        if trace {
            eprintln!("[warm-pool] cache hit (post-lock): {}", warm_dir.display());
        }
        return Ok(img);
    }

    // Cold warm: boot once and let the in-VM agent come up (it binds AF_VSOCK
    // 1028 within ~1-2s of boot). A fixed warm-up window (rather than polling
    // exec) avoids connecting to the muxer before the agent accepts. The
    // snapshot captures the agent-ready state, so restores land exec-ready.
    if trace {
        eprintln!(
            "[warm-pool] cold warm: boot + warmup -> {}",
            warm_dir.display()
        );
    }
    let vm = Vm::start(image, config)?;
    std::thread::sleep(std::time::Duration::from_millis(3500));

    // Capture into a sibling `.partial` dir, finalize metadata + dedup, then
    // atomically rename into place so a concurrent reader never sees a
    // half-written warm dir.
    let partial = snapshots_dir.join(format!("{warm_name}.partial.{}", std::process::id()));
    let _ = std::fs::remove_dir_all(&partial);
    // Consumes the boot VM (capture quiesces + tears down its vCPUs).
    let _ = vm.snapshot(&partial)?;
    finalize_warm_snapshot_metadata(&partial, &family, mem, &worker_fp)?;
    // Cross-family memory dedup vs a shared golden (best-effort; on any failure
    // the warm snapshot stays a full, still-correct snapshot).
    dedup_warm_against_golden(&snapshots_dir, &partial, mem, vcpus, &worker_fp, trace);

    // Atomic publish. If the target appeared meanwhile (a racing process), keep
    // theirs and drop ours.
    match std::fs::rename(&partial, &warm_dir) {
        Ok(()) => {}
        Err(_) if warm_dir.is_dir() => {
            let _ = std::fs::remove_dir_all(&partial);
        }
        Err(e) => {
            let _ = std::fs::remove_dir_all(&partial);
            return Err(Error::Io(e));
        }
    }
    // Best-effort GC of warm artifacts left by a previous worker binary (now
    // unreachable — the cache key only matches the current worker fingerprint).
    prune_stale_warm_artifacts(&snapshots_dir, &worker_fp);
    Image::from_snapshot(&warm_dir)
}

/// Garbage-collect persistent warm artifacts keyed by a DIFFERENT worker
/// fingerprint than `current_fp`. A rebuilt/reinstalled worker shifts the cache
/// key, so prior `<family>__kvmwarm__…__<old-fp>` dirs and their
/// `.kvmgolden/…__<old-fp>.snap` bases are never reused again — pure garbage.
/// We only touch STALE-fp artifacts (never the current fleet), and only past a
/// grace window, so a concurrent old-binary process mid-warm isn't disturbed
/// (and on Linux an unlinked file an old process still has `mmap`'d survives
/// until unmap anyway). Best-effort; all errors ignored.
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn prune_stale_warm_artifacts(snapshots_dir: &Path, current_fp: &str) {
    let grace = std::time::Duration::from_secs(60);
    let now = std::time::SystemTime::now();
    let old_enough = |p: &Path| -> bool {
        std::fs::metadata(p)
            .and_then(|m| m.modified())
            .map(|mt| now.duration_since(mt).map(|d| d >= grace).unwrap_or(false))
            .unwrap_or(false)
    };
    // The worker fingerprint is the final `__`-separated segment of the name.

    // 1. Stale warm family dirs.
    if let Ok(rd) = std::fs::read_dir(snapshots_dir) {
        for entry in rd.flatten() {
            let p = entry.path();
            let Some(name) = p.file_name().and_then(|s| s.to_str()) else {
                continue;
            };
            if name.contains("__kvmwarm__")
                && name.rsplit("__").next() != Some(current_fp)
                && p.is_dir()
                && old_enough(&p)
            {
                let _ = std::fs::remove_dir_all(&p);
            }
        }
    }
    // 2. Stale goldens (their only referrers were the stale warm dirs above).
    let golden_dir = snapshots_dir.join(".kvmgolden");
    if let Ok(rd) = std::fs::read_dir(&golden_dir) {
        for entry in rd.flatten() {
            let p = entry.path();
            if p.extension().and_then(|s| s.to_str()) != Some("snap") {
                continue;
            }
            let stale = p
                .file_stem()
                .and_then(|s| s.to_str())
                .and_then(|s| s.rsplit("__").next())
                .map(|fp| fp != current_fp)
                .unwrap_or(false);
            if stale && old_enough(&p) {
                let _ = std::fs::remove_file(&p);
            }
        }
    }
}

#[cfg(all(test, target_os = "linux", target_arch = "x86_64"))]
mod warm_gc_tests {
    use super::*;

    fn set_mtime_secs_ago(p: &Path, secs_ago: i64) {
        let now = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .unwrap()
            .as_secs() as i64;
        let tv = libc::timeval {
            tv_sec: now - secs_ago,
            tv_usec: 0,
        };
        let times = [tv, tv];
        let c = std::ffi::CString::new(p.to_str().unwrap()).unwrap();
        unsafe {
            libc::utimes(c.as_ptr(), times.as_ptr());
        }
    }

    #[test]
    fn prune_removes_stale_fp_keeps_current_and_fresh() {
        let root = std::env::temp_dir().join(format!("sm-gc-test-{}", std::process::id()));
        let _ = std::fs::remove_dir_all(&root);
        let golden_dir = root.join(".kvmgolden");
        std::fs::create_dir_all(&golden_dir).unwrap();

        let cur = "aaaa11112222";
        let old = "bbbb33334444";

        // Warm dirs: current-fp (keep), stale-fp old (remove), stale-fp fresh (keep — grace).
        let warm_cur = root.join(format!("nginx__kvmwarm__512m1v__{cur}"));
        let warm_old = root.join(format!("nginx__kvmwarm__512m1v__{old}"));
        let warm_old_fresh = root.join(format!("alpine__kvmwarm__512m1v__{old}"));
        for d in [&warm_cur, &warm_old, &warm_old_fresh] {
            std::fs::create_dir_all(d).unwrap();
            std::fs::write(d.join("vm.snap"), b"x").unwrap();
        }
        // Goldens: current-fp (keep), stale-fp old (remove).
        let gold_cur = golden_dir.join(format!("512m1v__{cur}.snap"));
        let gold_old = golden_dir.join(format!("512m1v__{old}.snap"));
        std::fs::write(&gold_cur, b"x").unwrap();
        std::fs::write(&gold_old, b"x").unwrap();

        // Age everything past the grace window EXCEPT warm_old_fresh + its inode.
        for p in [&warm_cur, &warm_old, &gold_cur, &gold_old] {
            set_mtime_secs_ago(p, 120);
        }
        set_mtime_secs_ago(&warm_old_fresh, 1);

        prune_stale_warm_artifacts(&root, cur);

        assert!(warm_cur.is_dir(), "current-fp warm dir must be kept");
        assert!(
            !warm_old.exists(),
            "stale-fp warm dir (aged) must be pruned"
        );
        assert!(
            warm_old_fresh.is_dir(),
            "stale-fp warm dir within grace must be kept"
        );
        assert!(gold_cur.exists(), "current-fp golden must be kept");
        assert!(!gold_old.exists(), "stale-fp golden (aged) must be pruned");

        let _ = std::fs::remove_dir_all(&root);
    }
}

/// Stable per-cold-image-family key for a warm snapshot dir name: the cold
/// snapshot DIR's name (sanitized to path-safe chars), falling back to a hash of
/// the full path. Note `snapshot_path` for a cold KVM image loaded from a dir is
/// `<dir>/restore.snap`, so we key on the PARENT dir name (the family), not the
/// file name (which is the constant `restore.snap` for every cold image).
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn warm_family_key(image: &Image) -> String {
    let dir = image.snapshot_path.parent().unwrap_or(&image.snapshot_path);
    let raw = dir.file_name().and_then(|s| s.to_str()).unwrap_or("");
    let sanitized: String = raw
        .chars()
        .map(|c| {
            if c.is_ascii_alphanumeric() || c == '-' || c == '_' || c == '.' {
                c
            } else {
                '_'
            }
        })
        .collect();
    if sanitized.is_empty() || sanitized == "." || sanitized == ".." {
        // Hash the full path so distinct images never collide.
        use std::hash::{Hash, Hasher};
        let mut h = std::collections::hash_map::DefaultHasher::new();
        image.snapshot_path.hash(&mut h);
        format!("img-{:016x}", h.finish())
    } else {
        sanitized
    }
}

/// 12-hex-prefix fingerprint of the host's `supermachine-worker` binary, or
/// `"noworker"` if it can't be resolved/hashed. Folds the worker identity into
/// the warm-snapshot cache key so a rebuilt worker invalidates stale warms.
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn warm_worker_fingerprint() -> String {
    std::env::var_os("SUPERMACHINE_WORKER_BIN")
        .map(PathBuf::from)
        .and_then(|p| current_worker_sha16(&p))
        .map(|sha| sha.chars().take(12).collect::<String>())
        .unwrap_or_else(|| "noworker".to_owned())
}

/// Rewrite a freshly-captured warm snapshot's `metadata.json` so it survives the
/// atomic dir rename and carries the fields the golden-base dedup matches on:
/// a dir-RELATIVE `kvm_snapshot` (`vm.snap`, resolved against the dir on load),
/// plus `image` (family) + `baked_by_version`. Preserves all other fields.
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn finalize_warm_snapshot_metadata(
    partial: &Path,
    family: &str,
    mem: u32,
    worker_fp: &str,
) -> Result<(), Error> {
    let meta_path = partial.join("metadata.json");
    let text = std::fs::read_to_string(&meta_path).map_err(Error::Io)?;
    let mut meta: serde_json::Value =
        serde_json::from_str(&text).map_err(|e| Error::vm_msg(format!("warm metadata: {e}")))?;
    let obj = meta
        .as_object_mut()
        .ok_or_else(|| Error::vm_msg("warm metadata is not an object".to_owned()))?;
    obj.insert("kvm_snapshot".into(), serde_json::json!("vm.snap"));
    obj.insert("image".into(), serde_json::json!(family));
    obj.insert("memory_mib".into(), serde_json::json!(mem));
    obj.insert(
        "baked_by_version".into(),
        serde_json::json!(env!("CARGO_PKG_VERSION")),
    );
    obj.insert("warm_worker_fp".into(), serde_json::json!(worker_fp));
    obj.insert("source".into(), serde_json::json!("warm_snapshot_for_pool"));
    std::fs::write(
        &meta_path,
        serde_json::to_string_pretty(&meta)
            .map_err(|e| Error::vm_msg(format!("warm metadata serialize: {e}")))?,
    )
    .map_err(Error::Io)?;
    Ok(())
}

/// Cross-image memory dedup against a shared golden base (best-effort).
///
/// Maintains ONE golden full snapshot per `(mem, vcpus, worker_fp)` under
/// `<snapshots_dir>/.kvmgolden/`. The first warm of a given key promotes its own
/// full as the golden (hardlinked — instant, same inode); every warm (including
/// that first one) is then rewritten as a diff against the golden. On restore
/// the golden is `mmap`'d copy-on-write and SHARED across every VM on it, so N
/// concurrent VMs of different images cost ~golden-once + per-VM diff (~14% of a
/// full) instead of N full guests. Same-offset diffing captures ~86% sharing
/// (mostly the ~88% zero pages, which align across images); KSM mops up the
/// rest at runtime.
///
/// Any failure leaves the warm snapshot a full (still correct) snapshot.
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
fn dedup_warm_against_golden(
    snapshots_dir: &Path,
    partial: &Path,
    mem: u32,
    vcpus: u32,
    worker_fp: &str,
    trace: bool,
) {
    if std::env::var("SUPERMACHINE_AUTO_DEDUP").as_deref() == Ok("0") {
        return;
    }
    let warm_snap = partial.join("vm.snap");
    let golden_dir = snapshots_dir.join(".kvmgolden");
    if std::fs::create_dir_all(&golden_dir).is_err() {
        return;
    }
    let golden = golden_dir.join(format!("{mem}m{vcpus}v__{worker_fp}.snap"));

    // Serialize golden creation across processes.
    let _lock = WarmDirLock::acquire(&golden_dir, &format!("{mem}m{vcpus}v__{worker_fp}"));

    if !golden.exists() {
        // Promote this full as the shared golden. Hardlink (instant, same
        // inode) so rewriting `warm_snap` below replaces only the warm dir's
        // entry — the golden keeps the original full bytes. Fall back to copy
        // across filesystems.
        if std::fs::hard_link(&warm_snap, &golden).is_err() {
            let tmp = golden.with_extension("snap.tmp");
            if std::fs::copy(&warm_snap, &tmp).is_err() || std::fs::rename(&tmp, &golden).is_err() {
                let _ = std::fs::remove_file(&tmp);
                return;
            }
        }
    }

    match crate::kvm::run::rewrite_full_as_diff(&warm_snap, &golden) {
        Ok(diff_size) => {
            // Record the base so future fleet hygiene knows the dependency.
            let meta_path = partial.join("metadata.json");
            if let Ok(text) = std::fs::read_to_string(&meta_path) {
                if let Ok(mut meta) = serde_json::from_str::<serde_json::Value>(&text) {
                    if let Some(obj) = meta.as_object_mut() {
                        obj.insert(
                            "kvm_snapshot_base".into(),
                            serde_json::json!(golden.to_string_lossy()),
                        );
                        if let Ok(s) = serde_json::to_string_pretty(&meta) {
                            let _ = std::fs::write(&meta_path, s);
                        }
                    }
                }
            }
            if trace {
                eprintln!(
                    "[warm-pool] deduped vs golden {}: diff {:.1} MiB",
                    golden.display(),
                    diff_size as f64 / 1048576.0
                );
            }
        }
        Err(e) => {
            if trace {
                eprintln!("[warm-pool] dedup skipped ({e}); warm snapshot kept full");
            }
        }
    }
}

/// Cross-process advisory lock for a warm/golden snapshot key. A sibling lock
/// file (`<dir>/.<name>.warmlock`) under `flock(LOCK_EX)`; released when the
/// guard drops (the OS also reclaims it on process death). Best-effort: if the
/// lock can't be taken we proceed unlocked (the atomic rename + exists-checks
/// keep correctness; we just risk a redundant warm).
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
struct WarmDirLock {
    _file: Option<std::fs::File>,
}

#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
impl WarmDirLock {
    fn acquire(dir: &Path, name: &str) -> Self {
        use std::os::fd::AsRawFd;
        if std::fs::create_dir_all(dir).is_err() {
            return Self { _file: None };
        }
        let lock_path = dir.join(format!(".{name}.warmlock"));
        let Ok(file) = std::fs::OpenOptions::new()
            .create(true)
            .read(true)
            .write(true)
            .truncate(false)
            .open(&lock_path)
        else {
            return Self { _file: None };
        };
        // Blocking exclusive lock with a hard deadline so a wedged holder can't
        // gate forever.
        let deadline = std::time::Instant::now() + std::time::Duration::from_secs(120);
        loop {
            let r = unsafe { libc::flock(file.as_raw_fd(), libc::LOCK_EX | libc::LOCK_NB) };
            if r == 0 {
                return Self { _file: Some(file) };
            }
            if std::time::Instant::now() > deadline {
                return Self { _file: None };
            }
            std::thread::sleep(std::time::Duration::from_millis(25));
        }
    }
}

/// Explicit, configured worker pool. Returned by
/// [`PoolBuilder::build`]. `Pool` is `Clone` (Arc-shared);
/// dropping every clone tears the pool down.
#[derive(Clone)]
pub struct Pool {
    /// macOS/HVF: the subprocess-worker pool.
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    inner: Arc<HiddenPool>,
    /// Linux/KVM: shared pool state (warm image + idle pre-restored VMs).
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    kvm: Arc<KvmPoolInner>,
}

/// Linux/KVM pool state: the warm (snapshot-backed) source image plus a queue of
/// idle, pre-restored VMs kept topped up to `min` (so `acquire` is a ~µs pop
/// instead of a ~ms restore). A single background refiller tops the idle queue
/// back to `min` after each acquire / release.
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
struct KvmPoolInner {
    image: Image,
    vm_config: VmConfig,
    min: usize,
    idle: Mutex<Vec<Vm>>,
    /// Hard max-concurrency admission: bounds total live VMs to `max` and blocks
    /// `acquire` at the cap instead of growing without bound (which would OOM the
    /// host). Carries the live count + `max` + `acquire_timeout`.
    admission: Admission,
    /// Warm-reuse switch (mirrors HVF's `restore_on_release`). When `false`,
    /// a released VM is returned ALIVE to `idle` and reused in place on the next
    /// acquire (guest stays parked, page cache hot) instead of being torn down
    /// and a fresh one restored — turning a ~ms restore + cold re-fault into a
    /// ~µs idle-pop. When `true` (default), each cycle tears down + restores
    /// fresh (clean isolation; the safe default for untrusted multi-tenant use).
    restore_on_release: bool,
    /// Ensures at most one background refiller runs at a time.
    refilling: std::sync::atomic::AtomicBool,
    /// Set by [`Pool::shutdown`]; once true, [`Self::take_or_restore`] refuses
    /// new acquires with [`Error::PoolExhausted`] instead of restoring more VMs.
    shut_down: std::sync::atomic::AtomicBool,
}

/// Hard max-concurrency admission for the KVM pool. Bounds total live VMs
/// (idle + checked-out) to `max`: a fresh restore must `reserve_blocking` a slot,
/// blocking up to `acquire_timeout` when all `max` are in use until a peer
/// `release`s — rather than spawning unboundedly (which would exhaust host RAM).
/// Idle reuse does NOT reserve (the slot was claimed when that VM was created).
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
struct Admission {
    max: usize,
    alive: std::sync::atomic::AtomicUsize,
    lock: std::sync::Mutex<()>,
    available: std::sync::Condvar,
    acquire_timeout: Option<Duration>,
}

#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
impl Admission {
    fn new(max: usize, acquire_timeout: Option<Duration>) -> Self {
        Self {
            max: max.max(1),
            alive: std::sync::atomic::AtomicUsize::new(0),
            lock: std::sync::Mutex::new(()),
            available: std::sync::Condvar::new(),
            acquire_timeout,
        }
    }

    fn alive(&self) -> usize {
        self.alive.load(std::sync::atomic::Ordering::SeqCst)
    }

    /// Claim a slot if under `max`, non-blocking. Returns false at the cap. Used
    /// by the background refiller (which must never block).
    fn try_reserve(&self) -> bool {
        use std::sync::atomic::Ordering::SeqCst;
        loop {
            let cur = self.alive.load(SeqCst);
            if cur >= self.max {
                return false;
            }
            if self
                .alive
                .compare_exchange(cur, cur + 1, SeqCst, SeqCst)
                .is_ok()
            {
                return true;
            }
        }
    }

    /// Bounded wait for a slot-release OR a refiller idle-push, used by
    /// [`KvmPoolInner::take_or_restore`]'s acquire loop. Returns `Ok(true)` to
    /// retry the loop (re-check idle + try_reserve), or `Ok(false)` if the
    /// `acquire_timeout` deadline has passed. Each wait is capped at 100ms so a
    /// missed notify is a short stall, never a hang.
    ///
    /// CRITICAL: the acquire loop must re-check the IDLE QUEUE between waits,
    /// not just the slot count. A background refiller holds an admission slot
    /// while it restores, then pushes the VM to `idle` WITHOUT releasing the
    /// slot — so a caller that blocked purely on `alive < max` (the old
    /// `reserve_blocking`) would never observe that VM and would hang forever
    /// when `min == max` (the single slot is permanently the refiller's). This
    /// is why the wait lives here as a primitive and the idle re-check lives in
    /// `take_or_restore`.
    fn wait_for_change(&self, deadline: Option<std::time::Instant>) -> Result<bool, Error> {
        let g = self.lock.lock().unwrap_or_else(|e| e.into_inner());
        let wait = match deadline {
            Some(dl) => {
                let now = std::time::Instant::now();
                if now >= dl {
                    return Ok(false);
                }
                (dl - now).min(Duration::from_millis(100))
            }
            None => Duration::from_millis(100),
        };
        let _ = self.available.wait_timeout(g, wait);
        Ok(true)
    }

    /// Free a slot + wake one waiter.
    fn release(&self) {
        self.alive.fetch_sub(1, std::sync::atomic::Ordering::SeqCst);
        self.available.notify_one();
    }

    /// Wake ALL acquirers blocked in [`wait_for_change`]. Called by a refiller
    /// after pushing a fresh VM to the idle queue — that push does not call
    /// [`release`] (the slot stays claimed by the now-idle VM), so blocked
    /// acquirers must be woken explicitly to re-check idle promptly.
    fn notify(&self) {
        self.available.notify_all();
    }
}

#[cfg(all(test, target_os = "linux", target_arch = "x86_64"))]
mod admission_tests {
    use super::Admission;
    use std::sync::Arc;
    use std::time::{Duration, Instant};

    #[test]
    fn try_reserve_bounds_at_max() {
        let a = Admission::new(3, None);
        assert!(a.try_reserve());
        assert!(a.try_reserve());
        assert!(a.try_reserve());
        assert_eq!(a.alive(), 3);
        // At the cap: further non-blocking reservations fail.
        assert!(!a.try_reserve());
        assert_eq!(a.alive(), 3);
        // Releasing frees exactly one slot.
        a.release();
        assert_eq!(a.alive(), 2);
        assert!(a.try_reserve());
        assert_eq!(a.alive(), 3);
    }

    #[test]
    fn max_zero_clamps_to_one() {
        let a = Admission::new(0, None);
        assert_eq!(a.max, 1);
        assert!(a.try_reserve());
        assert!(!a.try_reserve());
    }

    #[test]
    fn wait_for_change_reports_deadline_passed() {
        // A past deadline → Ok(false) (the take_or_restore loop maps this to a
        // pool-saturated error) without blocking.
        let a = Admission::new(1, Some(Duration::from_millis(50)));
        assert!(a.try_reserve());
        let past = Instant::now() - Duration::from_secs(1);
        let start = Instant::now();
        assert_eq!(a.wait_for_change(Some(past)).unwrap(), false);
        assert!(
            start.elapsed() < Duration::from_millis(50),
            "a passed deadline must not block"
        );
        // No slot leaked by the wait.
        assert_eq!(a.alive(), 1);
    }

    #[test]
    fn wait_for_change_wakes_on_notify() {
        // A blocked acquirer is woken by notify() (the refiller-idle-push wake)
        // well before the 100ms cap, then re-loops to re-check idle.
        let a = Arc::new(Admission::new(1, Some(Duration::from_secs(5))));
        assert!(a.try_reserve());
        let peer = Arc::clone(&a);
        let waker = std::thread::spawn(move || {
            std::thread::sleep(Duration::from_millis(20));
            peer.notify();
        });
        let start = Instant::now();
        let deadline = Some(Instant::now() + Duration::from_secs(5));
        assert_eq!(a.wait_for_change(deadline).unwrap(), true);
        let elapsed = start.elapsed();
        waker.join().unwrap();
        assert!(
            elapsed < Duration::from_millis(100),
            "notify must wake the waiter promptly, waited {elapsed:?}"
        );
    }

    #[test]
    fn wait_for_change_caps_each_wait_without_notify() {
        // With no notify and a far deadline, a single wait returns within ~100ms
        // (the cap) so the acquire loop re-checks idle frequently — this is the
        // backstop that makes the min==max deadlock impossible even if a notify
        // is ever missed.
        let a = Admission::new(1, Some(Duration::from_secs(10)));
        assert!(a.try_reserve());
        let start = Instant::now();
        let deadline = Some(Instant::now() + Duration::from_secs(10));
        assert_eq!(a.wait_for_change(deadline).unwrap(), true);
        let elapsed = start.elapsed();
        assert!(
            elapsed < Duration::from_millis(250),
            "each wait must cap at ~100ms, waited {elapsed:?}"
        );
    }
}

#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
impl KvmPoolInner {
    fn restore_one(&self) -> Result<Vm, Error> {
        Vm::start(&self.image, &self.vm_config)
    }

    /// Pop an idle pre-warmed VM (~µs) or restore a fresh one (~ms). A fresh
    /// restore reserves one of the `max` concurrency slots, BLOCKING (up to
    /// `acquire_timeout`) when the pool is saturated rather than over-spawning.
    /// Idle reuse takes no slot (it was reserved when that VM was created).
    fn take_or_restore(&self) -> Result<Vm, Error> {
        let deadline = self
            .admission
            .acquire_timeout
            .map(|d| std::time::Instant::now() + d);
        loop {
            if self.shut_down.load(std::sync::atomic::Ordering::SeqCst) {
                return Err(Error::pool_exhausted("pool is shut down"));
            }
            // Re-check idle EVERY iteration. A background refiller holds an
            // admission slot while it restores, then pushes the VM here without
            // releasing the slot — so an acquirer that blocked purely on the
            // slot count would never see it and would hang forever when
            // min == max (the lone slot is the refiller's). Popping idle here
            // each loop is what breaks that deadlock.
            if let Some(vm) = self.idle.lock().unwrap_or_else(|e| e.into_inner()).pop() {
                return Ok(vm);
            }
            // No idle VM: claim a fresh slot if under `max` and restore.
            if self.admission.try_reserve() {
                return self.restore_one().inspect_err(|_| self.admission.release());
            }
            // At the cap with nothing idle: wait for a peer release OR a
            // refiller idle-push, then re-loop (which re-checks idle).
            if !self.admission.wait_for_change(deadline)? {
                return Err(Error::pool_exhausted(format!(
                    "pool saturated: all {} VM slots in use and none freed within \
                     acquire_timeout",
                    self.admission.max
                )));
            }
        }
    }

    /// Synchronously pre-warm the idle queue up to `min` (best-effort). Used at
    /// `build()` so eager pre-spawn (`min > 0`) is observable in `stats()` the
    /// instant `build()` returns, rather than racing a background thread.
    fn prewarm_to_min(&self) {
        loop {
            let idle_len = self.idle.lock().unwrap_or_else(|e| e.into_inner()).len();
            // Stop at the idle target, or when another slot would exceed `max`.
            if idle_len >= self.min || !self.admission.try_reserve() {
                break;
            }
            match self.restore_one() {
                Ok(vm) => {
                    self.idle.lock().unwrap_or_else(|e| e.into_inner()).push(vm);
                    // Wake any acquirer blocked at the cap so it re-checks idle.
                    self.admission.notify();
                }
                Err(_) => {
                    self.admission.release();
                    break;
                }
            }
        }
    }

    /// Spawn (at most one) background refiller to top the idle queue up to `min`.
    fn refill_async(self: &Arc<Self>) {
        use std::sync::atomic::Ordering::SeqCst;
        if self.min == 0 {
            return;
        }
        if self
            .refilling
            .compare_exchange(false, true, SeqCst, SeqCst)
            .is_err()
        {
            return; // a refiller is already running
        }
        let inner = Arc::clone(self);
        std::thread::spawn(move || {
            loop {
                let idle_len = inner.idle.lock().unwrap_or_else(|e| e.into_inner()).len();
                // Stop at the idle target, or when claiming another slot would
                // exceed `max` (try_reserve returns false at the cap).
                if idle_len >= inner.min || !inner.admission.try_reserve() {
                    break;
                }
                match inner.restore_one() {
                    Ok(vm) => {
                        inner
                            .idle
                            .lock()
                            .unwrap_or_else(|e| e.into_inner())
                            .push(vm);
                        // Wake an acquirer blocked at the cap to re-check idle.
                        inner.admission.notify();
                    }
                    Err(_) => {
                        inner.admission.release();
                        break;
                    }
                }
            }
            inner.refilling.store(false, SeqCst);
        });
    }
}

// Opaque Debug: the KVM `Pool` holds an `Image`, and `Image` (which derives
// Debug) caches an `Arc<Pool>` — a derived Debug would recurse infinitely if
// ever printed. Print opaquely instead.
impl std::fmt::Debug for Pool {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("Pool").finish_non_exhaustive()
    }
}

/// Snapshot of pool state at a point in time. Cheap to fetch —
/// one mutex acquire — so it's safe to graph at modest rates.
#[derive(Debug, Clone, Copy)]
pub struct PoolStats {
    /// Total workers alive: idle + checked-out + in-flight spawn.
    pub alive: usize,
    /// Currently checked out (in use by a `PooledVm`).
    pub in_use: usize,
    /// Sitting in the idle queue waiting for next acquire.
    pub idle: usize,
    /// Acquire callers currently blocked waiting for a slot.
    pub waiting: usize,
    /// Configured maximum concurrency.
    pub max: usize,
    /// Configured baseline / always-warm count.
    pub min: usize,
    /// Cumulative dead-while-idle workers the watchdog has reaped. A
    /// steadily climbing value points at workers crashing post-restore.
    pub reaped: u64,
    /// High-water-mark resident footprint (phys_footprint, MiB) observed
    /// across this pool's workers, vs the configured `memory_mib` cap.
    /// `0` until the first measurement. The gap between this and
    /// `memory_mib × alive` is the headroom that
    /// SUPERMACHINE_ADMISSION_CHARGE=rss reclaims for density.
    pub observed_footprint_mib: u64,
}

impl Pool {
    /// Acquire a fresh VM from this pool. Identical fast path to
    /// [`Image::acquire`] — on a hit, ~µs to pop the idle queue.
    /// On miss, follows the policy: auto-grow up to `max`, or
    /// block (with timeout) if at `max`.
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    pub fn acquire(&self) -> Result<PooledVm<'_>, Error> {
        let _span = tracing::info_span!(
            "supermachine.pool.acquire",
            memory_mib = self.inner.spawn_cfg.memory_mib,
            vcpus = self.inner.spawn_cfg.vcpus,
        )
        .entered();
        let worker = self.inner.acquire()?;
        let vm = Vm {
            pool: None,
            vsock_mux_path: worker.vsock_mux_path.clone(),
            vsock_exec_path: worker.vsock_exec_path.clone(),
            own_vsock_mux_dir: None,
            skip_cleanup: true,
            // image_meta is filled in via Image's ensure_pool path;
            // when the pool is explicitly built we don't have
            // direct access to the source Image, so leave it None
            // and rely on `Vm::start`-derived snapshots if the
            // user wants `PooledVm::snapshot` to work. Most
            // pool-based callers don't need it.
            image_meta: Some(Arc::new(ImageMeta {
                memory_mib: self.inner.spawn_cfg.memory_mib,
                vcpus: self.inner.spawn_cfg.vcpus,
                layers: self.inner.spawn_cfg.layers.clone(),
                delta_squashfs: self.inner.spawn_cfg.delta_squashfs.clone(),
            })),
        };
        Ok(PooledVm {
            vm: Some(vm),
            worker: Some(worker),
            pool_arc: Arc::clone(&self.inner),
            _image: std::marker::PhantomData,
        })
    }

    /// Acquire a VM (Linux/KVM). Pops a pre-warmed idle VM (~µs) when one is
    /// ready, else restores a fresh one from the warm snapshot (~ms). Triggers a
    /// background refill back to `min`. Torn down + replaced when the
    /// [`PooledVm`] drops. The warming happened once at [`PoolBuilder::build`].
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn acquire(&self) -> Result<PooledVm<'_>, Error> {
        let vm = self.kvm.take_or_restore()?;
        // No background refill on acquire: BOTH release modes now return the VM
        // ALIVE to idle (isolated = in-place reset, dirty = as-is), so the
        // checked-out VM IS its own replenishment. A refill here would restore
        // redundant fresh VMs during the checkout window and grow the pool past
        // its working set. The only teardown is the reset-failure fallback in
        // PooledVm::drop, which refills itself.
        Ok(PooledVm {
            vm: Some(vm),
            pool: Some(Arc::clone(&self.kvm)),
            _image: std::marker::PhantomData,
        })
    }

    /// Snapshot of current pool state.
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    pub fn stats(&self) -> PoolStats {
        let s = self.inner.state.lock().ok();
        let alive = s.as_ref().map(|s| s.alive).unwrap_or(0);
        let idle = s.as_ref().map(|s| s.idle.len()).unwrap_or(0);
        let waiting = s.as_ref().map(|s| s.waiting).unwrap_or(0);
        let reaped = s.as_ref().map(|s| s.reaped).unwrap_or(0);
        let observed_footprint_mib = self
            .inner
            .spawn_cfg
            .observed_footprint_mib
            .load(std::sync::atomic::Ordering::Relaxed);
        PoolStats {
            alive,
            in_use: alive.saturating_sub(idle),
            idle,
            waiting,
            max: self.inner.policy.max,
            min: self.inner.policy.min,
            reaped,
            observed_footprint_mib,
        }
    }

    /// Snapshot of current pool state (Linux/KVM): idle = pre-warmed VMs ready,
    /// alive = idle + checked-out, against the configured min/max.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn stats(&self) -> PoolStats {
        let idle = self
            .kvm
            .idle
            .lock()
            .unwrap_or_else(|e| e.into_inner())
            .len();
        let alive = self.kvm.admission.alive();
        PoolStats {
            alive,
            in_use: alive.saturating_sub(idle),
            idle,
            waiting: 0,
            max: self.kvm.admission.max,
            min: self.kvm.min,
            reaped: 0,
            observed_footprint_mib: 0,
        }
    }

    /// Shut the pool down explicitly. Wakes any caller blocked on
    /// [`Self::acquire`] — they receive
    /// `Err(Error::vm_msg("pool is shutting down"))` instead of
    /// hanging — drains idle + dirty workers, and stops
    /// housekeeping threads.
    ///
    /// Idempotent. Pool is also shut down on Drop, so explicit
    /// `shutdown()` is for embedders who want a synchronous "the
    /// pool is gone now" guarantee (e.g. before re-creating a pool
    /// at a different size, or before a process-shutdown hook).
    pub fn shutdown(&self) {
        // macOS: tear down the worker pool. Linux/KVM no-reuse pool holds no
        // shared resources — per-acquire VMs stop when their PooledVm drops.
        #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
        self.inner.shutdown_pool();
        // Linux/KVM: mark the pool dead so subsequent acquires error (instead of
        // restoring fresh VMs) + drain any pre-warmed idle VMs now.
        #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
        {
            self.kvm
                .shut_down
                .store(true, std::sync::atomic::Ordering::SeqCst);
            let drained: Vec<Vm> =
                std::mem::take(&mut *self.kvm.idle.lock().unwrap_or_else(|e| e.into_inner()));
            for vm in drained {
                self.kvm.admission.release();
                drop(vm);
            }
        }
    }
}

///
/// Every setter that affects the workload's behavior (env, cmd,
/// memory, guest_port) is part of the bake's input fingerprint:
/// changing it forces a re-bake and produces a different snapshot.
/// Use distinct `with_name` values if you want side-by-side
/// snapshots for the same image ref with different configs.
pub struct OciImageBuilder {
    image: String,
    name: Option<String>,
    pull_policy: PullPolicy,
    memory_mib: Option<u32>,
    vcpus: Option<u32>,
    guest_port: Option<u16>,
    cmd: Option<Vec<String>>,
    envs: Vec<(String, String)>,
    snapshots_dir: Option<PathBuf>,
    /// Optional post-bake warmup. After the bake completes, we
    /// `acquire` a VM from the freshly-baked image, run this
    /// closure, snapshot the post-warmup state, and replace
    /// `restore.snap` with the warm version. Subsequent acquires
    /// land at warm state — guest page cache for the workload
    /// already populated, so e.g. `rustc` cold-start drops from
    /// ~370 ms to ~50–100 ms.
    warmup: Option<Box<dyn FnOnce(&Vm) -> Result<(), Error> + Send>>,
    /// Stable tag for the warmup. Folded into the snapshot's
    /// cached fingerprint so changing the warmup invalidates the
    /// previous warm snapshot. If `None`, warmup is treated as
    /// "any change re-runs" (we use a hash-of-empty as the tag,
    /// which is stable across runs).
    warmup_tag: Option<String>,
    /// Extra files to stage into the bake's delta layer at
    /// (host_path, guest_path). Useful for bundling per-snapshot
    /// auxiliary binaries (e.g. the snapshot-park kernel module
    /// at `/supermachine-smpark.ko`). Plumbed through to the
    /// bake step as `--extra-file <host>:<guest>` args.
    extra_files: Vec<(PathBuf, String)>,
    /// virtio-fs DAX mounts: (host_path, guest_tag, symlink_policy)
    /// (host_path, guest_tag, symlinks_policy, guest_path). Each is
    /// exposed as a virtio-fs device and auto-mounted by init-oci
    /// at `guest_path` before the workload starts. Plumbed through
    /// to the bake step as
    /// `--mount <host>:<tag>:<guest_path>[:<policy>]` args.
    mounts: Vec<(
        PathBuf,
        String,
        crate::vmm::resources::SymlinkPolicy,
        String,
    )>,
    /// Writable virtio-blk volumes: (host_path, guest_path, size_bytes).
    /// Each is plumbed through to the bake step as
    /// `--volume <host>:<guest>:<size_bytes>` args. Use for
    /// dependency caches (`node_modules`, `target/`) — block I/O
    /// bypasses the FUSE round-trip cost that makes `mounts` slow
    /// for thousands-of-small-files write workloads. Volume bytes
    /// persist across restores; only the mapping is snapshotted.
    volumes: Vec<(PathBuf, String, u64)>,
    /// Extra kernel cmdline tokens appended after supermachine's
    /// own defaults. Power-user / testing escape hatch — e.g.
    /// `["init=/nope"]` in a test to deliberately trigger an
    /// early-init kernel panic. Plumbed through to the bake step
    /// as `--cmdline-extra <token>` args.
    extra_kernel_args: Vec<String>,
    /// When `Some(true)`, the no-warmup `.build()` path waits for
    /// the workload's listener to come up (or the parked-PID-1
    /// fallback) before capturing — same as v0.4.22 behavior.
    /// When `None` or `Some(false)`, the default v0.4.23+ behavior
    /// applies: snapshot is captured at the pre-exec marker, BEFORE
    /// the workload runs. Each restore re-execs the workload fresh.
    ///
    /// Set to `true` for service-image bakes (nginx, redis, etc.)
    /// where you want the listener pre-bound at restore time but
    /// don't want the cost of routing through `with_warmup`. See
    /// [`OciImageBuilder::with_listener_required`].
    require_listener: Option<bool>,
    /// Target platform, in Docker `--platform` form. `None` →
    /// default `"linux/arm64"`. Setting `"linux/amd64"` makes the
    /// bake pull the amd64 variant of multi-arch images AND
    /// auto-mounts Apple's Rosetta runtime share, giving the
    /// guest end-to-end amd64-binary execution via the M1
    /// Rosetta-in-VM plumbing. See
    /// `docs/design/chrome-amd64-gap-2026-05-17.md`.
    pub(crate) platform: Option<String>,
}

impl OciImageBuilder {
    /// Start a new builder for `image_ref` (e.g. `"nginx:1.27-alpine"`,
    /// `"ghcr.io/owner/image@sha256:..."`).
    pub fn new(image_ref: impl Into<String>) -> Self {
        Self {
            image: image_ref.into(),
            name: None,
            pull_policy: PullPolicy::default(),
            memory_mib: None,
            vcpus: None,
            guest_port: None,
            cmd: None,
            envs: Vec::new(),
            snapshots_dir: None,
            warmup: None,
            warmup_tag: None,
            extra_files: Vec::new(),
            mounts: Vec::new(),
            volumes: Vec::new(),
            extra_kernel_args: Vec::new(),
            require_listener: None,
            platform: None,
        }
    }

    /// Set the target platform for the image pull, in Docker
    /// `--platform` form. Two values are supported:
    ///
    ///   - `"linux/arm64"` (default) — native arm64 path, full perf.
    ///   - `"linux/amd64"` — pull the amd64 variant from a multi-
    ///     arch index; auto-mount Apple's Rosetta runtime share at
    ///     `/run/rosetta`; register binfmt_misc so amd64 ELFs run
    ///     via Rosetta translation. Requires Rosetta to be
    ///     installed on the host (`softwareupdate --install-rosetta`).
    ///
    /// ```no_run
    /// # use supermachine::Image;
    /// let img = Image::builder("mcr.microsoft.com/playwright:v1.59.1-jammy")
    ///     .with_platform("linux/amd64")
    ///     .with_memory_mib(4096)
    ///     .build()?;
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    pub fn with_platform(mut self, platform: impl Into<String>) -> Self {
        self.platform = Some(platform.into());
        self
    }

    /// Stage `host_path` into the snapshot's delta layer at
    /// `guest_path`. The file appears at `guest_path` inside the
    /// guest's root filesystem after restore. Folded into the
    /// bake's content hash so changing the host file invalidates
    /// the cached snapshot.
    ///
    /// Used (e.g.) to ship `supermachine-smpark.ko` so init-oci
    /// can `finit_module` it on boot for multi-vCPU snapshot
    /// support.
    pub fn with_extra_file(
        mut self,
        host_path: impl Into<PathBuf>,
        guest_path: impl Into<String>,
    ) -> Self {
        self.extra_files.push((host_path.into(), guest_path.into()));
        self
    }

    /// Override where the image bytes come from. Default (when not
    /// called) treats the constructor's `image_ref` as a registry
    /// reference and pulls from Docker Hub or the registry encoded
    /// in the ref.
    ///
    /// Internally the bake driver also accepts `image_ref` directly
    /// in the prefixed forms `oci-archive:/path` and `oci-layout:/path`;
    /// this method is the structured convenience: the user keeps
    /// `image_ref` as a logical identifier (used to derive the
    /// snapshot dir name) and points at a local source separately.
    ///
    /// ```no_run
    /// # use supermachine::{Image, PullPolicy};
    /// let img = Image::builder("shopify-test-sm:latest")
    ///     .with_oci_archive("/tmp/shopify.tar")
    ///     .build()?;
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    pub fn with_oci_archive(mut self, archive_path: impl Into<PathBuf>) -> Self {
        // Rewrite image ref to the prefix form; keep the user's
        // original ref as the auto-derived snapshot name if no
        // explicit `with_name` was called.
        let path: PathBuf = archive_path.into();
        let original =
            std::mem::replace(&mut self.image, format!("oci-archive:{}", path.display()));
        if self.name.is_none() {
            self.name = Some(crate::bake::snapshot_name_for_image(&original));
        }
        self
    }

    /// Like `with_oci_archive` but points at an OCI layout DIRECTORY
    /// (the un-tar'd form, with `index.json` + `oci-layout` +
    /// `blobs/sha256/...` at the top level).
    pub fn with_oci_layout(mut self, layout_dir: impl Into<PathBuf>) -> Self {
        let path: PathBuf = layout_dir.into();
        let original = std::mem::replace(&mut self.image, format!("oci-layout:{}", path.display()));
        if self.name.is_none() {
            self.name = Some(crate::bake::snapshot_name_for_image(&original));
        }
        self
    }

    /// Expose a host directory to the guest via virtio-fs (with DAX).
    /// The guest mounts it inside `init-oci` as
    /// `mount -t virtiofs <tag> <target>` — by convention init-oci
    /// mounts each declared tag at `/mnt/<tag>` and bind-mounts into
    /// the workload's filesystem if a per-image policy says so.
    ///
    /// Reads from the guest land in the host's page cache (DAX-mapped
    /// via `hv_vm_map`; validated by spike 22 to be zero-copy + shared
    /// across VMs that mount the same host path). The mount is added
    /// to the bake's input hash so changing `host_path` invalidates the
    /// cached snapshot.
    ///
    /// ```no_run
    /// # use supermachine::Image;
    /// let img = Image::builder("node:22-alpine")
    ///     .with_mount("/Users/me/myapp", "myapp", "/workspace")
    ///     .with_cmd(["node", "/workspace/index.js"])
    ///     .build()?;
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    pub fn with_mount(
        mut self,
        host_path: impl Into<PathBuf>,
        guest_tag: impl Into<String>,
        guest_path: impl Into<String>,
    ) -> Self {
        self.mounts.push((
            host_path.into(),
            guest_tag.into(),
            crate::vmm::resources::SymlinkPolicy::default(),
            guest_path.into(),
        ));
        self
    }

    /// Like [`Self::with_mount`] but lets the caller pick a
    /// [`SymlinkPolicy`] other than the default `Opaque`.
    pub fn with_mount_symlinks(
        mut self,
        host_path: impl Into<PathBuf>,
        guest_tag: impl Into<String>,
        guest_path: impl Into<String>,
        symlinks: crate::vmm::resources::SymlinkPolicy,
    ) -> Self {
        self.mounts.push((
            host_path.into(),
            guest_tag.into(),
            symlinks,
            guest_path.into(),
        ));
        self
    }

    /// Attach a writable virtio-blk volume backing `host_path`
    /// (created sparse if missing, sized to `spec.size_bytes`) at
    /// `spec.guest_path` inside the guest. Use for dependency caches
    /// and other write-heavy paths where you'd otherwise pay the
    /// per-file FUSE round-trip cost of `with_mount`. The volume's
    /// bytes are NOT folded into the snapshot — only the mapping
    /// is. Volume contents persist across restores.
    ///
    /// ```no_run
    /// # use supermachine::{Image, VolumeSpec};
    /// let img = Image::builder("node:22-alpine")
    ///     .with_volume(VolumeSpec::new("/var/cache/sm/node_modules.img",
    ///                                  "/work/node_modules"))
    ///     .build()?;
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    pub fn with_volume(mut self, spec: crate::vmm::resources::VolumeSpec) -> Self {
        self.volumes.push((
            PathBuf::from(spec.host_path),
            spec.guest_path,
            spec.size_bytes,
        ));
        self
    }

    /// Append one extra token to the kernel cmdline. Tokens go
    /// after supermachine's own defaults (`earlycon`, `console`,
    /// `tsi_hijack`, etc.) but before the per-bake `tsi_token`.
    /// Power-user / testing escape hatch — e.g. pass
    /// `"init=/nope"` in a test to deliberately trigger an
    /// early-init kernel panic, or `"panic=1"` to make the
    /// kernel panic on any warning. Folded into the bake's input
    /// hash so changing this re-bakes.
    pub fn with_extra_kernel_arg(mut self, arg: impl Into<String>) -> Self {
        self.extra_kernel_args.push(arg.into());
        self
    }

    /// Override the number of vCPUs the snapshot is baked with.
    /// Default `1`. Multi-vCPU is opt-in: it lifts sustained
    /// HTTP-serving throughput (single-vCPU is the c=32+
    /// bottleneck) at the cost of slightly higher cold boot and
    /// some snapshot/restore caveats. See
    /// docs/design/concurrency-floor-2026-05-04.md.
    pub fn with_vcpus(mut self, vcpus: u32) -> Self {
        self.vcpus = Some(vcpus);
        self
    }

    /// Snapshot name. Default: derived from the image ref via
    /// `bake::snapshot_name_for_image`. Use this when you want
    /// `nginx:1.27-alpine` baked twice with different configs.
    pub fn with_name(mut self, name: impl Into<String>) -> Self {
        self.name = Some(name.into());
        self
    }

    /// Cache + registry policy. See [`PullPolicy`].
    pub fn with_pull_policy(mut self, policy: PullPolicy) -> Self {
        self.pull_policy = policy;
        self
    }

    /// Override the bake-time memory budget (MiB). The runtime
    /// memory is set on [`VmConfig`]; this is the size the
    /// snapshot is captured at.
    pub fn with_memory_mib(mut self, mib: u32) -> Self {
        self.memory_mib = Some(mib);
        self
    }

    /// Override the guest service port the bake waits for as the
    /// readiness signal. Default `80`.
    pub fn with_guest_port(mut self, port: u16) -> Self {
        self.guest_port = Some(port);
        self
    }

    /// Override the image's `CMD`. Pass an argv array, same shape
    /// as Docker's `--entrypoint` + arguments combined.
    ///
    /// ```no_run
    /// # use supermachine::Image;
    /// let img = Image::builder("python:3.12-alpine")
    ///     .with_cmd(["python", "-m", "http.server", "8080"])
    ///     .with_guest_port(8080)
    ///     .build()?;
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    pub fn with_cmd<I, S>(mut self, cmd: I) -> Self
    where
        I: IntoIterator<Item = S>,
        S: Into<String>,
    {
        self.cmd = Some(cmd.into_iter().map(Into::into).collect());
        self
    }

    /// Add an environment variable for the workload. Repeatable.
    /// Mirrors `docker run -e KEY=VAL`.
    pub fn with_env(mut self, key: impl Into<String>, value: impl Into<String>) -> Self {
        self.envs.push((key.into(), value.into()));
        self
    }

    /// Override the directory snapshots are stored in. Default
    /// is `~/.local/supermachine-snapshots`. Use this to keep
    /// per-project snapshot stores isolated from each other.
    pub fn with_snapshots_dir(mut self, dir: impl Into<PathBuf>) -> Self {
        self.snapshots_dir = Some(dir.into());
        self
    }

    /// Run a warmup closure once after the bake, then re-snapshot
    /// the post-warmup state. Future restores from this image
    /// land at the warm state — guest page cache for the
    /// workload already populated, so e.g. compiling a small
    /// Rust program drops from ~370 ms to ~50–100 ms.
    ///
    /// Cached: if the warm snapshot already exists with a
    /// matching warmup tag (see [`Self::with_warmup_tag`]), the
    /// warmup is skipped on subsequent builds. Without an
    /// explicit tag, the warmup re-runs whenever the snapshot
    /// is invalidated by other inputs (image_ref, memory, etc.)
    /// — set a tag if you change the closure body and want the
    /// cache to invalidate.
    ///
    /// ```no_run
    /// # use std::time::Duration;
    /// # use supermachine::Image;
    /// let image = Image::ensure_baked("rust_warm", "rust:1-slim", |b| b
    ///     .with_memory_mib(2048)
    ///     .with_warmup(|vm| {
    ///         vm.write_file("/tmp/probe.rs", b"fn main(){}")?;
    ///         vm.exec_builder()
    ///             .argv(["sh", "-c", "rustc -O /tmp/probe.rs -o /tmp/probe && /tmp/probe"])
    ///             .timeout(Duration::from_secs(60))
    ///             .output()?;
    ///         Ok(())
    ///     })
    ///     .with_warmup_tag("v1")
    /// )?;
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    pub fn with_warmup<F>(mut self, warmup: F) -> Self
    where
        F: FnOnce(&Vm) -> Result<(), Error> + Send + 'static,
    {
        self.warmup = Some(Box::new(warmup));
        self
    }

    /// Stable tag for the warmup closure (see [`Self::with_warmup`]).
    /// Bump when you change the warmup body and want the previously
    /// cached warm snapshot invalidated.
    pub fn with_warmup_tag(mut self, tag: impl Into<String>) -> Self {
        self.warmup_tag = Some(tag.into());
        self
    }

    /// For the no-warmup `.build()` path, wait for the workload's
    /// in-guest listener to come up before capturing the snapshot
    /// (the v0.4.22 behavior). Without this, v0.4.23+ defaults to
    /// the `pre-exec` trigger which captures BEFORE the workload
    /// runs — fast bake, but each restore re-execs the workload
    /// fresh (workload's own startup time is paid per acquire).
    ///
    /// **When to call this:**
    ///
    /// - **You're baking a service image** (nginx, redis, postgres,
    ///   anything that binds a listener and stays up) AND you want
    ///   the listener pre-bound at restore-time so first acquire's
    ///   port-traffic works immediately, but you don't want to pay
    ///   the cost of routing through `with_warmup` (which adds a
    ///   warm-snapshot round-trip).
    ///
    /// **When NOT to call this:**
    ///
    /// - **You're using `vm.exec(...)`** for arbitrary commands and
    ///   don't care about the workload's listener. Default (pre-exec
    ///   trigger) is faster and gives you the same agent behavior.
    ///
    /// - **The workload doesn't bind a listener and doesn't exit
    ///   quickly** (e.g. a long-running daemon that never serves a
    ///   port). With `require_listener=true` you'd time out at
    ///   `--snapshot-after-ms` (~7 s default). The pre-exec trigger
    ///   handles this case in ~150 ms regardless.
    ///
    /// No effect when `with_warmup` is also set — the warmup path
    /// always uses listener-ready (or the warmup callback would run
    /// against a not-yet-ready guest).
    pub fn with_listener_required(mut self) -> Self {
        self.require_listener = Some(true);
        self
    }

    /// Run the bake (or reuse a cached snapshot per
    /// `with_pull_policy`) and return the resulting [`Image`].
    ///
    /// Dispatches by backend: KVM (Linux/x86_64) bakes through the
    /// self-contained KVM pipeline; HVF (macOS/aarch64) through the worker
    /// pipeline. The cache / pull-policy / version-skew handling is shared.
    pub fn build(self) -> Result<Image, Error> {
        #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
        {
            self.build_kvm()
        }
        #[cfg(not(all(target_os = "linux", target_arch = "x86_64")))]
        {
            self.build_hvf()
        }
    }

    /// KVM/x86_64 bake. Routes through the unified [`Image::from_oci_to_dir`]
    /// cache-or-bake path (which on Linux uses [`Image::bake_kvm_auto`]).
    ///
    /// NOTE: `with_env` / `with_cmd` / `with_mount` / `with_volume` /
    /// `with_warmup` are not yet applied on the KVM backend (tracked parity
    /// gaps); if set they're ignored with a warning and the base image is baked.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    fn build_kvm(self) -> Result<Image, Error> {
        let snapshots_dir = self
            .snapshots_dir
            .clone()
            .unwrap_or_else(default_snapshots_dir);
        let derived_name = self
            .name
            .clone()
            .unwrap_or_else(|| crate::bake::snapshot_name_for_image(&self.image));
        // Volumes ARE applied (below). The rest aren't wired into the KVM bake
        // yet; warn so the caller knows they're ignored.
        if !self.envs.is_empty()
            || self.cmd.is_some()
            || !self.mounts.is_empty()
            || !self.extra_files.is_empty()
            || self.warmup.is_some()
        {
            eprintln!(
                "supermachine(KVM): OciImageBuilder env/cmd/mounts/warmup are not yet \
                 applied on the KVM backend; baking the base image for {:?}.",
                self.image
            );
        }
        let img = Image::from_oci_to_dir(
            &self.image,
            self.pull_policy,
            &snapshots_dir,
            Some(&derived_name),
        )?;
        if self.volumes.is_empty() {
            return Ok(img);
        }
        // Persist the builder's data volumes into the snapshot metadata so every
        // start attaches + mounts them (parity with HVF `with_volume`). The host
        // backing files are created/formatted lazily at `Vm::start` via
        // `prepare_kvm_volumes`. Reload so the returned Image carries them.
        let snap_dir = snapshots_dir.join(&derived_name);
        persist_kvm_builder_volumes(&snap_dir, &self.volumes)?;
        Image::from_snapshot(&snap_dir)
    }

    /// HVF/aarch64 bake (the worker pipeline).
    #[cfg(not(all(target_os = "linux", target_arch = "x86_64")))]
    fn build_hvf(self) -> Result<Image, Error> {
        let snapshots_dir = self.snapshots_dir.unwrap_or_else(default_snapshots_dir);
        let derived_name = self
            .name
            .clone()
            .unwrap_or_else(|| crate::bake::snapshot_name_for_image(&self.image));
        let snap_dir = snapshots_dir.join(&derived_name);

        // Cache fast-path: same as Image::from_oci_to_dir, but on
        // the builder we have to assume the cache might be stale
        // for a different config under the same name. We trust the
        // bake pipeline's input-hash check (`native_bake_key`) to
        // re-bake when the inputs changed; on cache hit it's a
        // no-op and we just load the existing snapshot.
        let cache_loadable = Image::from_snapshot(&snap_dir).is_ok();
        // Version-skew check: if the cached snapshot was baked under
        // a different supermachine binary, the init/kernel/agent
        // shipped IN the snapshot are stale and likely missing
        // recent fixes. Treat as cache-miss and silently invalidate
        // — the user sees a fresh re-bake, not a runtime warning
        // they have to act on. (For PullPolicy::Never, we keep the
        // hard error so the operator notices.)
        if cache_loadable {
            if let Some(baked) = snap_dir_baked_under_other_version(&snap_dir) {
                let current = env!("CARGO_PKG_VERSION");
                eprintln!(
                    "supermachine: snapshot at {} was baked under v{baked}; \
                     current binaries are v{current}. Auto-rebaking \
                     (this is a one-time cost on the next build after upgrade).",
                    snap_dir.display()
                );
                invalidate_stale_snapshot_tree(&snap_dir);
            }
        }
        // Re-check after potential invalidation — the dir may have
        // gone away.
        let cache_loadable = cache_loadable && snap_dir.is_dir();
        match self.pull_policy {
            PullPolicy::Never => {
                if cache_loadable {
                    return Image::from_snapshot(&snap_dir);
                }
                let restore_snap = snap_dir.join("restore.snap");
                if restore_snap.is_file() {
                    return Err(Error::cache_invalid(format!(
                        "snapshot present at {} but not loadable on this binary; \
                         rebake required (PullPolicy::Never won't auto-rebake)",
                        snap_dir.display()
                    )));
                }
                return Err(Error::cache_miss(format!(
                    "no cached snapshot for {} at {} (PullPolicy::Never)",
                    self.image,
                    snap_dir.display()
                )));
            }
            // Missing+invalid OR Always: fall through to bake. The
            // bake pipeline will short-circuit on input-hash match
            // even on Always policy.
            _ => {}
        }

        // Encode env / cmd into the form `bake::run_push` accepts.
        let mut extra_args: Vec<String> = Vec::new();
        for (k, v) in &self.envs {
            extra_args.push("--env".to_owned());
            extra_args.push(format!("{k}={v}"));
        }
        for (host, guest) in &self.extra_files {
            extra_args.push("--extra-file".to_owned());
            extra_args.push(format!("{}:{}", host.display(), guest));
        }
        // Effective mounts = user mounts + (Rosetta auto-mount when amd64).
        // For `linux/amd64` we silently add two mounts that wire up
        // Apple's Rosetta translation pipeline end-to-end:
        //
        //   1. Tag `"rosetta"` → the read-only Rosetta runtime share at
        //      `/Library/Apple/usr/libexec/oah/RosettaLinux` on the host
        //      (the `rosetta` interpreter + `rosettad` daemon). init-oci
        //      mounts this at `/run/rosetta` and registers binfmt_misc
        //      for the amd64 ELF magic.
        //
        //   2. Tag `"rosettad-cache"` → a writable host-side cache dir at
        //      `~/.cache/supermachine/rosetta-aot/`. init-oci mounts this
        //      at `/var/cache/rosettad` and starts the rosettad daemon
        //      against it. `rosettad` writes `.aotcache` files there
        //      (content-addressable by the amd64 binary's build-id), so
        //      repeated runs of the same binary skip retranslation —
        //      across VM restarts, across snapshot bakes, across
        //      separate images that happen to share binaries (the
        //      build-id keying makes cross-image sharing safe).
        //
        // If the host doesn't have Rosetta installed, error out *here*
        // with an actionable hint rather than letting the bake fail
        // downstream with a confusing "mount: no such directory".
        use crate::vmm::resources::SymlinkPolicy;
        let mut effective_mounts: Vec<(PathBuf, String, SymlinkPolicy, String)> =
            self.mounts.clone();
        let platform_amd64 = self.platform.as_deref() == Some("linux/amd64");
        if platform_amd64
            && !effective_mounts
                .iter()
                .any(|(_, tag, _, _)| tag == "rosetta")
        {
            const ROSETTA_HOST: &str = "/Library/Apple/usr/libexec/oah/RosettaLinux";
            let rosetta_path = PathBuf::from(ROSETTA_HOST);
            if !rosetta_path.join("rosetta").is_file() || !rosetta_path.join("rosettad").is_file() {
                return Err(Error::bake_msg(format!(
                    "platform=linux/amd64 requires Apple Rosetta runtime at \
                     {ROSETTA_HOST}; install with `softwareupdate --install-rosetta`"
                )));
            }
            effective_mounts.push((
                rosetta_path,
                "rosetta".to_owned(),
                SymlinkPolicy::Opaque,
                "/run/rosetta".to_owned(),
            ));
        }
        // Auto-mount the persistent AOT cache for amd64. Skipped when the
        // user explicitly provided a `"rosettad-cache"` tag (escape
        // hatch for tests / sandboxed environments) or when HOME isn't
        // resolvable.
        if platform_amd64
            && !effective_mounts
                .iter()
                .any(|(_, tag, _, _)| tag == "rosettad-cache")
        {
            if let Some(home) = std::env::var_os("HOME") {
                let cache_dir = PathBuf::from(home)
                    .join(".cache")
                    .join("supermachine")
                    .join("rosetta-aot");
                if let Err(e) = std::fs::create_dir_all(&cache_dir) {
                    eprintln!(
                        "supermachine: could not create Rosetta AOT cache dir \
                         {}: {} — amd64 binaries will still run via JIT but \
                         translations won't persist across VM restarts",
                        cache_dir.display(),
                        e
                    );
                } else {
                    effective_mounts.push((
                        cache_dir,
                        "rosettad-cache".to_owned(),
                        SymlinkPolicy::Opaque,
                        "/var/cache/rosettad".to_owned(),
                    ));
                }
            }
        }
        for (host, tag, symlinks, guest_path) in &effective_mounts {
            extra_args.push("--mount".to_owned());
            // Encoding: `HOST:TAG:GUEST_PATH` (Opaque default policy)
            // or `HOST:TAG:GUEST_PATH:POLICY` when the user picked
            // a non-default policy. Parallel to `--volume HOST:GUEST:
            // SIZE_BYTES`. Splits left-to-right on `:`.
            let s = match symlinks {
                SymlinkPolicy::Opaque => {
                    format!("{}:{}:{}", host.display(), tag, guest_path)
                }
                SymlinkPolicy::Deny => {
                    format!("{}:{}:{}:deny", host.display(), tag, guest_path)
                }
                SymlinkPolicy::Follow => {
                    format!("{}:{}:{}:follow", host.display(), tag, guest_path)
                }
            };
            extra_args.push(s);
        }
        for (host, guest, size_bytes) in &self.volumes {
            extra_args.push("--volume".to_owned());
            // Encoding: HOST:GUEST:SIZE_BYTES. The bake-time worker
            // parses this and creates the sparse backing file +
            // attaches it as a virtio-blk to the guest.
            extra_args.push(format!("{}:{}:{}", host.display(), guest, size_bytes));
        }
        for token in &self.extra_kernel_args {
            extra_args.push("--cmdline-extra".to_owned());
            extra_args.push(token.clone());
        }
        // Signal to the bake pipeline whether the caller asked for
        // listener-required semantics. When set, the bake's
        // `--snapshot-after-ms` fallback stays at the conservative
        // 7s (room for postgres/JVM-class slow binds). When unset,
        // it drops to 200 ms — there's no listener to wait for in
        // the pre-exec / cmd-is-`sleep` / warmup-no-listener cases,
        // and the 7s wait was wasted on every bake of those shapes.
        if self.require_listener.unwrap_or(false) {
            extra_args.push("--supermachine-listener-required".to_owned());
        }
        let cmd_override = match &self.cmd {
            Some(argv) => Some(
                serde_json::to_string(argv)
                    .map_err(|e| Error::bake_msg(format!("encode cmd: {e}")))?,
            ),
            None => None,
        };

        let root = repo_root_for_bake()?;
        let request = crate::bake::BakeRequest {
            image: self.image.clone(),
            name: self.name.clone(),
            runtime: "supermachine".to_owned(),
            guest_port: self.guest_port.unwrap_or(80),
            memory_mib: self.memory_mib.unwrap_or(256),
            vcpus: self.vcpus.unwrap_or(1),
            pull_policy: self.pull_policy.as_bake_str().to_owned(),
            snapshots_dir: snapshots_dir.clone(),
            cmd_override,
            extra_args,
            platform: self
                .platform
                .clone()
                .unwrap_or_else(|| "linux/arm64".to_owned()),
        };
        // No warmup → ALWAYS-PIPELINED-SKIP-WARM path.
        //
        // We route plain `.build()` through the pipelined-bake
        // driver with `skip_warm_snapshot=true` AND
        // `keep_alive=true`. The driver:
        //   1. Boots the worker, signals BAKE_READY.
        //   2. Issues SNAPSHOT_ASYNC for the user's snapshot —
        //      capture is fast (~5 ms), the disk write runs in a
        //      background thread on the worker.
        //   3. Skips the warm SNAPSHOT entirely (no second capture).
        //   4. Returns the live worker (BakedWorker) to us before
        //      the bg save necessarily completes. The first
        //      `Pool::acquire()` claims this worker as a pre-warm
        //      idle entry — saves ~50 ms spawn + ~5 ms restore
        //      versus a cold-from-disk worker.
        //
        // Synchronization: `save_compact_to_file` writes to
        // `<path>.partial` and atomic-renames to `<path>`, so file
        // existence ↔ save complete. `Pool::spawn_one` polls for
        // `snapshot_path.is_file()` before invoking the worker
        // (which would otherwise fail-fast on `--restore-from`
        // pointing at a missing file). The first acquire doesn't
        // need the file at all — it uses the warm worker's
        // in-memory state.
        //
        // Returned `Image` uses `from_snapshot_pending` because
        // metadata.json IS on disk by the time we reach here, but
        // restore.snap may still be in flight. The non-pending
        // `Image::from_snapshot` would reject that; the pending
        // variant is identical except for the file-existence check.
        if self.warmup.is_none() {
            let trace = crate::trace::enabled("bake");
            let bake_t0 = std::time::Instant::now();
            // Empty warm_dir path: skip_warm_snapshot=true
            // suppresses both the warm SNAPSHOT round-trip AND
            // the warm metadata write, so warm_dir is unused.
            // Keep a sibling sentinel for diagnostic clarity in
            // case bake-trace logs reference it.
            // Default trigger: pre-exec (fast, ~150 ms bake on
            // slow-listener images, ~17× speedup on workloads that
            // would otherwise hit the 7-second wall-clock fallback).
            // Caller can opt out via `.with_listener_required()` to
            // get the v0.4.22 listener-ready capture instead — slower
            // bake, but guaranteed listener-up at restore time.
            let use_pre_exec = !self.require_listener.unwrap_or(false);
            let pipelined = crate::bake::PipelinedWarmup {
                warm_dir: snapshots_dir.join(format!("{}__warm__unused", derived_name)),
                warm_tag: "unused".to_owned(),
                keep_alive: true,
                skip_warm_snapshot: true,
                use_pre_exec_trigger: use_pre_exec,
                callback: Box::new(|_ctx| Ok(())),
            };
            match crate::bake::run_push_pipelined(&request, bake_t0, &root, pipelined) {
                Ok(warm_handoff) => {
                    if trace {
                        eprintln!(
                            "[bake-trace] always-pipelined (skip-warm) total: {:?} (bg save \
                             may still be in flight)",
                            bake_t0.elapsed()
                        );
                    }
                    let img = Image::from_snapshot_pending(&snap_dir)?;
                    if let Some(bw) = warm_handoff {
                        *img.warm_baked_worker.inner.lock().unwrap() = Some(bw);
                    }
                    return Ok(img);
                }
                Err(msg) => {
                    return Err(map_bake_error(&request.image, msg));
                }
            }
        }
        let warmup = self.warmup.unwrap();
        // Warmup path: derive a sibling directory keyed by the
        // warmup tag. Same name → cache hit (no warmup re-run);
        // different name → fresh warm bake.
        let tag = self.warmup_tag.as_deref().unwrap_or("default");
        let warm_dir = snapshots_dir.join(format!("{}__warm__{}", derived_name, tag));
        if let Ok(image) = Image::from_snapshot(&warm_dir) {
            // Same version-skew check as the no-warmup base above —
            // if the cached warm snapshot was baked under an older
            // binary, the agent + init shipped in it are stale.
            // Invalidate and fall through to a fresh warm bake.
            if let Some(baked) = snap_dir_baked_under_other_version(&warm_dir) {
                let current = env!("CARGO_PKG_VERSION");
                eprintln!(
                    "supermachine: warm snapshot at {} was baked under v{baked}; \
                     current binaries are v{current}. Auto-rebaking.",
                    warm_dir.display()
                );
                invalidate_stale_snapshot_tree(&warm_dir);
                // Also invalidate the base snapshot — re-running the
                // bake pipeline below needs a fresh base it can warm
                // up from. The base may be the same version as warm
                // (paired bake) or different (rare).
                invalidate_stale_snapshot_tree(&snap_dir);
            } else {
                return Ok(image);
            }
        }

        // Pipelined bake. The bake worker boots, signals
        // BAKE_READY, captures the base async (background save
        // overlapping with warmup), runs the warmup closure
        // against the still-live guest, captures warm sync, then
        // QUITs. Cuts ~900 ms vs the sequential path on
        // rust:1-slim because the base save and warmup overlap,
        // and we save one boot+restore round-trip.
        let trace = crate::trace::enabled("bake");
        let bake_t0 = std::time::Instant::now();

        // The user's warmup is `FnOnce(&Vm) -> Result<(), Error>`.
        // Inside the pipelined-bake driver we have only the
        // worker's vsock paths, so we synthesize a minimal `Vm`
        // around them and hand that to the user. The synthetic
        // Vm has `pool: None` and `image_meta: None` — neither
        // matters for warmup workloads (which call `vm.exec`,
        // `vm.write_file`, `vm.read_file`, etc., all of which
        // talk over vsock-exec).
        //
        // We capture any error in a Mutex so the bake driver can
        // surface it. The Box<FnOnce> escape-hatch dodges the
        // type system limitation that we can't move a non-Send
        // FnOnce through a closure without a wrapper.
        let warmup_err: std::sync::Arc<std::sync::Mutex<Option<Error>>> =
            std::sync::Arc::new(std::sync::Mutex::new(None));
        let warmup_err_inner = warmup_err.clone();
        let warmup_t0_capture: std::sync::Arc<std::sync::Mutex<Option<std::time::Instant>>> =
            std::sync::Arc::new(std::sync::Mutex::new(None));
        let warmup_t0_inner = warmup_t0_capture.clone();
        let pipelined = crate::bake::PipelinedWarmup {
            warm_dir: warm_dir.clone(),
            warm_tag: tag.to_owned(),
            // Opt in to warm-handoff: bake driver returns the live
            // worker; first Pool::acquire() claims it. Saves the
            // ~50 ms spawn + ~5 ms restore on the first cycle for
            // every with_warmup user. Falls back transparently if
            // the worker is dropped without anyone claiming it.
            keep_alive: true,
            // Take the warm SNAPSHOT — this is the with-warmup path,
            // user expects a separate warm artifact at warm_dir.
            skip_warm_snapshot: false,
            // Use pre-exec as the BASE trigger for warmup bakes too
            // (0.7.0): init-oci's "workload-pre-exec" marker fires
            // BAKE_READY at the exact moment the guest is ready to
            // be probed by the warmup callback — no timer, no
            // listener-wait, no 7s/200ms fallback. The previous
            // contract said "warmup needs the workload running" but
            // the vsock_exec channel is live from boot independent
            // of the workload's state, so user-supplied vm.exec
            // calls inside the warmup work the same against an
            // init-oci-in-nanosleep guest as against a
            // post-workload-fork one. Caller can opt out via
            // `.with_listener_required()` if they really do depend
            // on the workload binding a port before warmup runs.
            use_pre_exec_trigger: !self.require_listener.unwrap_or(false),
            callback: Box::new(move |ctx| {
                if let Ok(mut g) = warmup_t0_inner.lock() {
                    *g = Some(std::time::Instant::now());
                }
                #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
                {
                    let synth_vm = Vm {
                        pool: None,
                        vsock_mux_path: ctx.vsock_mux_path.clone(),
                        vsock_exec_path: ctx.vsock_exec_path.clone(),
                        own_vsock_mux_dir: None,
                        skip_cleanup: true,
                        image_meta: None,
                    };
                    let result = warmup(&synth_vm);
                    // Drop the synth Vm without running cleanup
                    // (skip_cleanup=true already; explicit drop for
                    // clarity).
                    drop(synth_vm);
                    match result {
                        Ok(()) => Ok(()),
                        Err(e) => {
                            let msg = e.to_string();
                            if let Ok(mut g) = warmup_err_inner.lock() {
                                *g = Some(e);
                            }
                            Err(msg)
                        }
                    }
                }
                // No in-process Vm off the macOS/HVF backend → no warmup to run.
                #[cfg(not(all(target_os = "macos", target_arch = "aarch64")))]
                {
                    let _ = (&ctx, &warmup, &warmup_err_inner);
                    Ok(())
                }
            }),
        };

        match crate::bake::run_push_pipelined(&request, bake_t0, &root, pipelined) {
            Ok(warm_handoff) => {
                if trace {
                    eprintln!("[bake-trace] pipelined bake total: {:?}", bake_t0.elapsed());
                    if let Some(t0) = warmup_t0_capture.lock().ok().and_then(|g| *g) {
                        eprintln!("[bake-trace] (warmup ran at +{:?})", t0 - bake_t0);
                    }
                }
                let img = Image::from_snapshot(&warm_dir)?;
                // Stash the bake-time warm worker so the first
                // Pool::acquire() can claim it instead of spawning
                // fresh + restoring from disk. See
                // `Image::warm_baked_worker` for the full lifecycle
                // contract (claim-or-drop, race semantics, fall-
                // through behavior on worker death).
                if let Some(bw) = warm_handoff {
                    *img.warm_baked_worker.inner.lock().unwrap() = Some(bw);
                }
                Ok(img)
            }
            Err(msg) => {
                // If the warmup callback was the failure source,
                // bubble the typed Error back instead of the
                // stringified bake message.
                if let Some(e) = warmup_err.lock().ok().and_then(|mut g| g.take()) {
                    return Err(e);
                }
                Err(map_bake_error(&request.image, msg))
            }
        }
    }
}

/// Default snapshots directory: `~/.local/supermachine-snapshots`,
/// matching the CLI's default. Customizable via
/// [`Image::from_oci_to_dir`] or `$SUPERMACHINE_SNAPSHOTS`.
/// Returns `Some(baked_version)` if the snapshot was baked under a
/// version different from `CARGO_PKG_VERSION`, or `None` if it's
/// current (or version can't be determined).
///
/// Used by:
///  - [`warn_if_snapshot_version_mismatch`] (cheap warning on load,
///    kept as a backstop for paths that don't auto-rebake).
///  - [`OciImageBuilder::build`] (treats version-skewed snapshots
///    as cache-miss → silently re-bakes).
fn snapshot_baked_under_other_version(meta: &serde_json::Value) -> Option<String> {
    let current = env!("CARGO_PKG_VERSION");
    let baked = meta
        .get("baked_by_version")
        .and_then(|v| v.as_str())
        .map(|s| s.to_owned())
        .or_else(|| {
            meta.get("kernel")
                .and_then(|v| v.as_str())
                .and_then(parse_version_segment)
        })?;
    if baked == current {
        None
    } else {
        Some(baked)
    }
}

/// Read `<snap_dir>/metadata.json` and return `Some(baked_version)`
/// if the snapshot was baked under a non-current version. Returns
/// `None` on parse errors / missing fields / version match — every
/// "can't tell" case is treated as up-to-date (we'd rather miss a
/// re-bake than churn through an unnecessary one).
fn snap_dir_baked_under_other_version(snap_dir: &Path) -> Option<String> {
    let meta_text = std::fs::read_to_string(snap_dir.join("metadata.json")).ok()?;
    let meta: serde_json::Value = serde_json::from_str(&meta_text).ok()?;
    snapshot_baked_under_other_version(&meta)
}

/// Delete a snapshot directory + all its `__warm__<tag>` siblings.
/// Used to invalidate version-skewed caches before re-bake, so the
/// next build produces a clean snapshot tree under the same name.
///
/// Best-effort: any path that fails to remove (e.g. user lacks
/// permission, file in use) is logged via stderr and skipped. The
/// caller's re-bake will surface a clearer error if the leftover
/// blocks it.
fn invalidate_stale_snapshot_tree(snap_dir: &Path) {
    // Base dir (`<name>/`).
    if let Err(e) = std::fs::remove_dir_all(snap_dir) {
        if e.kind() != std::io::ErrorKind::NotFound {
            eprintln!(
                "supermachine: warning: failed to remove stale snapshot {}: {e}",
                snap_dir.display()
            );
        }
    }
    // Warm siblings (`<name>__warm__<tag>/`). Read the parent dir
    // and match by prefix so we catch every tag the user has ever
    // used, not just the well-known ones.
    let Some(parent) = snap_dir.parent() else {
        return;
    };
    let Some(base_name) = snap_dir.file_name().and_then(|s| s.to_str()) else {
        return;
    };
    let prefix = format!("{base_name}__warm__");
    let Ok(read) = std::fs::read_dir(parent) else {
        return;
    };
    for entry in read.flatten() {
        let path = entry.path();
        if path
            .file_name()
            .and_then(|s| s.to_str())
            .is_some_and(|n| n.starts_with(&prefix))
        {
            if let Err(e) = std::fs::remove_dir_all(&path) {
                if e.kind() != std::io::ErrorKind::NotFound {
                    eprintln!(
                        "supermachine: warning: failed to remove stale warm snapshot {}: {e}",
                        path.display()
                    );
                }
            }
        }
    }
}

/// Warn (once per process, per snapshot dir) if a snapshot was baked
/// under a different supermachine version than the current binary. The
/// bake driver writes its kernel path as `…/supermachine/v<VERSION>/kernel`;
/// if that <VERSION> doesn't equal the current `CARGO_PKG_VERSION`, the
/// snapshot's pinned init shim and kernel are also from the old build
/// and likely missing recent fixes (loopback bring-up, cgroup2 mount,
/// X11/dbus paths, …). The warning is one stderr line, easy to grep,
/// and silent for fresh-baked snapshots so cron-restarted services
/// don't print on every restore.
///
/// Most call sites (Image::from_oci, OciImageBuilder::build) auto-
/// rebake stale snapshots transparently — this warning is the
/// backstop for code paths like `Image::from_snapshot(explicit_path)`
/// where we can't tell if a re-bake is appropriate, so we surface
/// the skew and let the embedder decide.
fn warn_if_snapshot_version_mismatch(meta: &serde_json::Value, snapshot_path: &Path) {
    // Source of truth for "which binary baked this snapshot": the
    // `baked_by_version` field (immutable from fresh-bake time),
    // with the `kernel` path's `v0.4.X` segment as a legacy fallback.
    let Some(baked) = snapshot_baked_under_other_version(meta) else {
        return;
    };
    let current = env!("CARGO_PKG_VERSION");
    eprintln!(
        "supermachine: warning: snapshot at {} was baked under \
         v{baked}; current binaries are v{current}. Re-bake \
         (delete the snapshot dir and rerun `supermachine run`) \
         to pick up init/kernel fixes shipped since v{baked}.",
        snapshot_path.display()
    );
}

/// Extract the `v0.4.27` slug from a path like
/// `/…/supermachine/v0.4.27/kernel` → `Some("0.4.27")`. Returns `None`
/// for paths that don't follow this layout (custom kernel paths,
/// SUPERMACHINE_KERNEL_PATH overrides, etc.) — in that case we can't
/// reason about version skew so we don't warn.
fn parse_version_segment(kernel_path: &str) -> Option<String> {
    let p = Path::new(kernel_path);
    for comp in p.components() {
        let Some(s) = comp.as_os_str().to_str() else {
            continue;
        };
        let Some(rest) = s.strip_prefix('v') else {
            continue;
        };
        if rest.matches('.').count() < 2 {
            continue;
        }
        if !rest
            .split('.')
            .all(|seg| seg.chars().all(|c| c.is_ascii_digit()))
        {
            continue;
        }
        return Some(rest.to_owned());
    }
    None
}

/// Parse the wire / metadata representation of a [`SymlinkPolicy`]
/// (`"deny" | "opaque" | "follow"`). Returns `None` for unrecognized
/// inputs so callers can fall back to the default.
fn parse_symlink_policy(s: &str) -> Option<crate::vmm::resources::SymlinkPolicy> {
    use crate::vmm::resources::SymlinkPolicy;
    match s {
        "deny" => Some(SymlinkPolicy::Deny),
        "opaque" => Some(SymlinkPolicy::Opaque),
        "follow" => Some(SymlinkPolicy::Follow),
        _ => None,
    }
}

/// Sweep `cache_dir` (typically `~/.cache/supermachine/rosetta-aot`)
/// for AOT cache orphans before worker spawn. See the call site in
/// `build_pool_arc` for the rationale.
///
/// Evicts two classes of file:
///   - `<x>.aotcache` with `st_size == 0`: migration cleanup for
///     caches built before the FUSE-layer atomic-publish protocol
///     existed. These would trigger rosetta's segment_count
///     assertion or SIGBUS-on-mmap-past-EOF on the next load.
///   - `.<x>.aotcache.partial`: crash-recovery cleanup for the new
///     publish protocol. A `.partial` exists on disk iff a prior
///     VM was SIGKILLed mid-write; it's safe to unlink because by
///     construction the partial belongs to no currently-running
///     writer (the live writer holds an O_CREAT|O_EXCL fd and
///     would lose it on VM teardown).
///
/// Best-effort: silently no-op if the dir doesn't exist or any
/// individual stat / unlink fails (e.g. a file vanishes between
/// stat and unlink — fine, it's gone). Returns the count of
/// evicted entries for tests / observability.
fn scrub_aotcache_orphans(cache_dir: &Path) -> usize {
    use std::os::unix::ffi::OsStrExt;
    let entries = match std::fs::read_dir(cache_dir) {
        Ok(it) => it,
        Err(_) => return 0,
    };
    let mut evicted_zero = 0usize;
    let mut evicted_partial = 0usize;
    for ent in entries.flatten() {
        let name = ent.file_name();
        let bytes = name.as_bytes();
        // Class 1: `<x>.aotcache` of size 0 (pre-fix orphan)
        let is_aotcache_final = bytes.ends_with(b".aotcache") && !bytes.starts_with(b".");
        // Class 2: `.<x>.aotcache.partial` (post-fix crash recovery)
        let is_aotcache_partial = bytes.starts_with(b".") && bytes.ends_with(b".aotcache.partial");
        if !is_aotcache_final && !is_aotcache_partial {
            continue;
        }
        let path = ent.path();
        let Ok(md) = std::fs::metadata(&path) else {
            continue;
        };
        if !md.is_file() {
            continue;
        }
        if is_aotcache_partial {
            // Unconditionally unlink partials — by construction they
            // belong to no currently-running writer.
            if std::fs::remove_file(&path).is_ok() {
                evicted_partial += 1;
            }
        } else if md.len() == 0 {
            // Final-name aotcache with zero size — migration cleanup.
            if std::fs::remove_file(&path).is_ok() {
                evicted_zero += 1;
            }
        }
    }
    let evicted = evicted_zero + evicted_partial;
    if evicted > 0 {
        eprintln!(
            "supermachine: scrubbed {} AOT cache orphan(s) from {} \
             ({} zero-byte aotcache, {} mid-flight partial) \u{2014} \
             would have trapped rosetta with the segment_count \
             assertion or SIGBUS on mmap past EOF",
            evicted,
            cache_dir.display(),
            evicted_zero,
            evicted_partial,
        );
    }
    evicted
}

fn default_snapshots_dir() -> PathBuf {
    if let Some(d) = std::env::var_os("SUPERMACHINE_SNAPSHOTS") {
        return PathBuf::from(d);
    }
    let home = std::env::var_os("HOME")
        .map(PathBuf::from)
        .unwrap_or_else(|| PathBuf::from("."));
    home.join(".local/supermachine-snapshots")
}

/// `bake::run_push` wants a "repo root" so it can locate the
/// supermachine-worker binary, the kernel image, the entitlements
/// plist, etc. The CLI walks up from its own exe to find it. From
/// a library context the same auto-discovery applies (an embedder
/// running their app from the dev tree finds the workspace; a
/// release-tarball install finds `<prefix>/share/supermachine`).
fn repo_root_for_bake() -> Result<PathBuf, Error> {
    if let Some(root) = std::env::var_os("SUPERMACHINE_ROOT") {
        return Ok(PathBuf::from(root));
    }
    let exe = std::env::current_exe().map_err(|e| Error::bake_msg(format!("current_exe: {e}")))?;
    for ancestor in exe.ancestors() {
        if ancestor.join("tools/supermachine-push").is_file() {
            return Ok(ancestor.to_path_buf());
        }
        if ancestor.join("share/supermachine/kernel").is_file() {
            return Ok(ancestor.to_path_buf());
        }
    }
    std::env::current_dir().map_err(|e| Error::bake_msg(format!("current_dir: {e}")))
}

/// Map a `bake::run_push` error string into the right
/// [`Error`] variant. The bake pipeline returns flat strings, so
/// we pattern-match keywords.
fn map_bake_error(image: &str, msg: String) -> Error {
    // Kernel-panic sentinel emitted by bake.rs when its serial-log
    // watcher detects a panic banner. Format:
    //   `KERNEL_PANIC|<first_line>|<stack_line_1>\x1F<stack_line_2>...`
    // We turn that into a typed `Error::KernelPanic` so callers can
    // pattern-match (vs. groveling through the bake message string).
    if let Some(rest) = msg.strip_prefix("KERNEL_PANIC|") {
        let mut parts = rest.splitn(2, '|');
        let first_line = parts.next().unwrap_or("").to_owned();
        let stack: Vec<String> = parts
            .next()
            .map(|s| s.split('\x1F').map(ToOwned::to_owned).collect())
            .unwrap_or_default();
        return Error::kernel_panic(first_line, stack);
    }
    let lc = msg.to_ascii_lowercase();

    // Registry HTTP-status-based classification. The bake produces
    // strings like "registry manifest request failed for X with HTTP 404"
    // or "registry token request failed with HTTP 401" — match those
    // shapes.
    let has_status = |code: u16| -> bool {
        let needle = format!("http {code}");
        lc.contains(&needle)
    };
    if has_status(404)
        || lc.contains("manifest unknown")
        || lc.contains("name unknown")
        || lc.contains("not found")
            && (lc.contains("registry") || lc.contains("manifest") || lc.contains("image"))
    {
        return Error::image_not_found(image, msg);
    }
    if has_status(401)
        || has_status(403)
        || lc.contains("unauthorized")
        || lc.contains("forbidden")
        || lc.contains("auth challenge")
    {
        return Error::registry_auth(image, msg);
    }
    if lc.contains("could not resolve")
        || lc.contains("dns")
        || lc.contains("connection refused")
        || lc.contains("connection reset")
        || lc.contains("network is unreachable")
        || lc.contains("ssl_connect")
        || lc.contains("tls handshake")
        || lc.contains("curl: (6)")  // Couldn't resolve host
        || lc.contains("curl: (7)")  // Failed to connect
        || lc.contains("curl: (28)") // Operation timeout
        || lc.contains("curl: (35)") // SSL connect error
        || lc.contains("curl: (56)")
    // Recv failure
    {
        return Error::registry_unreachable(msg);
    }

    // Generic registry/manifest/auth strings that didn't match a
    // specific HTTP status fall through to the catch-all Network
    // variant — same as before.
    if lc.contains("registry") || lc.contains("manifest") || lc.contains("docker pull") {
        Error::network_msg(msg)
    } else {
        // Snapshot timeouts, listener-readiness failures, and
        // anything else that wasn't a network-layer issue.
        Error::bake_msg(msg)
    }
}

/// Configuration for [`Vm::start`]. Built via the chainable
/// `VmConfig::with_*` methods or constructed directly:
///
/// ```
/// use supermachine::VmConfig;
/// let cfg = VmConfig::new()
///     .with_memory_mib(512)
///     .with_vcpus(2);
/// # let _ = cfg;
/// ```
#[derive(Debug, Clone, Default)]
pub struct VmConfig {
    /// Override the image's baked memory. `None` = use Image's value.
    memory_mib: Option<u32>,
    /// Override the image's baked vCPUs. `None` = use Image's value.
    vcpus: Option<u32>,
    assets: Option<AssetPaths>,
    vsock_mux_dir: Option<PathBuf>,
    restore_timeout: Option<Duration>,
    /// Data volumes to attach + mount in the guest (KVM). Each is a host-backed
    /// virtio-blk (vdb, vdc, …) mounted at its `guest_path`. Honored on the
    /// cold-boot path; data persists in the host backing files.
    volumes: Vec<crate::vmm::resources::VolumeSpec>,
    /// virtio-fs mounts (KVM): each exposes a host directory to the guest over
    /// FUSE-over-virtio, mounted at its `guest_path`. Cold-boot only for now
    /// (no DAX window yet — see docs/design/kvm-virtiofs-dax-2026-06-07.md).
    virtiofs: Vec<crate::vmm::resources::MountSpec>,
    /// Attach a virtio-balloon device (KVM cold boot). When set, the guest's
    /// balloon driver binds and the host can reclaim guest memory via
    /// [`Vm::request_balloon_inflate`]. Cold-boot only ([`Image::start`]); the
    /// warm-pool `acquire` path ignores it (balloon isn't snapshotted).
    enable_balloon: bool,
}

impl VmConfig {
    /// Use the image's baked defaults for memory + vCPUs;
    /// auto-discover assets; vsock-mux socket in `$TMPDIR`;
    /// 10 s restore timeout.
    pub fn new() -> Self {
        Self::default()
    }

    /// Override the image's baked memory.
    pub fn with_memory_mib(mut self, mib: u32) -> Self {
        self.memory_mib = Some(mib);
        self
    }

    /// Override the image's baked vCPU count.
    pub fn with_vcpus(mut self, vcpus: u32) -> Self {
        self.vcpus = Some(vcpus);
        self
    }

    /// Attach a virtio-balloon device so the host can reclaim guest memory via
    /// [`Vm::request_balloon_inflate`] (KVM cold boot — [`Image::start`]). The
    /// guest needs `CONFIG_VIRTIO_BALLOON` (the bundled supermachine kernel has
    /// it). Off by default; the warm-pool `acquire` path ignores it (balloon is
    /// a cold-boot reclaim lever, not snapshotted — matching HVF's restore default).
    pub fn with_balloon(mut self, enable: bool) -> Self {
        self.enable_balloon = enable;
        self
    }

    /// Attach a data volume (KVM): a host-backed virtio-blk mounted in the guest
    /// at `spec.guest_path`. The backing file is created sparse + formatted ext4
    /// on first use and reused (so data persists across runs); pass the same
    /// `host_path` to keep state. Multiple volumes become vdb, vdc, … Honored on
    /// the cold-boot start path (snapshots/pools don't carry volume mounts yet).
    ///
    /// ```no_run
    /// # use supermachine::{Image, VmConfig};
    /// # use supermachine::vmm::resources::VolumeSpec;
    /// let image = Image::from_oci("postgres:16-alpine")?;
    /// let cfg = VmConfig::new()
    ///     .with_volume(VolumeSpec::new("/srv/pgdata.img", "/var/lib/postgresql/data"));
    /// let vm = image.start(&cfg)?;
    /// # let _ = vm; Ok::<(), supermachine::Error>(())
    /// ```
    pub fn with_volume(mut self, spec: crate::vmm::resources::VolumeSpec) -> Self {
        self.volumes.push(spec);
        self
    }

    /// Expose a host directory to the guest over virtio-fs (KVM), mounted at
    /// `spec.guest_path`. Served by an in-process FUSE backend with a DAX window
    /// (the guest init mounts `-o dax` for zero-copy reads). Mounts survive a
    /// snapshot: the device + FUSE backend tables + DAX slot table are captured
    /// (SMSNAP05) and re-attached on restore (lazy fd reopen + eager DAX rebind).
    ///
    /// ```no_run
    /// # use supermachine::{Image, VmConfig};
    /// # use supermachine::vmm::resources::MountSpec;
    /// let image = Image::from_oci("alpine")?;
    /// let cfg = VmConfig::new()
    ///     .with_virtiofs(MountSpec::new("/srv/assets", "assets", "/mnt/assets"));
    /// let vm = image.start(&cfg)?;
    /// # let _ = vm; Ok::<(), supermachine::Error>(())
    /// ```
    pub fn with_virtiofs(mut self, spec: crate::vmm::resources::MountSpec) -> Self {
        self.virtiofs.push(spec);
        self
    }

    /// Override asset auto-discovery. Useful for `.app` bundles
    /// that ship the kernel + init shim under
    /// `Contents/Resources/`.
    pub fn with_assets(mut self, assets: AssetPaths) -> Self {
        self.assets = Some(assets);
        self
    }

    /// Where to put the host-side vsock-mux unix socket. Default
    /// is `$TMPDIR`. Use this if you need the socket inside an
    /// app-private dir for sandboxing reasons.
    pub fn with_vsock_mux_dir(mut self, dir: impl Into<PathBuf>) -> Self {
        self.vsock_mux_dir = Some(dir.into());
        self
    }

    /// How long to wait for the snapshot to restore. Default 10 s.
    pub fn with_restore_timeout(mut self, timeout: Duration) -> Self {
        self.restore_timeout = Some(timeout);
        self
    }
}

/// A running microVM. Holds an internal worker process and the
/// host-side vsock-mux unix socket through which you talk to the
/// guest.
///
/// Drop the value to stop the VM, or call [`Vm::stop`] for an
/// explicit shutdown report.
///
/// The in-process `Vm` runtime needs a hypervisor backend; gated to
/// macOS/HVF until the KVM backend lands (broaden the gate then).
#[cfg(all(target_os = "macos", target_arch = "aarch64"))]
pub struct Vm {
    pool: Option<WarmPool>,
    vsock_mux_path: PathBuf,
    /// `<vsock_mux>-exec.sock` for the in-guest exec agent. Only
    /// useful once the agent crate ships in the initramfs (see
    /// `docs/design/exec-2026-05-03.md`); until then dialing this
    /// path will fail with "no listener" because the agent isn't
    /// running guest-side. The unix socket itself is created
    /// unconditionally so `Vm::exec` can wire to it once the agent
    /// lands.
    vsock_exec_path: PathBuf,
    /// Best-effort cleanup of the temp socket dir we created.
    own_vsock_mux_dir: Option<PathBuf>,
    /// `true` for [`PooledVm`]'s wrapped Vm — Drop must NOT
    /// shut down the pool or unlink sockets, since those are
    /// owned by [`Image`]'s [`HiddenPool`] and reused across
    /// [`Image::acquire`] calls.
    skip_cleanup: bool,
    /// Source image metadata for [`Vm::snapshot`] — needed to
    /// emit a `metadata.json` describing the new snapshot's
    /// layers / memory / vCPUs (the snapshot file alone isn't
    /// loadable as an Image without these).  `None` for VMs
    /// that didn't come from an Image (currently impossible via
    /// the public API; reserved for future use cases).
    image_meta: Option<Arc<ImageMeta>>,
}

/// Linux/KVM backend `Vm`: holds the [`RunningVm`](crate::kvm::run::RunningVm)
/// control handle (vCPU threads + on-demand snapshot/stop) plus the shared
/// vsock socket paths. The agnostic exec/file/forward methods operate against
/// the same fields as the macOS `Vm`.
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
pub struct Vm {
    running: Option<crate::kvm::run::RunningVm>,
    vsock_mux_path: PathBuf,
    vsock_exec_path: PathBuf,
    own_vsock_mux_dir: Option<PathBuf>,
    skip_cleanup: bool,
    /// Stops the background clock-resync thread (spawned in [`Vm::start`]) when
    /// the VM is dropped. Without it that thread keeps retrying for its full
    /// 30 s deadline against a dead VM — leaking a thread per VM across pool
    /// churn. Drop sets it; the thread checks it each iteration and exits.
    time_sync_stop: Arc<AtomicBool>,
}

/// Transient stub for platforms with NO hypervisor backend (neither macOS/HVF
/// nor Linux/KVM): the `Vm` TYPE is still named in portable signatures
/// (`PooledVm::vm`, `OciImageBuilder::warmup: FnOnce(&Vm)`,
/// `Image::start -> Result<Vm>`), so this uninhabitable stub lets them resolve.
#[cfg(not(any(
    all(target_os = "macos", target_arch = "aarch64"),
    all(target_os = "linux", target_arch = "x86_64")
)))]
pub struct Vm {
    _never: std::convert::Infallible,
}

/// Subset of [`Image`] fields snapshotted into [`Vm`] so
/// [`Vm::snapshot`] can write a self-contained `metadata.json`
/// next to the captured snapshot file.
#[derive(Clone, Debug)]
pub(crate) struct ImageMeta {
    pub memory_mib: u32,
    pub vcpus: u32,
    pub layers: Vec<PathBuf>,
    pub delta_squashfs: Option<PathBuf>,
}

#[cfg(any(
    all(target_os = "macos", target_arch = "aarch64"),
    all(target_os = "linux", target_arch = "x86_64")
))]
impl Vm {
    /// Start a microVM from `image` with the supplied configuration.
    ///
    /// What this does, in order:
    ///
    /// 1. Resolves the kernel path. Preferences (first hit wins):
    ///    `image`'s bundled kernel (if the snapshot dir shipped one),
    ///    `config.assets.kernel` (if set explicitly), then
    ///    [`AssetPaths::discover`]. Fails with [`Error::Assets`] if
    ///    none is found.
    /// 2. Creates a unique unix socket path for vsock-mux under
    ///    the configured directory.
    /// 3. Spawns an in-process VM thread that restores from
    ///    `image.snapshot_path()`. (The library runs the VM
    ///    in-process via [`crate::internal::vmm::pool::WarmPool`].
    ///    The standalone `supermachine-worker` binary is only used
    ///    by the router daemon for SCM_RIGHTS process isolation.)
    /// 4. Waits up to [`VmConfig::with_restore_timeout`] for the
    ///    restore to complete.
    /// 5. Returns the [`Vm`] handle. The vsock-mux socket is
    ///    available immediately at [`Vm::vsock_path`].
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    pub fn start(image: &Image, config: &VmConfig) -> Result<Vm, Error> {
        // Vm::start runs the VM thread in this process, so this
        // process itself calls hv_vm_create. Without the HVF
        // entitlement that fails with HV_DENIED (Hv(-85377017)),
        // which is cryptic. Surface a clear error up front instead.
        // Image::acquire callers don't pay this cost — the worker
        // subprocess handles HVF for them.
        #[cfg(target_os = "macos")]
        if let Err(msg) = crate::codesign::check_self_has_hvf_entitlement() {
            return Err(Error::vm_msg(msg));
        }
        let assets = match &config.assets {
            Some(a) => a.clone(),
            None => AssetPaths::discover(),
        };
        // Kernel preference: bundled (snapshot dir) > config.assets >
        // AssetPaths::discover. A bundled kernel makes the snapshot
        // self-contained so a `.app` ships everything it needs.
        let kernel: PathBuf = if let Some(k) = image.bundled_kernel.as_ref() {
            k.clone()
        } else if let Some(k) = assets.kernel.as_ref() {
            k.clone()
        } else {
            return Err(Error::assets_msg(
                "no kernel found: snapshot dir has no bundled kernel and AssetPaths::discover() came up empty; set VmConfig::with_assets() or $SUPERMACHINE_ASSETS_DIR".to_owned(),
            ));
        };
        let kernel = kernel.as_path();

        // Per-VM unix socket path under the chosen dir.
        let dir = match &config.vsock_mux_dir {
            Some(d) => d.clone(),
            None => std::env::temp_dir(),
        };
        let mut own_dir = None;
        if !dir.is_dir() {
            std::fs::create_dir_all(&dir).map_err(Error::Io)?;
            own_dir = Some(dir.clone());
        }
        let vsock_mux_path = dir.join(format!(
            "supermachine-vm-{}-{}.sock",
            std::process::id(),
            unique_suffix(),
        ));
        // `<vsock_mux>-exec` is the convention that worker.rs and
        // the design doc agree on. Same parent dir so unlinking the
        // mux on shutdown sweeps it too.
        let vsock_exec_path = {
            let mut p = vsock_mux_path.clone();
            let mut name = p.file_name().unwrap().to_owned();
            name.push("-exec");
            p.set_file_name(name);
            p
        };

        // Build VmResources for snapshot restore. Memory + vCPUs
        // come from the image's bake metadata unless the caller
        // explicitly overrode them.
        let memory_mib = config.memory_mib.unwrap_or(image.memory_mib);
        let vcpus = config.vcpus.unwrap_or(image.vcpus);
        let mut resources = VmResources::new()
            .with_kernel_path(kernel.to_string_lossy().to_string())
            .with_memory_mib(memory_mib as usize)
            .with_vcpus(vcpus)
            .with_cow_restore(true)
            .with_restore(image.snapshot_path.to_string_lossy().to_string())
            .with_vsock_mux(vsock_mux_path.to_string_lossy().to_string())
            .with_vsock_exec(vsock_exec_path.to_string_lossy().to_string());

        // Attach the OCI image's virtio-blk layers in bake order.
        // The guest's overlayfs union is built bottom-up over these.
        for layer in &image.layers {
            resources = resources.with_block_device(layer.to_string_lossy().to_string());
        }
        if let Some(delta) = &image.delta_squashfs {
            resources = resources.with_block_device(delta.to_string_lossy().to_string());
        }

        // Pool of size 1 — single worker, single VM.
        let options = RunOptions::default();
        let pool = WarmPool::start(resources, options).map_err(Error::from)?;

        // Restore from the snapshot. WarmPool's restore_timeout
        // dispatches the RESTORE command to the pre-spawned worker
        // and blocks until the guest is up.
        let timeout = config
            .restore_timeout
            .unwrap_or_else(|| Duration::from_secs(10));
        let _ = pool
            .restore_timeout(image.snapshot_path.to_string_lossy().to_string(), timeout)
            .map_err(Error::from)?;

        Ok(Vm {
            pool: Some(pool),
            vsock_mux_path,
            vsock_exec_path,
            own_vsock_mux_dir: own_dir,
            skip_cleanup: false,
            image_meta: Some(Arc::new(ImageMeta {
                memory_mib,
                vcpus,
                layers: image.layers.clone(),
                delta_squashfs: image.delta_squashfs.clone(),
            })),
        })
    }

    /// Linux/KVM `Vm::start` — not yet wired to the bake/Image rootfs pipeline.
    ///
    /// The KVM runtime exists and is validated end-to-end (boot → exec over
    /// vsock → snapshot) via [`crate::kvm::run::LinuxVm`] /
    /// [`RunningVm`](crate::kvm::run::RunningVm) and the `kvm_boot` example. The
    /// remaining work is the Linux bake path that produces a LinuxVm-runnable
    /// rootfs (a single merged squashfs + the agent init cpio) and an `Image`
    /// that carries them — see the KVM product-wiring plan (Step 2/4). Until
    /// then this returns a clear error rather than silently doing nothing.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn start(image: &Image, config: &VmConfig) -> Result<Vm, Error> {
        use crate::kvm::run::{LinuxVm, LinuxVmConfig};
        let parts = image.kvm.as_ref().ok_or_else(|| {
            Error::vm_msg(
                "Image has no KVM artifacts: metadata.json needs \"backend\":\"kvm\" \
                 with kvm_kernel + kvm_initrd (produced by the KVM bake path)."
                    .to_owned(),
            )
        })?;
        // Restore from a snapshot if the image carries one (CoW mmap, ~ms);
        // otherwise cold-boot from kernel + agent initramfs (+ optional disk).
        let vm = if let Some(snap) = &parts.snapshot {
            if !config.volumes.is_empty() {
                eprintln!(
                    "supermachine(KVM): {} volume(s) requested via VmConfig but this image \
                     restores from a snapshot — the snapshot's OWN recorded volume attachments \
                     are re-attached (SMSNAP04), so the config volumes are ignored. To attach \
                     different volumes, cold-boot the image (e.g. bake_kvm_auto) with them.",
                    config.volumes.len()
                );
            }
            if !config.virtiofs.is_empty() {
                eprintln!(
                    "supermachine(KVM): {} virtio-fs mount(s) requested via VmConfig but this image \
                     restores from a snapshot — the snapshot's OWN recorded virtio-fs mounts are \
                     re-attached (SMSNAP05, DAX slots eagerly re-bound), so the config mounts are \
                     ignored. To attach different mounts, cold-boot the image with them.",
                    config.virtiofs.len()
                );
            }
            LinuxVm::restore_from_file(snap)
                .map_err(|e| Error::vm_msg(format!("restore snapshot {}: {e}", snap.display())))?
        } else {
            let kernel_path = parts
                .kernel
                .as_ref()
                .expect("kvm cold-boot kernel (validated in from_snapshot)");
            let initrd_path = parts
                .initrd
                .as_ref()
                .expect("kvm cold-boot initrd (validated in from_snapshot)");
            let kernel = std::fs::read(kernel_path).map_err(|e| {
                Error::vm_msg(format!("read kernel {}: {e}", kernel_path.display()))
            })?;
            let initrd = std::fs::read(initrd_path).map_err(|e| {
                Error::vm_msg(format!("read initrd {}: {e}", initrd_path.display()))
            })?;
            let disk_str: Option<String> = parts
                .disk
                .as_ref()
                .map(|p| p.to_string_lossy().into_owned());
            let disk_size = parts
                .disk
                .as_ref()
                .and_then(|p| std::fs::metadata(p).ok())
                .map(|m| m.len())
                .unwrap_or(0);
            let mem_mib = config.memory_mib.unwrap_or(image.memory_mib).max(1);
            let num_cpus = config.vcpus.unwrap_or(image.vcpus).clamp(1, 255) as u8;
            // The agent initramfs is PID 1 (exec over AF_VSOCK 1028); a rootfs
            // disk, if present, is attached at /dev/vda for the guest to mount.
            //
            // `tsi_hijack` turns on transparent egress: the AF_TSI-patched guest
            // kernel routes the workload's AF_INET/AF_INET6 connect()/sendto()
            // over vsock to the host vsock muxer, which opens the real host
            // socket (subject to egress_policy). No virtio-net, no guest NIC —
            // the same transparent-networking model as the HVF backend. Requires
            // the TSI-enabled guest kernel (CONFIG_TSI=y + af-tsi patch series).
            // `supermachine.host_time=<epoch_secs>` lets the generated init set
            // the guest wall clock from the host: a KVM guest has no RTC and
            // boots at ~1999, which makes TLS cert validation fail ("certificate
            // not trusted") and breaks apk/pip/https in workloads + builder RUNs.
            let host_time = std::time::SystemTime::now()
                .duration_since(std::time::UNIX_EPOCH)
                .map(|d| d.as_secs())
                .unwrap_or(0);
            let cmdline = format!(
                "console=ttyS0 panic=-1 reboot=t tsi_hijack supermachine.host_time={host_time}"
            );
            // Mint a per-VM vsock TSI control-channel auth token. `LinuxVm::new`
            // appends `supermachine.tsi_token=<hex>` (the guest's af_tsi driver
            // stamps it on every control DGRAM) and arms the muxer to reject any
            // control packet without it — so an in-guest workload can't forge TSI
            // egress ops to bypass egress policy. Best-effort: if the CSPRNG read
            // fails we boot without enforcement rather than failing the VM.
            let tsi_token = crate::cli::TsiToken::generate()
                .map(|t| t.bytes)
                .map_err(|e| {
                    eprintln!("supermachine(KVM): tsi token generation failed ({e}); booting without vsock control-channel auth");
                })
                .ok();
            // Data volumes: ensure each host backing file exists + is ext4, then
            // attach as vdb/vdc/… mounted at guest_path (the init reads the
            // sm.volume cmdline tokens run.rs appends). Runtime volumes
            // (VmConfig::with_volume) take precedence; baked-in volumes from the
            // image (OciImageBuilder::with_volume, persisted in metadata) are
            // appended for any guest_path the runtime didn't already cover.
            let mut vol_specs: Vec<crate::vmm::resources::VolumeSpec> = config.volumes.clone();
            for (host_file, guest_path, size_bytes, _pristine) in &image.volumes {
                if !vol_specs.iter().any(|v| v.guest_path == *guest_path) {
                    vol_specs.push(
                        crate::vmm::resources::VolumeSpec::new(
                            host_file.to_string_lossy().to_string(),
                            guest_path.clone(),
                        )
                        .with_size_bytes(*size_bytes),
                    );
                }
            }
            let volumes = prepare_kvm_volumes(&vol_specs)?;
            // virtio-fs mounts: expose each host dir to the guest over
            // FUSE-over-virtio (init reads the sm.virtiofs cmdline tokens).
            let virtiofs: Vec<crate::kvm::run::VirtioFsAttach> = config
                .virtiofs
                .iter()
                .map(|m| crate::kvm::run::VirtioFsAttach {
                    host_path: m.host_path.clone(),
                    tag: m.guest_tag.clone(),
                    mount: m.guest_path.clone(),
                })
                .collect();
            let lcfg = LinuxVmConfig {
                mem_size: (mem_mib as usize) * 1024 * 1024,
                num_cpus,
                kernel: &kernel,
                initrd: Some(&initrd),
                disk_path: disk_str.as_deref(),
                disk_size,
                cmdline: &cmdline,
                enable_vsock: true,
                volumes: &volumes,
                virtiofs: &virtiofs,
                tsi_token,
                // Balloon is a cold-boot-only memory-reclaim lever (not
                // snapshotted). Honored here on the cold-boot path; the warm-pool
                // restore path (above) never reaches this branch.
                enable_balloon: config.enable_balloon,
            };
            LinuxVm::new(&lcfg).map_err(|e| Error::vm_msg(format!("LinuxVm::new: {e}")))?
        };
        // Host-side unix socket bridged to the guest exec agent (AF_VSOCK 1028);
        // crate::exec dials this for exec/write_file/read_file/workload_signal.
        let exec_path = vm
            .start_exec_bridge(1028)
            .map_err(|e| Error::vm_msg(format!("start_exec_bridge: {e}")))?;
        // Workload TSI listener frontend (host→guest ingress for `expose_tcp` /
        // `connect`). Egress (guest→host `connect`) needs no frontend — the
        // shared vsock muxer terminates the guest's TSI control packets off the
        // TX queue and opens real host sockets (subject to egress_policy). If
        // binding the mux socket fails, fall back to an unwired path so exec
        // still works and only ingress is unavailable.
        let mux_path = vm
            .start_tsi_mux()
            .unwrap_or_else(|_| exec_path.with_extension("mux-unwired"));
        // Launch the vCPUs on background threads — the guest is now live and the
        // agent comes up to serve exec. The handle is held for stop/Drop.
        let running = vm.start_running();
        // Re-sync the guest clock to host time once the agent is up. The cold-boot
        // init already sets it from the cmdline, but a RESTORE inherits the
        // snapshot's (possibly stale) captured clock — so refresh it in the
        // background (non-blocking) to keep TLS/cert validation correct. Retries
        // until the agent answers or a deadline.
        let sync_path = exec_path.clone();
        let time_sync_stop = Arc::new(AtomicBool::new(false));
        let stop_c = time_sync_stop.clone();
        std::thread::spawn(move || {
            let deadline = std::time::Instant::now() + Duration::from_secs(30);
            loop {
                // Exit promptly once the VM is dropped, instead of retrying
                // against a dead VM for the whole deadline (per-VM thread leak).
                if stop_c.load(Ordering::SeqCst) {
                    break;
                }
                if sync_time_via_agent(&sync_path) {
                    break;
                }
                if std::time::Instant::now() >= deadline {
                    break;
                }
                std::thread::sleep(Duration::from_millis(200));
            }
        });
        Ok(Vm {
            running: Some(running),
            vsock_mux_path: mux_path,
            vsock_exec_path: exec_path,
            own_vsock_mux_dir: None,
            skip_cleanup: false,
            time_sync_stop,
        })
    }

    /// Path to the host-side unix socket that proxies bytes to /
    /// from the first TSI listener inside the guest. Connect to it
    /// with [`UnixStream::connect`] (or via [`Vm::connect`]).
    pub fn vsock_path(&self) -> &Path {
        &self.vsock_mux_path
    }

    /// Path to the host-side unix socket that bridges to the
    /// in-guest exec agent (native AF_VSOCK on the guest side).
    /// Reachable once the agent lands in the initramfs and is
    /// running guest-side; until then dialing it returns an
    /// immediate EOF.
    pub fn exec_path(&self) -> &Path {
        &self.vsock_exec_path
    }

    /// Spawn a process inside the running guest. Equivalent to
    /// `docker exec`. Returns an [`crate::exec::ExecChild`] handle
    /// you can read stdout/stderr from, write stdin to, and
    /// `wait()` for an exit status.
    ///
    /// ```no_run
    /// # use std::io::Read;
    /// # use supermachine::{Image, Vm, VmConfig};
    /// let image = Image::from_snapshot("path/to/snapshot")?;
    /// let vm = Vm::start(&image, &VmConfig::new())?;
    /// let mut child = vm.exec(["sh", "-c", "echo hi"])?;
    /// let mut buf = String::new();
    /// child.stdout().unwrap().read_to_string(&mut buf)?;
    /// assert_eq!(buf, "hi\n");
    /// child.wait()?;
    /// # Ok::<(), Box<dyn std::error::Error>>(())
    /// ```
    pub fn exec<I, S>(&self, argv: I) -> std::io::Result<crate::exec::ExecChild>
    where
        I: IntoIterator<Item = S>,
        S: Into<String>,
    {
        let argv: Vec<String> = argv.into_iter().map(|s| s.into()).collect();
        let _span = tracing::info_span!(
            "supermachine.exec",
            argv0 = argv.first().map(|s| s.as_str()).unwrap_or(""),
            argc = argv.len(),
        )
        .entered();
        self.exec_builder().argv(argv).spawn()
    }

    /// Configurable exec — TTY, env vars, cwd, initial winsize,
    /// timeout, and the [`crate::exec::ExecBuilder::output`]
    /// convenience that drains stdio + collects exit status into
    /// one [`crate::exec::ExecOutcome`].
    pub fn exec_builder(&self) -> crate::exec::ExecBuilder {
        crate::exec::ExecBuilder::new(self.vsock_exec_path.clone())
    }

    /// Write `bytes` to `path` inside the guest, atomically.
    /// Native vsock RPC — no exec, no shell. Roughly ~100 µs per
    /// call regardless of file size (up to the 12 MiB raw limit
    /// imposed by the agent's frame cap).
    ///
    /// The guest agent stages to a sibling tmp file then renames
    /// for atomicity, so partial writes don't leave a half-baked
    /// file at `path`.
    ///
    /// ```no_run
    /// # use supermachine::{Image, VmConfig};
    /// let image = Image::from_snapshot("path/to/snapshot")?;
    /// let vm = image.start(&VmConfig::new())?;
    /// vm.write_file("/tmp/main.rs", b"fn main() { println!(\"hi\"); }")?;
    /// let out = vm.exec_builder()
    ///     .argv(["rustc", "/tmp/main.rs", "-o", "/tmp/main"])
    ///     .output()?;
    /// assert!(out.success());
    /// # Ok::<(), Box<dyn std::error::Error>>(())
    /// ```
    pub fn write_file(&self, path: &str, bytes: &[u8]) -> std::io::Result<()> {
        let body = serde_json::json!({
            "action": "write_file",
            "path": path,
            "data_b64": b64_encode(bytes),
        });
        crate::exec::send_control(&self.vsock_exec_path, &body)
    }

    /// Read `path` from inside the guest. Default cap is 32 MiB
    /// (raised in 0.5.0 from the prior 4 MiB to accommodate
    /// Playwright trace.zip artifacts and similar mid-sized blobs).
    /// For larger files use [`Vm::read_file_with_max_bytes`] with
    /// an explicit cap, or stream via [`Vm::exec`] (`cat`).
    pub fn read_file(&self, path: &str) -> std::io::Result<Vec<u8>> {
        self.read_file_with_max_bytes(path, 32 * 1024 * 1024)
    }

    /// Like [`Vm::read_file`] but with an explicit byte cap. Returns
    /// an error if the file exceeds `max_bytes` so the caller never
    /// gets a partial result silently. Cap is enforced inside the
    /// guest before any bytes leave it.
    pub fn read_file_with_max_bytes(&self, path: &str, max_bytes: u64) -> std::io::Result<Vec<u8>> {
        let body = serde_json::json!({
            "action": "read_file",
            "path": path,
            "max_bytes": max_bytes,
        });
        // Generous read timeout for large reads — file IO inside
        // the VM is fast, but we want to tolerate cold-cache cases.
        let ack = crate::exec::send_control_with_ack(
            &self.vsock_exec_path,
            &body,
            Some(std::time::Duration::from_secs(30)),
        )?;
        let data_b64 = ack
            .get("data_b64")
            .and_then(|v| v.as_str())
            .ok_or_else(|| {
                std::io::Error::new(
                    std::io::ErrorKind::InvalidData,
                    "read_file: agent ack missing data_b64",
                )
            })?;
        b64_decode(data_b64).map_err(|e| std::io::Error::new(std::io::ErrorKind::InvalidData, e))
    }

    /// Send a Unix signal to the guest's main workload process.
    /// Use this for `docker stop`-style graceful shutdown:
    ///
    /// ```no_run
    /// # use supermachine::{Image, Vm, VmConfig};
    /// # let image = Image::from_snapshot("path")?;
    /// # let vm = Vm::start(&image, &VmConfig::new())?;
    /// vm.workload_signal(libc::SIGTERM)?;
    /// // ...wait for the workload to clean up...
    /// vm.stop()?;
    /// # Ok::<(), Box<dyn std::error::Error>>(())
    /// ```
    ///
    /// Implementation: dials the in-guest exec agent on a fresh
    /// connection with a CONTROL frame; the agent reads
    /// `/run/supermachine-workload.pid` (written by init-oci's
    /// PID-1 supervisor) and `kill(pid, signum)` it. Returns
    /// `Err(NotFound)` if the workload hasn't been spawned yet
    /// (only happens during the bake-time window).
    pub fn workload_signal(&self, signum: i32) -> std::io::Result<()> {
        let body = serde_json::json!({
            "action": "signal",
            "signum": signum,
        });
        crate::exec::send_control(&self.vsock_exec_path, &body)
    }

    /// Connect to the guest's first TSI listener. The returned
    /// `UnixStream` is byte-equivalent to a `TcpStream` to the
    /// guest's `:80` (or whatever port it bound).
    ///
    /// For HTTP, just write a request and read the response:
    /// supermachine's vsock-mux is a transparent proxy.
    pub fn connect(&self) -> std::io::Result<UnixStream> {
        UnixStream::connect(&self.vsock_mux_path)
    }

    /// Reclaim guest memory via virtio-balloon: ask the guest to release `pages`
    /// 4 KiB pages, which the device then `madvise(MADV_FREE)`s on the host RAM
    /// map (the kernel can drop them under pressure). Requires the VM to have been
    /// started with [`VmConfig::with_balloon(true)`](VmConfig::with_balloon) on a
    /// cold boot; returns `false` if no balloon device is attached. Asynchronous —
    /// the guest's balloon driver frees pages in the background.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn request_balloon_inflate(&self, pages: u32) -> bool {
        self.running
            .as_ref()
            .map(|r| r.request_balloon_inflate(pages))
            .unwrap_or(false)
    }

    /// Bind a TCP listener on `127.0.0.1:host_port` that forwards
    /// each accepted connection to the guest's TSI listener (the
    /// same destination as [`Vm::connect`]). Returns a
    /// [`TcpForwarder`] that owns the accept-loop thread; drop it
    /// (or call [`TcpForwarder::stop`]) to stop accepting new
    /// connections. In-flight connections continue until they close
    /// naturally.
    ///
    /// `host_port = 0` lets the OS pick a free port; read the actual
    /// address back via [`TcpForwarder::local_addr`].
    ///
    /// `guest_port` pins the host-port → guest-port mapping. The
    /// host writes a small per-connection routing header (`SMUX-PORT
    /// -V1\0\0\0\0` + u32 BE port) before piping bytes, and the
    /// vsock-mux peeks (`MSG_PEEK`) that header and routes to the
    /// matching TSI listener instead of falling back to "first
    /// AF_INET listener." Pass `guest_port = 0` to opt out of the
    /// header and keep the legacy first-listener behavior — useful
    /// when the guest only binds one port and you want a router-
    /// style any-port forward.
    ///
    /// Use this when you want the embedded VM to look like a normal
    /// localhost service (e.g. `http://127.0.0.1:9090/`) rather than
    /// having every caller go through `vm.connect()`.
    ///
    /// ```no_run
    /// # use supermachine::{Image, Vm, VmConfig};
    /// let image = Image::from_snapshot("path/to/snapshot")?;
    /// let vm = Vm::start(&image, &VmConfig::new())?;
    /// let fwd = vm.expose_tcp(9090, 80)?;
    /// println!("nginx is on {}", fwd.local_addr());
    /// // ... do work ...
    /// drop(fwd); // stop forwarding
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    pub fn expose_tcp(&self, host_port: u16, guest_port: u16) -> std::io::Result<TcpForwarder> {
        let listener = TcpListener::bind(("127.0.0.1", host_port))?;
        let bound = listener.local_addr()?;
        // Short accept timeout so the stop flag is responsive.
        listener.set_nonblocking(false)?;
        let stop = Arc::new(AtomicBool::new(false));
        let stop_thread = stop.clone();
        let vsock_path = self.vsock_mux_path.clone();
        let handle = std::thread::Builder::new()
            .name(format!("supermachine-tcp-{host_port}"))
            .spawn(move || {
                accept_loop(listener, vsock_path, stop_thread, guest_port);
            })
            .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e))?;
        // Best-effort: poke the listener to unblock its accept on
        // shutdown. We rely on `stop` flag + a self-connect during
        // drop. See TcpForwarder::drop.
        Ok(TcpForwarder {
            stop,
            handle: Some(handle),
            bound,
        })
    }

    /// (Linux/KVM) Start a host-side TLS terminator for this VM: accept HTTPS on
    /// `cfg.listen_addr`, terminate with rustls, and bridge decrypted plaintext
    /// to the guest's TSI listener — the guest serves plain HTTP, no TLS code in
    /// the guest. This is the in-process counterpart of the macOS/HVF worker's
    /// `--tls-*` flags (feature parity). Fire-and-forget: the acceptor runs for
    /// the VM's lifetime. Requires vsock enabled.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn expose_tls(
        &self,
        cfg: crate::vmm::tls::TlsConfig,
    ) -> std::io::Result<std::net::SocketAddr> {
        let running = self.running.as_ref().ok_or_else(|| {
            std::io::Error::new(std::io::ErrorKind::NotConnected, "VM is not running")
        })?;
        running
            .expose_tls(cfg)
            .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e.to_string()))
    }

    /// Stop the VM. Equivalent to dropping it, but returns errors
    /// rather than swallowing them.
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    pub fn stop(mut self) -> Result<(), Error> {
        if let Some(pool) = self.pool.take() {
            let _ = pool.shutdown().map_err(Error::from)?;
        }
        self.cleanup_socket();
        Ok(())
    }

    /// Stop the VM (Linux/KVM): force-exit + join the vCPU threads via the
    /// [`RunningVm`](crate::kvm::run::RunningVm) handle, then unlink the sockets.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn stop(mut self) -> Result<(), Error> {
        if let Some(running) = self.running.take() {
            let _ = running.stop();
        }
        self.cleanup_socket();
        Ok(())
    }

    /// In-place reset this VM to its snapshot baseline (isolated warm-reuse) —
    /// see [`RunningVm::reset_to_snapshot`](crate::kvm::run::RunningVm::reset_to_snapshot).
    /// The pool calls this on release for the `restore_on_release=true`
    /// (isolated, default) path: it returns the guest byte-identical to the
    /// snapshot point — clean per-cycle isolation — without the full teardown +
    /// fresh-restore cost, since the KVM VM/vCPUs/threads/RAM all persist.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub(crate) fn reset_to_snapshot(&self) -> Result<(), Error> {
        self.running
            .as_ref()
            .ok_or_else(|| Error::vm_msg("reset_to_snapshot: VM has no running handle".to_owned()))?
            .reset_to_snapshot()
            .map_err(|e| Error::vm_msg(format!("reset_to_snapshot: {e}")))
    }

    /// Capture a snapshot of the running VM into `dest_dir`. The
    /// dir gets `restore.snap` (the captured VM state) and a
    /// `metadata.json` describing the layers/memory/vCPUs from
    /// the source [`Image`] — together they form a fresh
    /// snapshot loadable via [`Image::from_snapshot`].
    ///
    /// This is the **"rustc-warm snapshot" pattern** — boot a VM
    /// from a base image (e.g. `rust:1-slim`), populate
    /// expensive in-VM state (run `cargo build` to fill
    /// `target/` with cached deps), capture, then re-use the new
    /// snapshot via `Image::from_snapshot(...).acquire()` for
    /// fast subsequent iterations.
    ///
    /// ```no_run
    /// # use supermachine::{Image, VmConfig};
    /// let base = Image::from_snapshot("path/to/rust-slim")?;
    /// let vm = base.start(&VmConfig::new())?;
    /// // Pre-warm: populate target/ with cached deps.
    /// vm.exec_builder()
    ///     .argv(["sh", "-c", "cd /src && cargo build --release"])
    ///     .output()?;
    /// // Capture; vm is consumed (and stopped).
    /// let warm = vm.snapshot("/tmp/rust-warm")?;
    /// // Now `warm.acquire()` gets you a VM with target/
    /// // already populated — every subsequent compile re-uses
    /// // the cached deps.
    /// # Ok::<(), supermachine::Error>(())
    /// ```
    ///
    /// **Only works on a Vm produced by [`Image::start`]**.
    /// Pooled VMs (from [`Image::acquire`]) live in worker
    /// subprocesses and don't have host-side access to the
    /// snapshot machinery; snapshot them by re-starting the
    /// source image and snapshotting that.
    #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
    pub fn snapshot(mut self, dest_dir: impl Into<PathBuf>) -> Result<Image, Error> {
        let dest_dir = dest_dir.into();
        let meta = self.image_meta.clone().ok_or_else(|| {
            Error::vm_msg(
                "Vm::snapshot requires an in-process Vm (use image.start, not image.acquire)"
                    .to_owned(),
            )
        })?;
        let pool = self.pool.as_ref().ok_or_else(|| {
            Error::vm_msg("Vm::snapshot: no pool to drive the capture".to_owned())
        })?;
        std::fs::create_dir_all(&dest_dir).map_err(Error::Io)?;
        let snap_path = dest_dir.join("restore.snap");
        // Trigger the capture via the pool RPC. Generous
        // timeout — capture is fast (~10s of ms) but disk
        // saving for big VMs can take a moment.
        let _result = pool
            .snapshot_timeout(
                snap_path.to_string_lossy().to_string(),
                Duration::from_secs(60),
            )
            .map_err(|e| Error::Vm {
                msg: format!("snapshot capture failed: {e:?}"),
                source: None,
            })?;
        // Write a metadata.json that mirrors what the bake step
        // emits, so Image::from_snapshot can load this dir.
        let metadata = serde_json::json!({
            "memory_mib": meta.memory_mib,
            "vcpus": meta.vcpus,
            "layers": meta
                .layers
                .iter()
                .map(|p| p.to_string_lossy().to_string())
                .collect::<Vec<_>>(),
            "delta_squashfs": meta
                .delta_squashfs
                .as_ref()
                .map(|p| p.to_string_lossy().to_string()),
            "snapshot_base": snap_path.to_string_lossy().to_string(),
            "baked_at": chrono_rfc3339_now(),
            "source": "Vm::snapshot",
        });
        std::fs::write(
            dest_dir.join("metadata.json"),
            serde_json::to_string_pretty(&metadata)
                .map_err(|e| Error::vm_msg(format!("metadata serialize: {e}")))?,
        )
        .map_err(Error::Io)?;
        // Cleanly shut down our worker — the snapshot is on disk.
        if let Some(pool) = self.pool.take() {
            let _ = pool.shutdown();
        }
        self.cleanup_socket();
        // Suppress the Drop, we already cleaned up.
        self.skip_cleanup = true;
        // Load the freshly-written dir as a new Image.
        Image::from_snapshot(&dest_dir)
    }

    /// Capture a snapshot (Linux/KVM) and return it as a loadable, snapshot-
    /// backed [`Image`] (`"backend":"kvm"`, `kvm_snapshot` → the saved file).
    /// Quiesces all vCPUs at a clean boundary, captures the full `VmSnapshot`,
    /// and writes `vm.snap` + `metadata.json` under `dest_dir`. Restoring the
    /// returned image via [`Vm::start`] is a CoW mmap (~ms) — this is what backs
    /// the warm pool and lets callers checkpoint a live guest.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn snapshot(mut self, dest_dir: impl Into<PathBuf>) -> Result<Image, Error> {
        let dest_dir = dest_dir.into();
        let running = self.running.take().ok_or_else(|| {
            Error::vm_msg("Vm::snapshot: this VM is not running (already stopped?)".to_owned())
        })?;
        std::fs::create_dir_all(&dest_dir).map_err(Error::Io)?;
        // Quiesce all vCPUs at a clean boundary + capture full VM state.
        let snap = running
            .snapshot()
            .map_err(|e| Error::vm_msg(format!("capture snapshot: {e}")))?;
        let snap_path = dest_dir.join("vm.snap");
        snap.save(&snap_path)
            .map_err(|e| Error::vm_msg(format!("write snapshot {}: {e}", snap_path.display())))?;
        // metadata.json a `backend":"kvm"` restore-image points at the snapshot.
        let metadata = serde_json::json!({
            "backend": "kvm",
            "kvm_snapshot": snap_path.to_string_lossy(),
            "memory_mib": (snap.mem_size() >> 20) as u32,
            "vcpus": snap.num_cpus() as u32,
            "baked_at": chrono_rfc3339_now(),
            "source": "Vm::snapshot",
        });
        std::fs::write(
            dest_dir.join("metadata.json"),
            serde_json::to_string_pretty(&metadata)
                .map_err(|e| Error::vm_msg(format!("metadata serialize: {e}")))?,
        )
        .map_err(Error::Io)?;
        // The running VM was consumed by the capture; just unlink our sockets
        // and suppress the Drop's redundant cleanup.
        self.cleanup_socket();
        self.skip_cleanup = true;
        Image::from_snapshot(&dest_dir)
    }

    /// LIVE snapshot (Linux/KVM): capture a loadable [`Image`] WITHOUT stopping
    /// the guest — the VM keeps running and can be snapshotted again. Backs the
    /// builder's one-VM-per-layer snapshotting. `&self` (non-consuming).
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn snapshot_live(&self, dest_dir: impl Into<PathBuf>) -> Result<Image, Error> {
        let dest_dir = dest_dir.into();
        let running = self
            .running
            .as_ref()
            .ok_or_else(|| Error::vm_msg("Vm::snapshot_live: VM not running".to_owned()))?;
        std::fs::create_dir_all(&dest_dir).map_err(Error::Io)?;
        let snap = running
            .snapshot_live()
            .map_err(|e| Error::vm_msg(format!("capture live snapshot: {e}")))?;
        // `restore.snap` + a dir-RELATIVE `kvm_snapshot` is the builder's snapshot
        // -dir convention (is_snapshot_dir / clone_snapshot_dir): the relative
        // path resolves against the dir, so a cloned layer dir stays loadable.
        let snap_path = dest_dir.join("restore.snap");
        snap.save(&snap_path)
            .map_err(|e| Error::vm_msg(format!("write snapshot {}: {e}", snap_path.display())))?;
        write_kvm_snapshot_metadata(
            &dest_dir,
            "restore.snap",
            None,
            snap.mem_size(),
            snap.num_cpus(),
        )?;
        Image::from_snapshot(&dest_dir)
    }

    /// LIVE differential snapshot (Linux/KVM): like [`Vm::snapshot_live`] but
    /// stores only the guest-RAM pages changed vs `base_snap` (a full snapshot's
    /// `restore.snap`). Non-consuming — the VM keeps running. The builder chains
    /// these per layer off one VM.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn snapshot_diff_live(
        &self,
        dest_dir: impl Into<PathBuf>,
        base_snap: &Path,
    ) -> Result<Image, Error> {
        let dest_dir = dest_dir.into();
        let running = self
            .running
            .as_ref()
            .ok_or_else(|| Error::vm_msg("Vm::snapshot_diff_live: VM not running".to_owned()))?;
        std::fs::create_dir_all(&dest_dir).map_err(Error::Io)?;
        let snap = running
            .snapshot_live()
            .map_err(|e| Error::vm_msg(format!("capture live snapshot: {e}")))?;
        let snap_path = dest_dir.join("restore.snap");
        snap.save_diff(&snap_path, base_snap).map_err(|e| {
            Error::vm_msg(format!("write diff snapshot {}: {e}", snap_path.display()))
        })?;
        write_kvm_snapshot_metadata(
            &dest_dir,
            "restore.snap",
            Some(base_snap),
            snap.mem_size(),
            snap.num_cpus(),
        )?;
        Image::from_snapshot(&dest_dir)
    }

    /// Differential snapshot (Linux/KVM): capture the running guest but store
    /// only the guest-RAM pages that changed vs `base` (another KVM-backed
    /// [`Image`], e.g. the previous layer) — the full vCPU/device state is always
    /// stored. Restoring the returned image transparently mmaps the base RAM
    /// copy-on-write and overlays the delta, so a chain of these (e.g. per-layer
    /// builder snapshots) each costs only its changed pages on disk.
    ///
    /// The base's snapshot file must remain in place (the diff references it by
    /// path). `base` must be a full (non-diff) KVM snapshot of the same memory
    /// size; pass an [`Image`] produced by [`Vm::snapshot`] / `bake_kvm_*`.
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    pub fn snapshot_diff(
        mut self,
        dest_dir: impl Into<PathBuf>,
        base: &Image,
    ) -> Result<Image, Error> {
        let dest_dir = dest_dir.into();
        let base_snap = base
            .kvm
            .as_ref()
            .and_then(|k| k.snapshot.clone())
            .ok_or_else(|| {
                Error::vm_msg(
                    "Vm::snapshot_diff: base Image has no KVM snapshot to diff against".to_owned(),
                )
            })?;
        let running = self.running.take().ok_or_else(|| {
            Error::vm_msg("Vm::snapshot_diff: this VM is not running (already stopped?)".to_owned())
        })?;
        std::fs::create_dir_all(&dest_dir).map_err(Error::Io)?;
        let snap = running
            .snapshot()
            .map_err(|e| Error::vm_msg(format!("capture snapshot: {e}")))?;
        let snap_path = dest_dir.join("vm.snap");
        snap.save_diff(&snap_path, &base_snap).map_err(|e| {
            Error::vm_msg(format!("write diff snapshot {}: {e}", snap_path.display()))
        })?;
        let metadata = serde_json::json!({
            "backend": "kvm",
            "kvm_snapshot": snap_path.to_string_lossy(),
            "kvm_snapshot_base": base_snap.to_string_lossy(),
            "memory_mib": (snap.mem_size() >> 20) as u32,
            "vcpus": snap.num_cpus() as u32,
            "baked_at": chrono_rfc3339_now(),
            "source": "Vm::snapshot_diff",
        });
        std::fs::write(
            dest_dir.join("metadata.json"),
            serde_json::to_string_pretty(&metadata)
                .map_err(|e| Error::vm_msg(format!("metadata serialize: {e}")))?,
        )
        .map_err(Error::Io)?;
        self.cleanup_socket();
        self.skip_cleanup = true;
        Image::from_snapshot(&dest_dir)
    }

    fn cleanup_socket(&self) {
        let _ = std::fs::remove_file(&self.vsock_mux_path);
        let _ = std::fs::remove_file(&self.vsock_exec_path);
        if let Some(dir) = &self.own_vsock_mux_dir {
            // Only unlink the dir if it's still empty (best-effort).
            let _ = std::fs::remove_dir(dir);
        }
    }
}

// ---------- minimal base64 (RFC 4648, mirror of agent's) ----------
//
// Inlined to keep deps minimal. Round-trip-tested against the
// agent's implementation; identical alphabet + padding rules.

const B64_ALPHA: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/// Public so the napi binding can encode bytes for the agent's
/// `write_file` action JSON without re-implementing this. The
/// shape is internal — embedders outside this workspace should
/// stick to [`crate::Vm::write_file`] / [`crate::Vm::read_file`]
/// which call into this for you.
pub fn b64_encode(bytes: &[u8]) -> String {
    let mut out = String::with_capacity((bytes.len() + 2) / 3 * 4);
    let mut i = 0;
    while i + 3 <= bytes.len() {
        let b0 = bytes[i] as u32;
        let b1 = bytes[i + 1] as u32;
        let b2 = bytes[i + 2] as u32;
        let n = (b0 << 16) | (b1 << 8) | b2;
        out.push(B64_ALPHA[((n >> 18) & 0x3f) as usize] as char);
        out.push(B64_ALPHA[((n >> 12) & 0x3f) as usize] as char);
        out.push(B64_ALPHA[((n >> 6) & 0x3f) as usize] as char);
        out.push(B64_ALPHA[(n & 0x3f) as usize] as char);
        i += 3;
    }
    let rem = bytes.len() - i;
    if rem == 1 {
        let b0 = bytes[i] as u32;
        let n = b0 << 16;
        out.push(B64_ALPHA[((n >> 18) & 0x3f) as usize] as char);
        out.push(B64_ALPHA[((n >> 12) & 0x3f) as usize] as char);
        out.push('=');
        out.push('=');
    } else if rem == 2 {
        let b0 = bytes[i] as u32;
        let b1 = bytes[i + 1] as u32;
        let n = (b0 << 16) | (b1 << 8);
        out.push(B64_ALPHA[((n >> 18) & 0x3f) as usize] as char);
        out.push(B64_ALPHA[((n >> 12) & 0x3f) as usize] as char);
        out.push(B64_ALPHA[((n >> 6) & 0x3f) as usize] as char);
        out.push('=');
    }
    out
}

/// Public counterpart to [`b64_encode`]. Same shape, same caveat.
pub fn b64_decode(s: &str) -> Result<Vec<u8>, String> {
    let mut tbl = [255u8; 256];
    for (i, &b) in B64_ALPHA.iter().enumerate() {
        tbl[b as usize] = i as u8;
    }
    let bytes: Vec<u8> = s.bytes().filter(|b| !b.is_ascii_whitespace()).collect();
    if bytes.len() % 4 != 0 {
        return Err(format!(
            "base64 length {} is not a multiple of 4",
            bytes.len()
        ));
    }
    let nchunks = bytes.len() / 4;
    let mut out = Vec::with_capacity(nchunks * 3);
    for (ci, chunk) in bytes.chunks_exact(4).enumerate() {
        let v: [u8; 4] = chunk.try_into().unwrap();
        // `=` padding is only valid as the 1 or 2 TRAILING characters of
        // the FINAL chunk. Reject everything else — leading/embedded `=`
        // ("=AAA"), a padded non-final chunk ("AA==AAAA"), or 3-4 pads
        // ("A===", "===="). The previous code counted `=` anywhere and
        // emitted a spurious byte instead of erroring, so a hostile/buggy
        // in-guest agent could make read_file silently return wrong bytes.
        let pad = v.iter().filter(|&&b| b == b'=').count();
        if pad > 0 {
            let last_chunk = ci == nchunks - 1;
            let trailing_only = match pad {
                1 => v[3] == b'=',
                2 => v[2] == b'=' && v[3] == b'=',
                _ => false,
            };
            if !last_chunk || !trailing_only {
                return Err(format!("base64 misplaced or excess padding in chunk {ci}"));
            }
        }
        let mut acc: u32 = 0;
        for &b in &v {
            let d = if b == b'=' {
                0
            } else {
                let d = tbl[b as usize];
                if d == 255 {
                    return Err(format!("invalid base64 character {:#x}", b));
                }
                d
            };
            acc = (acc << 6) | (d as u32);
        }
        out.push(((acc >> 16) & 0xff) as u8);
        if pad < 2 {
            out.push(((acc >> 8) & 0xff) as u8);
        }
        if pad < 1 {
            out.push((acc & 0xff) as u8);
        }
    }
    Ok(out)
}

#[cfg(any(
    all(target_os = "macos", target_arch = "aarch64"),
    all(target_os = "linux", target_arch = "x86_64")
))]
impl Drop for Vm {
    fn drop(&mut self) {
        // PooledVm sets skip_cleanup so its inner Vm doesn't
        // shut down the shared pool or unlink sockets the
        // HiddenPool keeps alive.
        if self.skip_cleanup {
            return;
        }
        #[cfg(all(target_os = "macos", target_arch = "aarch64"))]
        if let Some(pool) = self.pool.take() {
            let _ = pool.shutdown();
        }
        #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
        {
            // Stop the background clock-resync thread so it doesn't keep
            // retrying (and leaking) for 30 s against a VM that's going away.
            self.time_sync_stop.store(true, Ordering::SeqCst);
            if let Some(running) = self.running.take() {
                let _ = running.stop();
            }
        }
        self.cleanup_socket();
    }
}

/// Owns the accept-loop thread for a [`Vm::expose_tcp`] forwarder.
///
/// Drop this to stop accepting new connections. In-flight
/// connections continue until they close naturally — they're owned
/// by their own splice threads, not by the forwarder.
pub struct TcpForwarder {
    stop: Arc<AtomicBool>,
    handle: Option<JoinHandle<()>>,
    bound: SocketAddr,
}

impl TcpForwarder {
    /// The address the forwarder is listening on. Useful when you
    /// asked for `host_port = 0` and want to know the OS-assigned
    /// port.
    pub fn local_addr(&self) -> SocketAddr {
        self.bound
    }

    /// Stop accepting new connections. Equivalent to dropping the
    /// forwarder, but returns when the accept thread has actually
    /// exited.
    pub fn stop(mut self) {
        self.shutdown();
    }

    fn shutdown(&mut self) {
        self.stop.store(true, Ordering::SeqCst);
        // Self-connect to unblock the listener's accept(). We don't
        // care about the result — the connection just exists to wake
        // the loop, which then sees `stop` set and exits.
        let _ = TcpStream::connect_timeout(&self.bound, Duration::from_millis(200));
        if let Some(h) = self.handle.take() {
            let _ = h.join();
        }
    }
}

impl Drop for TcpForwarder {
    fn drop(&mut self) {
        self.shutdown();
    }
}

/// Accept loop for `Vm::expose_tcp`. Spawns a per-connection splice
/// thread for each accepted TCP stream; the splice threads live
/// independently of the forwarder so in-flight requests survive
/// `TcpForwarder::drop`.
fn accept_loop(listener: TcpListener, vsock_path: PathBuf, stop: Arc<AtomicBool>, guest_port: u16) {
    for incoming in listener.incoming() {
        if stop.load(Ordering::SeqCst) {
            break;
        }
        let tcp = match incoming {
            Ok(s) => s,
            Err(_) => continue,
        };
        let vsock = vsock_path.clone();
        std::thread::Builder::new()
            .name("supermachine-tcp-conn".into())
            .spawn(move || {
                if let Err(e) = splice_tcp_to_unix(tcp, &vsock, guest_port) {
                    // Log to stderr — this is best-effort; the
                    // embedder's preferred logging is out of scope.
                    eprintln!("supermachine: tcp forward: {e}");
                }
            })
            .ok();
    }
}

/// Bridge a single TCP connection to the vsock-mux unix socket.
/// Two threads per connection: one shovels TCP→Unix, the other
/// Unix→TCP. Either side closing tears the bridge down.
///
/// If `guest_port != 0`, writes a 20-byte routing header
/// (`SMUX-PORT-V1\0\0\0\0` + u32 BE port) at the front of the unix
/// connection so the worker's vsock-mux accept handler routes this
/// stream to the matching guest TSI listener. With `guest_port == 0`
/// (or for any unix client that doesn't write the header), the mux
/// falls back to "first AF_INET TSI listener" — the legacy behavior.
fn splice_tcp_to_unix(tcp: TcpStream, vsock_path: &Path, guest_port: u16) -> std::io::Result<()> {
    let mut unix = UnixStream::connect(vsock_path)?;
    if guest_port != 0 {
        // 16-byte magic + 4-byte BE port. Keep this constant in sync
        // with `vmm::vsock_mux::SMUX_PORT_MAGIC`.
        let mut hdr = [0u8; 20];
        hdr[..16].copy_from_slice(b"SMUX-PORT-V1\0\0\0\0");
        hdr[16..].copy_from_slice(&(guest_port as u32).to_be_bytes());
        unix.write_all(&hdr)?;
    }
    // try_clone so each direction owns its own handle.
    let tcp_w = tcp.try_clone()?;
    let unix_w = unix.try_clone()?;
    let t1 = std::thread::Builder::new()
        .name("supermachine-tcp-c2g".into())
        .spawn(move || {
            let _ = pump(tcp, unix_w);
        })?;
    let t2 = std::thread::Builder::new()
        .name("supermachine-tcp-g2c".into())
        .spawn(move || {
            let _ = pump(unix, tcp_w);
        })?;
    let _ = t1.join();
    let _ = t2.join();
    Ok(())
}

/// Generic byte pump from `r` → `w` until EOF or error. We use
/// `Read + Write` trait objects via concrete types so this works
/// for both TcpStream and UnixStream. Half-close on EOF: the writer
/// gets shutdown so the peer of `w` sees the FIN.
fn pump<R, W>(mut r: R, mut w: W) -> std::io::Result<()>
where
    R: Read,
    W: Write + Shutdownable,
{
    let mut buf = [0u8; 16 * 1024];
    loop {
        let n = match r.read(&mut buf) {
            Ok(0) => break,
            Ok(n) => n,
            Err(e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
            Err(e) => return Err(e),
        };
        w.write_all(&buf[..n])?
    }
    let _ = w.shutdown_write();
    Ok(())
}

/// Trait letting `pump` call `shutdown(Write)` on either a
/// `TcpStream` or a `UnixStream` without dynamic dispatch.
trait Shutdownable {
    fn shutdown_write(&mut self) -> std::io::Result<()>;
}

impl Shutdownable for TcpStream {
    fn shutdown_write(&mut self) -> std::io::Result<()> {
        TcpStream::shutdown(self, std::net::Shutdown::Write)
    }
}

impl Shutdownable for UnixStream {
    fn shutdown_write(&mut self) -> std::io::Result<()> {
        UnixStream::shutdown(self, std::net::Shutdown::Write)
    }
}

fn unique_suffix() -> u64 {
    use std::sync::atomic::{AtomicU64, Ordering};
    static COUNTER: AtomicU64 = AtomicU64::new(0);
    let nanos = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .map(|d| d.as_nanos() as u64)
        .unwrap_or(0);
    nanos.wrapping_add(COUNTER.fetch_add(1, Ordering::Relaxed))
}

/// Tiny RFC 3339 timestamp formatter — used by [`Vm::snapshot`]'s
/// metadata. Avoids pulling in `chrono` for a single timestamp.
fn chrono_rfc3339_now() -> String {
    let secs = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .map(|d| d.as_secs() as i64)
        .unwrap_or(0);
    // Days since 1970-01-01 / seconds within day.
    let days = secs.div_euclid(86_400);
    let sod = secs.rem_euclid(86_400);
    let hh = sod / 3600;
    let mm = (sod % 3600) / 60;
    let ss = sod % 60;
    // Civil-from-days (Howard Hinnant's algorithm).
    let z = days + 719_468;
    let era = if z >= 0 { z } else { z - 146_096 } / 146_097;
    let doe = z - era * 146_097;
    let yoe = (doe - doe / 1460 + doe / 36_524 - doe / 146_096) / 365;
    let y = yoe + era * 400;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = doy - (153 * mp + 2) / 5 + 1;
    let m = if mp < 10 { mp + 3 } else { mp - 9 };
    let y = if m <= 2 { y + 1 } else { y };
    format!("{y:04}-{m:02}-{d:02}T{hh:02}:{mm:02}:{ss:02}Z")
}

#[cfg(test)]
mod oci_image_builder_mount_tests {
    //! Coverage for the `OciImageBuilder` mount setters: every
    //! mount carries a `guest_path` (required field), policy is
    //! orthogonal, and multiple mounts compose in insertion order.
    use super::OciImageBuilder;
    use crate::vmm::resources::SymlinkPolicy;
    use std::path::PathBuf;

    #[test]
    fn with_mount_stores_all_four_fields() {
        let b = OciImageBuilder::new("alpine").with_mount("/host/x", "tag", "/workspace");
        assert_eq!(b.mounts.len(), 1);
        let (h, t, p, gp) = &b.mounts[0];
        assert_eq!(h, &PathBuf::from("/host/x"));
        assert_eq!(t, "tag");
        assert_eq!(p, &SymlinkPolicy::Opaque);
        assert_eq!(gp, "/workspace");
    }

    #[test]
    fn with_mount_symlinks_combines_policy_and_guest_path() {
        let b = OciImageBuilder::new("alpine").with_mount_symlinks(
            "/host/x",
            "ws",
            "/workspace",
            SymlinkPolicy::Follow,
        );
        let (h, t, p, gp) = &b.mounts[0];
        assert_eq!(h, &PathBuf::from("/host/x"));
        assert_eq!(t, "ws");
        assert_eq!(p, &SymlinkPolicy::Follow);
        assert_eq!(gp, "/workspace");
    }

    #[test]
    fn with_mount_symlinks_deny_policy_round_trips() {
        let b = OciImageBuilder::new("alpine").with_mount_symlinks(
            "/h",
            "t",
            "/g",
            SymlinkPolicy::Deny,
        );
        assert_eq!(b.mounts[0].2, SymlinkPolicy::Deny);
    }

    #[test]
    fn multiple_mounts_compose_independently() {
        // The auth-flow shape: one virtio-fs bind for source, one
        // for a sibling cache share, one with a non-default policy.
        let b = OciImageBuilder::new("alpine")
            .with_mount("/host/src", "workspace", "/workspace")
            .with_mount("/host/cache", "ro-cache", "/cache")
            .with_mount_symlinks("/host/strict", "strict", "/strict", SymlinkPolicy::Deny);
        assert_eq!(b.mounts.len(), 3);
        assert_eq!(b.mounts[0].3, "/workspace");
        assert_eq!(b.mounts[1].3, "/cache");
        assert_eq!(b.mounts[2].3, "/strict");
        assert_eq!(b.mounts[2].2, SymlinkPolicy::Deny);
    }

    #[test]
    fn mounts_preserve_insertion_order() {
        // Order matters for init-oci auto-mount sequencing: when
        // two binds nest (e.g. /a then /a/b), the parent must come
        // first or the child's mkdir + mount sequence misses.
        let b = OciImageBuilder::new("alpine")
            .with_mount("/h1", "first", "/a/b")
            .with_mount("/h2", "second", "/a")
            .with_mount("/h3", "third", "/a/c");
        let tags: Vec<&str> = b.mounts.iter().map(|m| m.1.as_str()).collect();
        assert_eq!(tags, vec!["first", "second", "third"]);
    }
}

#[cfg(test)]
mod map_bake_error_tests {
    use super::{map_bake_error, Error};

    #[test]
    fn decodes_kernel_panic_sentinel() {
        let msg = "KERNEL_PANIC|Kernel panic - not syncing: oops|frame_a\x1Fframe_b\x1Fframe_c"
            .to_string();
        let err = map_bake_error("nginx:alpine", msg);
        match err {
            Error::KernelPanic { first_line, stack } => {
                assert!(first_line.contains("Kernel panic"));
                assert_eq!(stack, vec!["frame_a", "frame_b", "frame_c"]);
            }
            other => panic!("expected KernelPanic, got {other:?}"),
        }
    }

    #[test]
    fn kernel_panic_with_empty_stack() {
        let msg = "KERNEL_PANIC|Internal error: Oops|".to_owned();
        match map_bake_error("img", msg) {
            Error::KernelPanic { first_line, stack } => {
                assert_eq!(first_line, "Internal error: Oops");
                // splitn(2) with empty-string second half yields one empty
                // stack frame; consumer sees a single empty line which is
                // fine — `Display` skips printing meaningfully.
                assert!(stack.len() <= 1);
            }
            other => panic!("expected KernelPanic, got {other:?}"),
        }
    }

    #[test]
    fn non_panic_messages_unchanged() {
        let err = map_bake_error(
            "img",
            "supermachine snapshot timeout; see bake.log".to_owned(),
        );
        match err {
            Error::Bake { msg, .. } => assert!(msg.contains("timeout")),
            other => panic!("expected Bake, got {other:?}"),
        }
    }
}

#[cfg(test)]
mod base64_tests {
    //! The `wire` base64 codec carries read_file payloads as
    //! agent-controlled `data_b64`. Decoding must round-trip what we
    //! encode and REJECT malformed input rather than emit spurious bytes.
    use super::{b64_decode, b64_encode};
    use proptest::prelude::*;

    #[test]
    fn known_vectors_round_trip() {
        // RFC 4648 §10 test vectors.
        let cases: &[(&[u8], &str)] = &[
            (b"", ""),
            (b"f", "Zg=="),
            (b"fo", "Zm8="),
            (b"foo", "Zm9v"),
            (b"foob", "Zm9vYg=="),
            (b"fooba", "Zm9vYmE="),
            (b"foobar", "Zm9vYmFy"),
        ];
        for (raw, enc) in cases {
            assert_eq!(b64_encode(raw), *enc, "encode {raw:?}");
            assert_eq!(b64_decode(enc).unwrap(), *raw, "decode {enc:?}");
        }
    }

    #[test]
    fn decode_rejects_malformed_padding() {
        // The bug this fix closes: misplaced / excess padding must error,
        // not decode to spurious bytes.
        for bad in ["====", "A===", "=AAA", "AA==AAAA", "Zm==Zm9v", "=Zm9"] {
            assert!(
                b64_decode(bad).is_err(),
                "{bad:?} must be rejected as malformed padding"
            );
        }
    }

    #[test]
    fn decode_rejects_bad_length_and_chars() {
        assert!(b64_decode("ABC").is_err(), "length not a multiple of 4");
        assert!(b64_decode("Zm9").is_err());
        assert!(b64_decode("Zm$v").is_err(), "invalid character");
        assert!(b64_decode("Zm9*").is_err());
    }

    #[test]
    fn decode_tolerates_whitespace() {
        // The codec strips ASCII whitespace before decoding (wrapped
        // base64 from agents / PEM-style line breaks).
        assert_eq!(b64_decode("Zm9v YmFy").unwrap(), b"foobar");
        assert_eq!(b64_decode("Zm9v\nYmFy\n").unwrap(), b"foobar");
    }

    proptest! {
        #![proptest_config(ProptestConfig::with_cases(1024))]

        /// decode(encode(x)) == x for ALL byte strings, and the encoding
        /// is always a clean multiple of 4 with no interior padding.
        #[test]
        fn round_trips_for_all_bytes(data in proptest::collection::vec(any::<u8>(), 0..512)) {
            let enc = b64_encode(&data);
            prop_assert_eq!(enc.len() % 4, 0);
            prop_assert_eq!(b64_decode(&enc).unwrap(), data);
        }
    }
}