refactor(supervisor): rename compute network_labels field to labels

Aligns with the compute provider's renamed `labels` field; the provider now promotes a configured subset to network policy. Behavior unchanged - still forwards a private-link label on create and restore.

Author: nicktrn

.server-changes/compute-network-labels.md

@@ -3,4 +3,4 @@ area: supervisor
 type: feature
 ---
 
-Forward per-VM network endpoint labels to compute runs on create and restore.
+Forward per-run identity labels to the compute provider on create and restore, letting network policy select runs (e.g. private link).

apps/supervisor/src/workloadManager/compute.ts

@@ -133,12 +133,12 @@ export class ComputeWorkloadManager implements WorkloadManager {
     // Strip image digest - resolve by tag, not digest
     const imageRef = stripImageDigest(opts.image);
 
-    // Per-VM network endpoint labels, applied to the VM's network endpoint so
-    // network policy can select it. Mirrors the label the Kubernetes workload
-    // manager sets on the run pod.
-    const networkLabels: Record<string, string> = {};
+    // Labels forwarded to the compute provider for network-policy selection;
+    // the provider promotes a configured subset to its network layer. Mirrors
+    // the privatelink label the Kubernetes workload manager sets on the run pod.
+    const labels: Record<string, string> = {};
     if (opts.hasPrivateLink) {
-      networkLabels.privatelink = opts.orgId;
+      labels.privatelink = opts.orgId;
     }
 
     // Wide event: single canonical log line emitted in finally
@@ -181,9 +181,7 @@ export class ComputeWorkloadManager implements WorkloadManager {
             deploymentVersion: opts.deploymentVersion,
             machine: opts.machine.name,
           },
-          ...(Object.keys(networkLabels).length > 0
-            ? { network_labels: networkLabels }
-            : {}),
+          ...(Object.keys(labels).length > 0 ? { labels } : {}),
         })
       );
 
@@ -321,12 +319,12 @@ export class ComputeWorkloadManager implements WorkloadManager {
       TRIGGER_WORKER_INSTANCE_NAME: this.opts.runner.instanceName,
     };
 
-    // Carry the same network endpoint labels onto the restored VM (mirror of
-    // the create path) so network policy keeps matching after a restore —
-    // without them a restored run would lose its policy-based egress.
-    const networkLabels: Record<string, string> = {};
+    // Resupply the same labels on restore (mirror of the create path); the
+    // provider doesn't persist them across a snapshot, so without this a
+    // restored run would lose its policy-based network selection.
+    const labels: Record<string, string> = {};
     if (opts.hasPrivateLink && opts.orgId) {
-      networkLabels.privatelink = opts.orgId;
+      labels.privatelink = opts.orgId;
     }
 
     this.logger.verbose("restore request body", {
@@ -342,9 +340,7 @@ export class ComputeWorkloadManager implements WorkloadManager {
         metadata,
         cpu: opts.machine.cpu,
         memory_gb: opts.machine.memory,
-        ...(Object.keys(networkLabels).length > 0
-          ? { network_labels: networkLabels }
-          : {}),
+        ...(Object.keys(labels).length > 0 ? { labels } : {}),
       })
     );
 

internal-packages/compute/src/types.ts

@@ -42,10 +42,10 @@ export const InstanceCreateRequestSchema = z.object({
   cpu: z.number(),
   memory_gb: z.number(),
   metadata: z.record(z.unknown()).optional(),
-  // Per-VM endpoint labels applied to the VM's network endpoint for
-  // network-policy selection. Distinct from metadata, which is
-  // observability-only.
-  network_labels: z.record(z.string()).optional(),
+  // Per-instance identity labels; the provider promotes a configured subset
+  // to network-policy selection. Distinct from metadata, which is
+  // observability-only and never selected on.
+  labels: z.record(z.string()).optional(),
 });
 export type InstanceCreateRequest = z.infer<typeof InstanceCreateRequestSchema>;
 
@@ -70,10 +70,10 @@ export const SnapshotRestoreRequestSchema = z.object({
   metadata: z.record(z.string()),
   cpu: z.number(),
   memory_gb: z.number(),
-  // Per-VM endpoint labels applied to the restored endpoint for network-policy
-  // selection. A restored VM must carry the same policy labels as a
-  // freshly-booted one or its egress allows are lost.
-  network_labels: z.record(z.string()).optional(),
+  // Per-instance identity labels; the caller must resupply the same set as on
+  // create. The provider doesn't persist them across a snapshot, so omitting
+  // them drops the restored run's policy-based network selection.
+  labels: z.record(z.string()).optional(),
 });
 export type SnapshotRestoreRequest = z.infer<typeof SnapshotRestoreRequestSchema>;