Use dedicated omi-agent-vm firewall tag for AgentVM instances

[beastoin]

Summary

• Replace generic http-server network tag with dedicated omi-agent-vm tag in AgentVM GCE provisioning
• Make GCE_SOURCE_IMAGE default dynamic: projects/{gce_project_id}/global/images/family/omi-agent — automatically uses the correct project's image
• Addresses step 1 of AgentVM: use dedicated firewall tag instead of shared http-server #5351. Steps 2-3 (prod firewall rules) are infra changes tracked in the issue.

Changes

• agent.rs:478: "http-server" → "omi-agent-vm"
• config.rs: gce_source_image default now derives from gce_project_id

Test evidence (local dev, based-hardware-dev)

• VM created: omi-agent-test-desktop with IP 34.46.9.163
• Tag verified: omi-agent-vm (via gcloud compute instances describe)
• Status lifecycle: provisioning → ready (Firestore correctly updated)
• VM cleaned up after test

$ gcloud compute instances describe omi-agent-test-desktop --format="json(tags,status)"
{
  "status": "RUNNING",
  "tags": { "items": ["omi-agent-vm"] }
}

$ curl /v2/agent/status → {"status": "ready", "ip": "34.46.9.163", ...}

Test plan

• cargo test — 13/13 pass
• Full AgentVM provision e2e on dev: VM created, correct tag, correct image, Firestore lifecycle works
• Test VM deleted after verification

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

Replaces generic http-server network tag with dedicated omi-agent-vm tag in GCE VM provisioning. This security improvement narrows the firewall rule scope from broadly exposing port 8080 across many VMs to only agent VMs.

Key changes:

• Single line change in agent.rs: network tag updated from "http-server" to "omi-agent-vm"

Important verification needed:

• The PR mentions firewall rule allow-omi-agent-vm-8080 was created "in dev by @mon" but doesn't confirm it exists in production. Verify the firewall rule exists in all environments before merging.

Confidence Score: 4/5

• Safe to merge if firewall rule exists in all environments; otherwise will break agent VM provisioning
• Simple, well-tested security improvement (tests pass 13/13), but depends on external infrastructure. Score of 4 because the firewall rule dependency is mentioned in PR description but not verified for production.
• Verify GCP firewall configuration before merging - code change is safe but requires infrastructure readiness

Important Files Changed

Filename	Overview
desktop/Backend-Rust/src/routes/agent.rs	Changed network tag from http-server to omi-agent-vm for security scoping

_{Last reviewed commit: b500bee}

[greptile-apps]

Verify the allow-omi-agent-vm-8080 firewall rule exists in ALL environments (dev, staging, production) before merging - VMs won't be accessible on port 8080 if the rule is missing

[beastoin]

lgtm