@h-rig/bundle-default-lifecycle 0.0.6-alpha.156 → 0.0.6-alpha.158

package/dist/src/control-plane/policy.d.ts

@@ -0,0 +1,3 @@
+import { type PolicyConfig } from "@rig/contracts";
+export declare function seedPolicyFromContent(rawJson: string): void;
+export declare function loadPolicy(projectRoot: string): PolicyConfig;

package/dist/src/control-plane/policy.js

@@ -0,0 +1,226 @@
+// @bun
+// packages/bundle-default-lifecycle/src/control-plane/policy.ts
+import { existsSync, readFileSync, statSync } from "fs";
+import { resolve } from "path";
+import {
+  POLICY_VERSION
+} from "@rig/contracts";
+var DEFAULT_SCOPE = {
+  fail_closed: true,
+  harness_paths_exempt: true,
+  runtime_paths_exempt: true
+};
+var DEFAULT_SANDBOX = {
+  mode: "enforce",
+  network: true,
+  read_deny: [],
+  write_allow_from_runtime: true
+};
+var DEFAULT_ISOLATION = {
+  default_mode: "worktree",
+  repo_symlink_fallback: false,
+  strict_provisioning: true,
+  fail_closed_on_provision_error: true
+};
+var DEFAULT_COMPLETION = {
+  derive_checks_from_scope: true,
+  checks: [],
+  typescript_config_probe: ["tsconfig.json"],
+  eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+};
+var DEFAULT_RUNTIME_IMAGE = {
+  deps: {
+    monorepo_install: false,
+    hp_next_install: false
+  },
+  plugins_require_binaries: true
+};
+var DEFAULT_RUNTIME_SNAPSHOT = {
+  enabled: true
+};
+var policyCache = null;
+var policyCachePath = null;
+var seededPolicyConfig = null;
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+function seedPolicyFromContent(rawJson) {
+  try {
+    seededPolicyConfig = mergeWithDefaults(JSON.parse(rawJson));
+  } catch {
+    seededPolicyConfig = null;
+  }
+}
+function loadPolicy(projectRoot) {
+  if (seededPolicyConfig) {
+    return seededPolicyConfig;
+  }
+  const configPath = resolve(projectRoot, "rig/policy/policy.json");
+  if (!existsSync(configPath)) {
+    return defaultPolicy();
+  }
+  let mtimeMs;
+  try {
+    mtimeMs = statSync(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  try {
+    const config = mergeWithDefaults(JSON.parse(readFileSync(configPath, "utf-8")));
+    policyCache = { mtimeMs, config };
+    policyCachePath = configPath;
+    return config;
+  } catch {
+    return defaultPolicy();
+  }
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode)) {
+    base.mode = parsed.mode;
+  }
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const scope = parsed.scope;
+    if (typeof scope.fail_closed === "boolean")
+      base.scope.fail_closed = scope.fail_closed;
+    if (typeof scope.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = scope.harness_paths_exempt;
+    if (typeof scope.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = scope.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules)) {
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  }
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sandbox = parsed.sandbox;
+    if (typeof sandbox.mode === "string" && isValidMode(sandbox.mode))
+      base.sandbox.mode = sandbox.mode;
+    if (typeof sandbox.network === "boolean")
+      base.sandbox.network = sandbox.network;
+    if (Array.isArray(sandbox.read_deny))
+      base.sandbox.read_deny = sandbox.read_deny.filter((value) => typeof value === "string");
+    if (typeof sandbox.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sandbox.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const isolation = parsed.isolation;
+    if (isolation.default_mode === "worktree")
+      base.isolation.default_mode = isolation.default_mode;
+    if (typeof isolation.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = isolation.repo_symlink_fallback;
+    if (typeof isolation.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = isolation.strict_provisioning;
+    if (typeof isolation.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = isolation.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const completion = parsed.completion;
+    if (typeof completion.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = completion.derive_checks_from_scope;
+    if (Array.isArray(completion.checks))
+      base.completion.checks = completion.checks.filter((value) => typeof value === "string");
+    if (Array.isArray(completion.typescript_config_probe))
+      base.completion.typescript_config_probe = completion.typescript_config_probe.filter((value) => typeof value === "string");
+    if (Array.isArray(completion.eslint_config_probe))
+      base.completion.eslint_config_probe = completion.eslint_config_probe.filter((value) => typeof value === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean")
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      if (typeof deps.hp_next_install === "boolean")
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean") {
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+    }
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean")
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const rule = value;
+  return typeof rule.id === "string" && typeof rule.category === "string" && !!rule.match && typeof rule.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    const rule = {
+      id: entry.id,
+      category: "command",
+      match,
+      action: entry.action === "warn" ? "warn" : "block"
+    };
+    if (typeof entry.reason === "string") {
+      rule.description = entry.reason;
+    }
+    rules.push(rule);
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiled = { ...rule };
+    const matchRegex = compileRegex(rule.match?.regex);
+    const unlessRegex = compileRegex(rule.unless?.regex);
+    if (matchRegex) {
+      compiled.compiledRegex = matchRegex;
+    }
+    if (unlessRegex) {
+      compiled.compiledUnlessRegex = unlessRegex;
+    }
+    return compiled;
+  });
+}
+function compileRegex(pattern) {
+  if (!pattern)
+    return;
+  try {
+    return new RegExp(pattern);
+  } catch {
+    return;
+  }
+}
+export {
+  seedPolicyFromContent,
+  loadPolicy
+};

package/dist/src/control-plane/pr-automation.d.ts

@@ -53,6 +53,8 @@ export declare function runRepoDefaultMerge(input: {
     readonly config?: RigAutomationConfig;
     readonly command: GitHubCommandRunner;
     readonly cwd?: string;
+    /** Project root used to resolve the PR_MERGE_GATE capability; falls back to cwd. */
+    readonly projectRoot?: string;
     readonly strictGate: StrictPrMergeGateResult;
 }): Promise<void>;
 export declare function gateNeedsGreptileRereview(result: StrictPrMergeGateResult): boolean;

package/dist/src/control-plane/pr-automation.js

@@ -1,10 +1,18 @@
 // @bun
 // packages/bundle-default-lifecycle/src/control-plane/pr-automation.ts
-import { assertSafeGitBranchName } from "@rig/shared/safe-identifiers";
-import { runStrictPrMergeGate } from "@rig/pr-review-plugin";
-import {
-  strictMergeHeadShaFromGate
-} from "@rig/contracts";
+import { assertSafeGitBranchName } from "@rig/core/safe-identifiers";
+
+// packages/bundle-default-lifecycle/src/control-plane/pr-merge-gate-cap.ts
+import { PR_MERGE_GATE } from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import { resolvePluginHost } from "@rig/core/project-plugins";
+var PrMergeGateCap = defineCapability(PR_MERGE_GATE);
+async function resolvePrMergeGateService(projectRoot) {
+  const { host } = await resolvePluginHost(projectRoot);
+  return PrMergeGateCap.require(host);
+}
+
+// packages/bundle-default-lifecycle/src/control-plane/pr-automation.ts
 var UPLOADED_SNAPSHOT_PR_MARKER = "<!-- rig:uploaded-snapshot -->";
 function positiveInt(value, fallback) {
   return typeof value === "number" && Number.isFinite(value) && value > 0 ? Math.floor(value) : fallback;
@@ -313,7 +321,7 @@ async function commitRunChanges(input) {
 async function closeIssueAfterMergedPr(input) {
   await input.updateTaskSource(input.projectRoot, {
     taskId: input.taskId,
-    sourceTask: input.sourceTask,
+    ...input.sourceTask !== undefined ? { sourceTask: input.sourceTask } : {},
     update: {
       status: "closed",
       comment: [
@@ -359,11 +367,12 @@ async function runRepoDefaultMerge(input) {
   if (merge.mode === "off")
     return;
   const requireGreptile = (input.config?.review?.provider ?? "greptile") === "greptile";
-  const matchHeadSha = strictMergeHeadShaFromGate(input.strictGate, input.prUrl, requireGreptile);
+  const mergeGate = await resolvePrMergeGateService(input.projectRoot ?? input.cwd ?? process.cwd());
+  const matchHeadSha = mergeGate.resolveHeadSha({ result: input.strictGate, prUrl: input.prUrl, requireGreptile });
   const method = merge.method ?? "repo-default";
   const args = ["pr", "merge", input.prUrl];
   if (method === "repo-default") {
-    args.push(await resolveRepoDefaultMergeFlag({ prUrl: input.prUrl, command: input.command, cwd: input.cwd }));
+    args.push(await resolveRepoDefaultMergeFlag({ prUrl: input.prUrl, command: input.command, ...input.cwd !== undefined ? { cwd: input.cwd } : {} }));
   } else {
     args.push(`--${method}`);
   }
@@ -441,6 +450,7 @@ async function syncBranchAfterPrFeedback(input) {
 }
 async function runPrAutomation(input) {
   const branch = assertSafeGitBranchName(input.branch, "PR branch");
+  const mergeGate = await resolvePrMergeGateService(input.projectRoot);
   const prConfig = input.config?.pr ?? {};
   const requireGreptile = (input.config?.review?.provider ?? "greptile") === "greptile";
   if (prConfig.mode === "off" || prConfig.mode === "ask") {
@@ -450,7 +460,7 @@ async function runPrAutomation(input) {
     taskId: input.taskId,
     runId: input.runId,
     summary: input.sourceTask?.title ? `Rig completed: ${input.sourceTask.title}` : null,
-    uploadedSnapshot: input.uploadedSnapshot
+    ...input.uploadedSnapshot !== undefined ? { uploadedSnapshot: input.uploadedSnapshot } : {}
   });
   if (input.gitCommand) {
     await pushBranchSyncedWithOrigin({ projectRoot: input.projectRoot, branch, gitCommand: input.gitCommand });
@@ -522,16 +532,16 @@ ${createResult.stdout ?? ""}`) : null;
       await syncBranchAfterPrFeedback({ projectRoot: input.projectRoot, taskId: input.taskId, branch, gitCommand: input.gitCommand });
       continue;
     }
-    const gate = await runStrictPrMergeGate({
+    const gate = await mergeGate.runGate({
       projectRoot: input.projectRoot,
       prUrl,
       taskId: input.taskId,
       runId: input.runId,
       cycle: iteration,
       command: input.command,
-      artifactRoot: input.artifactRoot,
+      ...input.artifactRoot !== undefined ? { artifactRoot: input.artifactRoot } : {},
       allowedFailures: input.config?.merge?.allowedFailures ?? [],
-      greptileApi: requireGreptile ? input.greptileApi : undefined,
+      ...requireGreptile && input.greptileApi ? { greptileApi: input.greptileApi } : {},
       requireGreptile
     });
     latestFeedback = [...gate.actionableFeedback];
@@ -561,22 +571,22 @@ ${createResult.stdout ?? ""}`) : null;
     }
     if (gate.approved) {
       pendingElapsedMs = 0;
-      const finalGate = await runStrictPrMergeGate({
+      const finalGate = await mergeGate.runGate({
         projectRoot: input.projectRoot,
         prUrl,
         taskId: input.taskId,
         runId: input.runId,
         cycle: iteration,
         command: input.command,
-        artifactRoot: input.artifactRoot,
+        ...input.artifactRoot !== undefined ? { artifactRoot: input.artifactRoot } : {},
         allowedFailures: input.config?.merge?.allowedFailures ?? [],
-        greptileApi: requireGreptile ? input.greptileApi : undefined,
+        ...requireGreptile && input.greptileApi ? { greptileApi: input.greptileApi } : {},
         requireGreptile,
         final: true
       });
       if (finalGate.approved) {
         await input.lifecycle?.onMergeStarted?.({ prUrl });
-        await runRepoDefaultMerge({ prUrl, config: input.config, command: input.command, cwd: input.projectRoot, strictGate: finalGate });
+        await runRepoDefaultMerge({ prUrl, ...input.config !== undefined ? { config: input.config } : {}, command: input.command, cwd: input.projectRoot, strictGate: finalGate });
         await input.lifecycle?.onMerged?.({ prUrl });
         return { status: "merged", prUrl, iterations: iteration, actionableFeedback: [], merged: true };
       }

package/dist/src/control-plane/pr-merge-gate-cap.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Cross-plugin seam (doc §3): the default lifecycle bundle resolves the
+ * merge-gate operations off the host's PR_MERGE_GATE capability instead of
+ * importing `@rig/pr-review-plugin`. `@rig/pr-review-plugin` OWNS the impl and
+ * registers it under {@link PR_MERGE_GATE}; this module is the bundle-side
+ * resolver so no bundle file `import`s the review plugin directly.
+ */
+import { type PrMergeGateService } from "@rig/contracts";
+/** Resolve the merge-gate service from the project's plugin host (throws if absent). */
+export declare function resolvePrMergeGateService(projectRoot: string): Promise<PrMergeGateService>;

package/dist/src/control-plane/pr-merge-gate-cap.js

@@ -0,0 +1,13 @@
+// @bun
+// packages/bundle-default-lifecycle/src/control-plane/pr-merge-gate-cap.ts
+import { PR_MERGE_GATE } from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import { resolvePluginHost } from "@rig/core/project-plugins";
+var PrMergeGateCap = defineCapability(PR_MERGE_GATE);
+async function resolvePrMergeGateService(projectRoot) {
+  const { host } = await resolvePluginHost(projectRoot);
+  return PrMergeGateCap.require(host);
+}
+export {
+  resolvePrMergeGateService
+};

package/dist/src/control-plane/task-data.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Task-data seam accessor for the default lifecycle bundle.
+ *
+ * The lifecycle's git-ops / verifier / closeout stages read task-state, task
+ * facts (changed/pending files), artifacts, validation, and source-aware status.
+ * Those reads are owned by `@rig/task-sources-plugin`; the bundle resolves them
+ * through the boot-installed TASK-DATA capability instead of importing that
+ * plugin's impl modules cross-plugin (SEAM-ONLY §6.4). The service is installed
+ * by `buildPluginHostContext`, which every lifecycle entry point runs through.
+ */
+import { type TaskDataService } from "@rig/contracts";
+/** Resolve the boot-installed task-data service, or throw a precise error. */
+export declare function taskData(): TaskDataService;

package/dist/src/control-plane/task-data.js

@@ -0,0 +1,12 @@
+// @bun
+// packages/bundle-default-lifecycle/src/control-plane/task-data.ts
+import { TASK_DATA_SERVICE_CAPABILITY } from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import { requireInstalledCapability } from "@rig/core/capability-loaders";
+var TaskDataCap = defineCapability(TASK_DATA_SERVICE_CAPABILITY);
+function taskData() {
+  return requireInstalledCapability(TaskDataCap, "task-data capability unavailable: load @rig/task-sources-plugin (default bundle) before running the lifecycle.");
+}
+export {
+  taskData
+};