@h-rig/cli-surface-plugin 0.0.6-alpha.157 → 0.0.6-alpha.158

package/dist/src/commands/init.js

@@ -15,83 +15,13 @@ var __export = (target, all) => {
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 
-// packages/cli-surface-plugin/src/commands/_spinner.ts
-function createTtySpinner(input) {
-  const output = input.output ?? process.stdout;
-  const isTty = output.isTTY === true;
-  const frames = input.frames && input.frames.length > 0 ? input.frames : SPINNER_FRAMES;
-  let label = input.label;
-  let frame = 0;
-  let paused = false;
-  let stopped = false;
-  let lastPrintedLabel = "";
-  const render = () => {
-    if (stopped || paused)
-      return;
-    if (!isTty) {
-      if (label !== lastPrintedLabel) {
-        output.write(`${label}
-`);
-        lastPrintedLabel = label;
-      }
-      return;
-    }
-    frame = (frame + 1) % frames.length;
-    const glyph = frames[frame] ?? frames[0] ?? "";
-    output.write(`\r\x1B[2K${input.styleFrame ? input.styleFrame(glyph) : glyph} ${label}`);
-  };
-  const clearLine = () => {
-    if (isTty)
-      output.write("\r\x1B[2K");
-  };
-  render();
-  const timer = isTty ? setInterval(render, input.intervalMs ?? 16) : null;
-  return {
-    setLabel(next) {
-      label = next;
-      render();
-    },
-    pause() {
-      paused = true;
-      clearLine();
-    },
-    resume() {
-      if (stopped)
-        return;
-      paused = false;
-      render();
-    },
-    stop(finalLine) {
-      if (stopped)
-        return;
-      stopped = true;
-      if (timer)
-        clearInterval(timer);
-      clearLine();
-      if (finalLine)
-        output.write(`${finalLine}
-`);
-    }
-  };
-}
-var SPINNER_FRAMES;
-var init__spinner = __esm(() => {
-  SPINNER_FRAMES = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
-});
-
 // packages/cli-surface-plugin/src/app/drone-ui.ts
 var exports_drone_ui = {};
 __export(exports_drone_ui, {
-  droneWarn: () => droneWarn,
   droneText: () => droneText,
-  droneStep: () => droneStep,
-  droneSpinner: () => droneSpinner,
   droneSelect: () => droneSelect,
   droneOutro: () => droneOutro,
-  droneNote: () => droneNote,
   droneIntro: () => droneIntro,
-  droneInfo: () => droneInfo,
-  droneError: () => droneError,
   droneConfirm: () => droneConfirm,
   droneCancel: () => droneCancel
 });
@@ -111,12 +41,6 @@ function fg(hex) {
 function bold(text) {
   return `\x1B[1m${text}\x1B[22m`;
 }
-function renderMicroDroneFrame(frame) {
-  const tick = Math.max(0, MICRO_DRONE_FRAMES.indexOf(frame));
-  const blade = MICRO_BLADES[tick % MICRO_BLADES.length];
-  const eye = EYE_FRAMES[Math.floor(tick / 2) % EYE_FRAMES.length];
-  return `${ink4("(")}${cyan(blade)}${ink4(")")}${bold(accent(eye))}${ink4("(")}${cyan(blade)}${ink4(")")}`;
-}
 function hairline(width = Math.min(process.stdout.columns ?? 80, 100)) {
   return ink4("\u2500".repeat(Math.max(10, width)));
 }
@@ -130,58 +54,19 @@ function droneOutro(text) {
   console.log(` ${accent("\u25C6")} ${ink2(text)}`);
   console.log("");
 }
-function droneNote(message, title) {
-  if (title)
-    console.log(` ${accentDim("\u25C7")} ${bold(ink2(title))}`);
-  for (const line of message.split(`
-`))
-    console.log(` ${ink4("\u2502")} ${line}`);
-}
-function droneStep(text) {
-  console.log(` ${accent("\u203A")} ${ink(text)}`);
-}
-function droneInfo(text) {
-  console.log(` ${cyan("\xB7")} ${ink2(text)}`);
-}
-function droneWarn(text) {
-  console.log(` ${yellow("\u25B2")} ${ink2(text)}`);
-}
-function droneError(text) {
-  console.log(` ${red("\u2716")} ${ink2(text)}`);
-}
 function droneCancel(text) {
   console.log(` ${red("\u2716")} ${ink3(text)}`);
 }
-function droneSpinner() {
-  let active = null;
-  return {
-    start(message) {
-      active = createTtySpinner({
-        label: message,
-        frames: MICRO_DRONE_FRAMES,
-        styleFrame: renderMicroDroneFrame
-      });
-    },
-    stop(message) {
-      active?.stop(message ? ` ${accent("\u25C6")} ${ink2(message)}` : undefined);
-      active = null;
-    },
-    error(message) {
-      active?.stop(message ? ` ${red("\u2716")} ${ink2(message)}` : undefined);
-      active = null;
-    }
-  };
-}
 async function runMiniTui(build) {
   const tui = new TUI(new ProcessTerminal);
   let settled = false;
-  return await new Promise((resolve5) => {
+  return await new Promise((resolve6) => {
     const finish = (result) => {
       if (settled)
         return;
       settled = true;
       tui.stop();
-      resolve5(result);
+      resolve6(result);
     };
     build(tui, finish);
     tui.start();
@@ -250,7 +135,6 @@ async function droneConfirm(input) {
 }
 var PALETTE, ink, ink2, ink3, ink4, accent, accentDim, cyan, red, yellow, MICRO_BLADES, EYE_FRAMES, MICRO_DRONE_FRAMES, DRONE_SYMBOLS, DRONE_SELECT_THEME;
 var init_drone_ui = __esm(() => {
-  init__spinner();
   PALETTE = {
     ink: "#f2f3f6",
     ink2: "#aeb0ba",
@@ -300,23 +184,662 @@ var init_drone_ui = __esm(() => {
 });
 
 // packages/cli-surface-plugin/src/commands/init.ts
-import { appendFileSync, existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { appendFileSync, existsSync as existsSync5, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
 import { spawnSync } from "child_process";
-import { basename, resolve as resolve5 } from "path";
+import { resolve as resolve6 } from "path";
 
 // packages/cli-surface-plugin/src/runner.ts
-import { EventBus } from "@rig/runtime/control-plane/runtime/events";
-import { CliError as RuntimeCliError } from "@rig/runtime/control-plane/errors";
-import { evaluate, loadPolicy, resolveAction } from "@rig/runtime/control-plane/runtime/guard";
-import { buildBinary } from "@rig/runtime/control-plane/runtime/isolation";
+import { EventBus } from "@rig/core/runtime-events";
+import { CliError as RuntimeCliError } from "@rig/contracts";
+
+// packages/cli-surface-plugin/src/control-plane/guard.ts
+import { optimizeNextInvocation } from "bun:jsc";
+import { existsSync, readFileSync, statSync } from "fs";
+import { resolve } from "path";
+
+// packages/cli-surface-plugin/src/control-plane/scope.ts
+import { getScopeRules } from "@rig/core/scope-rules";
+var scopeRegexCache = new Map;
+function unique(values) {
+  return [...new Set(values)];
+}
+function normalizeRelativeScopePath(inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  const rules = getScopeRules();
+  if (rules?.stripPrefixes) {
+    for (const prefix of rules.stripPrefixes) {
+      if (normalized.startsWith(prefix)) {
+        normalized = normalized.slice(prefix.length);
+      }
+    }
+  }
+  return normalized;
+}
+function normalizePathToScope(projectRoot, monorepoRoot, inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  if (normalized.startsWith(projectRoot + "/")) {
+    normalized = normalized.slice(projectRoot.length + 1);
+  }
+  if (normalized.startsWith(monorepoRoot + "/")) {
+    normalized = normalized.slice(monorepoRoot.length + 1);
+  }
+  return normalizeRelativeScopePath(normalized);
+}
+function scopeGlobToRegex(glob) {
+  const cached = scopeRegexCache.get(glob);
+  if (cached) {
+    return cached;
+  }
+  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "__GLOBSTAR__").replace(/\*/g, "[^/]*").replace(/__GLOBSTAR__/g, ".*");
+  const compiled = new RegExp(`^${escaped}$`);
+  scopeRegexCache.set(glob, compiled);
+  return compiled;
+}
+function scopeMatches(path, scopes) {
+  const pathVariants = unique([path, normalizeRelativeScopePath(path)]);
+  for (const scope of scopes) {
+    const scopeVariants = unique([scope, normalizeRelativeScopePath(scope)]);
+    for (const candidatePath of pathVariants) {
+      for (const candidateScope of scopeVariants) {
+        if (candidatePath === candidateScope || scopeGlobToRegex(candidateScope).test(candidatePath)) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
+
+// packages/cli-surface-plugin/src/control-plane/guard.ts
+import {
+  POLICY_VERSION
+} from "@rig/contracts";
+var DEFAULT_SCOPE = {
+  fail_closed: true,
+  harness_paths_exempt: true,
+  runtime_paths_exempt: true
+};
+var DEFAULT_SANDBOX = {
+  mode: "enforce",
+  network: true,
+  read_deny: [],
+  write_allow_from_runtime: true
+};
+var DEFAULT_ISOLATION = {
+  default_mode: "worktree",
+  repo_symlink_fallback: false,
+  strict_provisioning: true,
+  fail_closed_on_provision_error: true
+};
+var DEFAULT_COMPLETION = {
+  derive_checks_from_scope: true,
+  checks: [],
+  typescript_config_probe: ["tsconfig.json"],
+  eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+};
+var DEFAULT_RUNTIME_IMAGE = {
+  deps: {
+    monorepo_install: false,
+    hp_next_install: false
+  },
+  plugins_require_binaries: true
+};
+var DEFAULT_RUNTIME_SNAPSHOT = {
+  enabled: true
+};
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+var policyCache = null;
+var policyCachePath = null;
+var seededPolicyConfig = null;
+var compiledRegexCache = new Map;
+function loadPolicy(projectRoot) {
+  if (seededPolicyConfig) {
+    return seededPolicyConfig;
+  }
+  const configPath = resolve(projectRoot, "rig/policy/policy.json");
+  if (!existsSync(configPath)) {
+    return defaultPolicy();
+  }
+  let mtimeMs;
+  try {
+    mtimeMs = statSync(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync(configPath, "utf-8"));
+  } catch {
+    return defaultPolicy();
+  }
+  const config = mergeWithDefaults(parsed);
+  policyCache = { mtimeMs, config };
+  policyCachePath = configPath;
+  return config;
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode)) {
+    base.mode = parsed.mode;
+  }
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const s = parsed.scope;
+    if (typeof s.fail_closed === "boolean")
+      base.scope.fail_closed = s.fail_closed;
+    if (typeof s.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = s.harness_paths_exempt;
+    if (typeof s.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = s.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules)) {
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  }
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sb = parsed.sandbox;
+    if (typeof sb.mode === "string" && isValidMode(sb.mode))
+      base.sandbox.mode = sb.mode;
+    if (typeof sb.network === "boolean")
+      base.sandbox.network = sb.network;
+    if (Array.isArray(sb.read_deny))
+      base.sandbox.read_deny = sb.read_deny.filter((v) => typeof v === "string");
+    if (typeof sb.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sb.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const iso = parsed.isolation;
+    if (iso.default_mode === "worktree")
+      base.isolation.default_mode = iso.default_mode;
+    if (typeof iso.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = iso.repo_symlink_fallback;
+    if (typeof iso.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = iso.strict_provisioning;
+    if (typeof iso.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = iso.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const comp = parsed.completion;
+    if (typeof comp.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = comp.derive_checks_from_scope;
+    if (Array.isArray(comp.checks))
+      base.completion.checks = comp.checks.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.typescript_config_probe))
+      base.completion.typescript_config_probe = comp.typescript_config_probe.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.eslint_config_probe))
+      base.completion.eslint_config_probe = comp.eslint_config_probe.filter((v) => typeof v === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean") {
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      }
+      if (typeof deps.hp_next_install === "boolean") {
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+      }
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean") {
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+    }
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean") {
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+    }
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const r = value;
+  return typeof r.id === "string" && typeof r.category === "string" && r.match != null && typeof r.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    rules.push({
+      id: entry.id,
+      category: "command",
+      match,
+      action: "block",
+      ...typeof entry.description === "string" ? { description: entry.description } : {}
+    });
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiledRegex = rule.match.regex ? compileSafeRegex(rule.match.regex, `rules.${rule.id}.match.regex`, true) : undefined;
+    const compiledUnlessRegex = rule.unless?.regex ? compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, true) : undefined;
+    return {
+      ...rule,
+      ...compiledRegex ? { compiledRegex } : {},
+      ...compiledUnlessRegex ? { compiledUnlessRegex } : {}
+    };
+  });
+}
+function getRegexUnsafeReason(pattern) {
+  if (pattern.length > 512) {
+    return "pattern exceeds max safe length (512 chars)";
+  }
+  if (/\\[1-9]/.test(pattern)) {
+    return "pattern uses backreferences";
+  }
+  if (/\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested quantifiers";
+  }
+  if (/\((?:[^()\\]|\\.)*\.\\?[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested broad quantifiers";
+  }
+  return null;
+}
+function compileSafeRegex(pattern, sourceLabel, logOnFailure) {
+  const cached = compiledRegexCache.get(pattern);
+  if (cached !== undefined) {
+    return cached ?? undefined;
+  }
+  const unsafeReason = getRegexUnsafeReason(pattern);
+  if (unsafeReason) {
+    if (logOnFailure) {
+      console.warn(`[policy] Skipping unsafe regex in ${sourceLabel}: ${unsafeReason}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+  try {
+    const compiled = new RegExp(pattern);
+    compiledRegexCache.set(pattern, compiled);
+    return compiled;
+  } catch (error) {
+    if (logOnFailure) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.warn(`[policy] Skipping invalid regex in ${sourceLabel}: ${message}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+}
+function matchRule(rule, input) {
+  const { match } = rule;
+  if (match.pattern && input.includes(match.pattern)) {
+    return true;
+  }
+  if (match.regex) {
+    const compiled = rule.compiledRegex || compileSafeRegex(match.regex, `rules.${rule.id}.match.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      return compiled.test(input);
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function matchRuleUnless(rule, command, taskId) {
+  if (!rule.unless)
+    return false;
+  if (rule.unless.regex) {
+    const compiled = rule.compiledUnlessRegex || compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      if (compiled.test(command))
+        return true;
+    } catch {}
+  }
+  if (rule.unless.task_in && taskId) {
+    if (rule.unless.task_in.includes(taskId))
+      return true;
+  }
+  return false;
+}
+function resolveAction(mode, matched) {
+  if (matched.length === 0)
+    return "allow";
+  if (mode === "off")
+    return "allow";
+  if (mode === "observe")
+    return "warn";
+  return "block";
+}
+function resolveAbsolutePath(projectRoot, rawPath) {
+  if (rawPath.startsWith("/"))
+    return resolve(rawPath);
+  return resolve(projectRoot, rawPath);
+}
+function isHarnessPath(projectRoot, rawPath) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  const managedRoots = [
+    resolve(projectRoot, "rig"),
+    resolve(projectRoot, ".rig"),
+    resolve(projectRoot, "artifacts")
+  ];
+  return managedRoots.some((root) => absPath === root || absPath.startsWith(root + "/"));
+}
+function isRuntimePath(projectRoot, rawPath, taskWorkspace) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  if (taskWorkspace) {
+    const workspaceRigRoot = resolve(taskWorkspace, ".rig");
+    const workspaceArtifactsRoot = resolve(taskWorkspace, "artifacts");
+    if (absPath === workspaceRigRoot || absPath.startsWith(workspaceRigRoot + "/") || absPath === workspaceArtifactsRoot || absPath.startsWith(workspaceArtifactsRoot + "/")) {
+      return true;
+    }
+  }
+  const runtimeRoot = resolve(projectRoot, ".rig/runtime/agents");
+  return absPath === runtimeRoot || absPath.startsWith(runtimeRoot + "/");
+}
+function isTestFile(path) {
+  return /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(path) || /\/(__tests__|tests|test)\//.test(path);
+}
+function evaluate(context) {
+  const policy = loadPolicy(context.projectRoot);
+  switch (context.evaluation.type) {
+    case "tool-call":
+      return evaluateToolCall(policy, context);
+    case "command":
+      return evaluateCommand(policy, context);
+    case "content-write":
+      return evaluateContent(policy, context);
+    case "file-access":
+      return evaluateScope(policy, context, context.evaluation.file_path, context.evaluation.access);
+  }
+}
+function evaluateScope(policy, context, filePath, access) {
+  const allowed = () => ({
+    allowed: true,
+    matchedRules: [],
+    action: "allow",
+    failClosed: false
+  });
+  if (policy.scope.harness_paths_exempt && isHarnessPath(context.projectRoot, filePath)) {
+    return allowed();
+  }
+  if (policy.scope.runtime_paths_exempt && isRuntimePath(context.projectRoot, filePath, context.taskWorkspace)) {
+    return allowed();
+  }
+  if (!context.taskId) {
+    if (access === "write" && policy.scope.fail_closed) {
+      return {
+        allowed: false,
+        matchedRules: [],
+        action: resolveAction(policy.mode, [{ id: "scope:no-task", category: "command", reason: "No active task; fail-closed for write operations" }]),
+        failClosed: true
+      };
+    }
+    return allowed();
+  }
+  const scopes = context.taskScopes || [];
+  if (scopes.length === 0) {
+    return allowed();
+  }
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith("/")) {
+    const absPath = resolve(filePath);
+    if (!absPath.startsWith(context.taskWorkspace + "/") && !isHarnessPath(context.projectRoot, filePath)) {
+      const reason2 = `Absolute path '${filePath}' is outside task runtime boundary. Allowed root: ${context.taskWorkspace}`;
+      const matched2 = [{ id: "scope:workspace-boundary", category: "command", reason: reason2 }];
+      return {
+        allowed: policy.mode !== "enforce",
+        matchedRules: matched2,
+        action: resolveAction(policy.mode, matched2),
+        failClosed: false
+      };
+    }
+  }
+  const monorepoRoot = context.monorepoRoot || process.env.MONOREPO_ROOT?.trim() || context.taskWorkspace || context.projectRoot;
+  let normalizedPath = filePath;
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith(context.taskWorkspace + "/")) {
+    normalizedPath = filePath.slice(context.taskWorkspace.length + 1);
+  }
+  normalizedPath = normalizePathToScope(context.projectRoot, monorepoRoot, normalizedPath);
+  if (scopeMatches(filePath, scopes) || scopeMatches(normalizedPath, scopes)) {
+    return allowed();
+  }
+  const reason = `File '${filePath}' (normalized: '${normalizedPath}') is outside scope of task ${context.taskId}`;
+  const matched = [{ id: "scope:out-of-scope", category: "command", reason }];
+  return {
+    allowed: policy.mode !== "enforce",
+    matchedRules: matched,
+    action: resolveAction(policy.mode, matched),
+    failClosed: false
+  };
+}
+function evaluateCommand(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "command") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const command = evaluation.command;
+  const matchedRules = [];
+  for (const rule of policy.rules) {
+    if (rule.category !== "command")
+      continue;
+    if (!matchRule(rule, command))
+      continue;
+    if (matchRuleUnless(rule, command, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      ...rule.description !== undefined ? { description: rule.description } : {},
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const writeTarget = extractWriteTarget(command);
+  if (writeTarget && !/^\/dev\//.test(writeTarget) && !/^\/proc\//.test(writeTarget)) {
+    const scopeResult = evaluateScope(policy, context, writeTarget, "write");
+    if (!scopeResult.allowed || scopeResult.matchedRules.length > 0) {
+      matchedRules.push(...scopeResult.matchedRules);
+    }
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function extractWriteTarget(command) {
+  const redirect = command.match(/>>?\s+([^\s;|&]+)/);
+  if (redirect?.[1])
+    return redirect[1];
+  const tee = command.match(/tee\s+(-a\s+)?([^\s;|&]+)/);
+  if (tee?.[2])
+    return tee[2];
+  return "";
+}
+function evaluateContent(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "content-write") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { content, file_path } = evaluation;
+  const matchedRules = [];
+  const scopeResult = evaluateScope(policy, context, file_path, "write");
+  if (scopeResult.matchedRules.length > 0) {
+    matchedRules.push(...scopeResult.matchedRules);
+  }
+  for (const rule of policy.rules) {
+    if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+      continue;
+    if (rule.applies_to === "test-files" && !isTestFile(file_path))
+      continue;
+    if (!matchRule(rule, content))
+      continue;
+    if (matchRuleUnless(rule, content, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      ...rule.description !== undefined ? { description: rule.description } : {},
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function evaluateToolCall(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "tool-call") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { tool_name, tool_input } = evaluation;
+  const allMatched = [];
+  const filePaths = extractFilePathsFromToolInput(tool_name, tool_input);
+  for (const fp of filePaths) {
+    const access = isWriteTool(tool_name) ? "write" : "read";
+    const scopeResult = evaluateScope(policy, context, fp, access);
+    if (scopeResult.matchedRules.length > 0) {
+      allMatched.push(...scopeResult.matchedRules);
+    }
+  }
+  const content = extractContentFromToolInput(tool_input);
+  if (content) {
+    const filePath = filePaths[0] || "";
+    const contentContext = {
+      ...context,
+      evaluation: { type: "content-write", file_path: filePath, content }
+    };
+    const contentPolicy = loadPolicy(context.projectRoot);
+    for (const rule of contentPolicy.rules) {
+      if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+        continue;
+      if (rule.applies_to === "test-files" && !isTestFile(filePath))
+        continue;
+      if (!matchRule(rule, content))
+        continue;
+      if (matchRuleUnless(rule, content, context.taskId))
+        continue;
+      allMatched.push({
+        id: rule.id,
+        category: rule.category,
+        ...rule.description !== undefined ? { description: rule.description } : {},
+        reason: rule.description || `Matched rule ${rule.id}`
+      });
+    }
+  }
+  if (tool_name === "Bash") {
+    const command = String(tool_input.command || tool_input.cmd || "");
+    if (command) {
+      const cmdContext = {
+        ...context,
+        evaluation: { type: "command", command }
+      };
+      const cmdResult = evaluateCommand(policy, cmdContext);
+      if (cmdResult.matchedRules.length > 0) {
+        allMatched.push(...cmdResult.matchedRules);
+      }
+    }
+  }
+  const seen = new Set;
+  const deduplicated = [];
+  for (const rule of allMatched) {
+    if (!seen.has(rule.id)) {
+      seen.add(rule.id);
+      deduplicated.push(rule);
+    }
+  }
+  const action = resolveAction(policy.mode, deduplicated);
+  return {
+    allowed: action !== "block",
+    matchedRules: deduplicated,
+    action,
+    failClosed: false
+  };
+}
+function isWriteTool(toolName) {
+  return toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit";
+}
+function extractFilePathsFromToolInput(toolName, input) {
+  const paths = [];
+  const add = (value) => {
+    if (typeof value === "string" && value.trim()) {
+      paths.push(value.trim());
+    }
+  };
+  if (toolName === "Read" || toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit") {
+    add(input.file_path);
+    add(input.path);
+  } else if (toolName === "Glob") {
+    add(input.path);
+  } else if (toolName === "Grep") {
+    add(input.path);
+  } else {
+    add(input.file_path);
+    add(input.path);
+  }
+  return paths;
+}
+function extractContentFromToolInput(input) {
+  if (typeof input.content === "string")
+    return input.content;
+  if (typeof input.new_string === "string")
+    return input.new_string;
+  return "";
+}
+var guardHotPathPrimed = false;
+function primeGuardHotPaths() {
+  if (guardHotPathPrimed) {
+    return;
+  }
+  guardHotPathPrimed = true;
+  try {
+    optimizeNextInvocation(matchRule);
+    optimizeNextInvocation(evaluate);
+  } catch {}
+}
+primeGuardHotPaths();
 
+// packages/cli-surface-plugin/src/control-plane/agent-binary-build.ts
+import { runtimeProvisioningEnv } from "@rig/core/runtime-provisioning-env";
+
+// packages/cli-surface-plugin/src/runner.ts
 class CliError extends RuntimeCliError {
-  hint;
   constructor(message, exitCode = 1, options = {}) {
-    super(message, exitCode);
-    if (options.hint?.trim()) {
-      this.hint = options.hint.trim();
-    }
+    super(message, exitCode, options);
   }
 }
 function takeFlag(args, flag) {
@@ -352,27 +875,84 @@ function takeOption(args, option) {
   return { value, rest };
 }
 
-// packages/cli-surface-plugin/src/commands/init.ts
-import { buildRigInitConfigSource } from "@rig/init-plugin";
+// packages/cli-surface-plugin/src/control-plane/rigfig.ts
+import { existsSync as existsSync2, mkdirSync, writeFileSync } from "fs";
+import { resolve as resolve2 } from "path";
+import { stringify as stringifyToml } from "smol-toml";
+import { getStandardPluginsResolver } from "@rig/core/embedded-plugins";
+function rigfigConfigPath(projectRoot) {
+  return resolve2(projectRoot, ".rig", "rigfig.toml");
+}
+function isPlainObject(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function deepMerge(base, overlay) {
+  const out = { ...base };
+  for (const [key, value] of Object.entries(overlay)) {
+    const previous = out[key];
+    out[key] = isPlainObject(previous) && isPlainObject(value) ? deepMerge(previous, value) : value;
+  }
+  return out;
+}
+function composeDeclarativeConfig(plugins, context) {
+  let merged = {};
+  for (const plugin of plugins) {
+    const fragment = plugin.contributes?.config?.defaults?.(context);
+    if (isPlainObject(fragment))
+      merged = deepMerge(merged, fragment);
+  }
+  return merged;
+}
+var HEADER = [
+  "# Declarative rig configuration \u2014 the happy path.",
+  "# Plain DATA, composed from the standard plugins' defaults. No top-level",
+  "# rig.config.ts and no @h-rig/* install: the global rig binary resolves",
+  "# plugins from its embedded standard collection. rig created this for you;",
+  "# edit it freely (each plugin owns the section it needs).",
+  "",
+  ""
+].join(`
+`);
+function writeRigfigConfig(projectRoot, config) {
+  mkdirSync(resolve2(projectRoot, ".rig"), { recursive: true });
+  const path = rigfigConfigPath(projectRoot);
+  writeFileSync(path, `${HEADER}${stringifyToml(config)}
+`, "utf-8");
+  return path;
+}
+function composeAndWriteRigfig(projectRoot, options = {}) {
+  const resolver = getStandardPluginsResolver();
+  if (!resolver) {
+    throw new Error("Cannot write rig config: embedded standard plugins are not registered (seed wiring error).");
+  }
+  const context = options.repoSlug ? { projectRoot, repoSlug: options.repoSlug } : { projectRoot };
+  let composed = composeDeclarativeConfig(resolver(), context);
+  if (options.overlay) {
+    if (isPlainObject(options.overlay.taskSource) && "taskSource" in composed)
+      delete composed.taskSource;
+    composed = deepMerge(composed, options.overlay);
+  }
+  return writeRigfigConfig(projectRoot, composed);
+}
 
 // packages/cli-surface-plugin/src/commands/_connection-state.ts
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
-import { dirname, resolve } from "path";
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+import { dirname, resolve as resolve3 } from "path";
 function resolveRepoConnectionPath(projectRoot) {
-  return resolve(projectRoot, ".rig", "state", "connection.json");
+  return resolve3(projectRoot, ".rig", "state", "connection.json");
 }
 function readJsonFile(path) {
-  if (!existsSync(path))
+  if (!existsSync3(path))
     return null;
   try {
-    return JSON.parse(readFileSync(path, "utf8"));
+    return JSON.parse(readFileSync2(path, "utf8"));
   } catch (error) {
     throw new CliError(`Invalid Rig connection state at ${path}: ${error instanceof Error ? error.message : String(error)}`, 1, { hint: "Fix or delete that file, then re-select a server with `rig server use <alias|local>`." });
   }
 }
 function writeJsonFile(path, value) {
-  mkdirSync(dirname(path), { recursive: true });
-  writeFileSync(path, `${JSON.stringify(value, null, 2)}
+  mkdirSync2(dirname(path), { recursive: true });
+  writeFileSync2(path, `${JSON.stringify(value, null, 2)}
 `, "utf8");
 }
 function readRepoConnection(projectRoot) {
@@ -397,11 +977,11 @@ function writeRepoConnection(projectRoot, state) {
 }
 
 // packages/cli-surface-plugin/src/commands/init.ts
-import { upsertManagedRemoteEndpoint } from "@rig/runtime/control-plane/remote-config";
+import { upsertManagedRemoteEndpoint } from "@rig/core/remote-config";
 import { loadConfig } from "@rig/core/load-config";
 
 // packages/cli-surface-plugin/src/commands/_inprocess-services.ts
-import { resolve as resolve2 } from "path";
+import { resolve as resolve4 } from "path";
 import {
   beginGitHubDeviceFlow,
   checkGitHubRepoPermissions,
@@ -411,7 +991,7 @@ import {
   resolveGitHubAuthStatus,
   resolveProjectStatusField,
   saveGitHubTokenForProject
-} from "@rig/github-provider-plugin";
+} from "@rig/github-lib";
 var scopedGitHubBearerTokens = new Map;
 function cleanToken(value) {
   const trimmed = value?.trim();
@@ -424,11 +1004,11 @@ function oauthClientId() {
   return cleanToken(process.env.RIG_GITHUB_OAUTH_CLIENT_ID);
 }
 function tokenForProject(projectRoot, override) {
-  const scoped = scopedGitHubBearerTokens.get(resolve2(projectRoot));
+  const scoped = scopedGitHubBearerTokens.get(resolve4(projectRoot));
   return cleanToken(override) ?? scoped ?? createGitHubAuthStore(projectRoot).readToken() ?? cleanToken(process.env.RIG_GITHUB_TOKEN);
 }
 function setGitHubBearerTokenForCurrentProcess(token, projectRoot) {
-  scopedGitHubBearerTokens.set(resolve2(projectRoot ?? process.cwd()), cleanToken(token));
+  scopedGitHubBearerTokens.set(resolve4(projectRoot ?? process.cwd()), cleanToken(token));
 }
 async function getGitHubAuthStatusInProcess(context) {
   return { ok: true, ...resolveGitHubAuthStatus({ projectRoot: context.projectRoot, oauthConfigured: Boolean(oauthClientId()) }) };
@@ -495,12 +1075,12 @@ async function requestGitHubAuthJsonInProcess(context, pathname, init = {}) {
 }
 
 // packages/cli-surface-plugin/src/commands/_pi-install.ts
-import { existsSync as existsSync2 } from "fs";
+import { existsSync as existsSync4 } from "fs";
 import { homedir } from "os";
-import { resolve as resolve3 } from "path";
+import { resolve as resolve5 } from "path";
 var PI_RIG_PACKAGE_NAME = "@h-rig/pi-rig";
 async function defaultCommandRunner(command, options = {}) {
-  const proc = Bun.spawn(command, { cwd: options.cwd, stdout: "pipe", stderr: "pipe" });
+  const proc = Bun.spawn(command, { ...options.cwd !== undefined ? { cwd: options.cwd } : {}, stdout: "pipe", stderr: "pipe" });
   const [stdout, stderr, exitCode] = await Promise.all([
     new Response(proc.stdout).text(),
     new Response(proc.stderr).text(),
@@ -509,11 +1089,11 @@ async function defaultCommandRunner(command, options = {}) {
   return { exitCode, stdout, stderr };
 }
 function resolvePiRigExtensionPath(homeDir) {
-  return resolve3(homeDir, ".pi", "agent", "extensions", "pi-rig");
+  return resolve5(homeDir, ".pi", "agent", "extensions", "pi-rig");
 }
-function resolvePiRigPackageSource(projectRoot, exists = existsSync2) {
-  const localPackage = resolve3(projectRoot, "packages", "pi-rig");
-  if (exists(resolve3(localPackage, "package.json")))
+function resolvePiRigPackageSource(projectRoot, exists = existsSync4) {
+  const localPackage = resolve5(projectRoot, "packages", "pi-rig");
+  if (exists(resolve5(localPackage, "package.json")))
     return localPackage;
   return `npm:${PI_RIG_PACKAGE_NAME}`;
 }
@@ -585,7 +1165,7 @@ async function checkPiRigInstall(input = {}) {
   const piListResult = piResult.exitCode === 0 ? await safeRun(runner, ["pi", "list"]) : { exitCode: 1, stdout: "", stderr: "" };
   const hasPiRig = piListResult.exitCode === 0 && piListContainsPiRig(`${piListResult.stdout}
 ${piListResult.stderr}`);
-  const hasLegacyBridgeScaffold = !hasPiRig && (input.exists ?? existsSync2)(extensionPath);
+  const hasLegacyBridgeScaffold = !hasPiRig && (input.exists ?? existsSync4)(extensionPath);
   return {
     extensionPath,
     pi: {
@@ -605,7 +1185,7 @@ ${piListResult.stderr}`);
 async function ensurePiRigInstalled(input) {
   const home = resolvePiHomeDir(input.homeDir);
   if (process.env.RIG_TEST_FAKE_PI_INSTALL === "1") {
-    const status = await checkPiRigInstall({ homeDir: home, commandRunner: input.commandRunner });
+    const status = await checkPiRigInstall({ homeDir: home, ...input.commandRunner ? { commandRunner: input.commandRunner } : {} });
     return { ...status, installedPath: status.extensionPath };
   }
   const runner = input.commandRunner ?? defaultCommandRunner;
@@ -623,10 +1203,17 @@ async function ensurePiRigInstalled(input) {
 }
 
 // packages/cli-surface-plugin/src/commands/_doctor-checks.ts
-import { countDoctorFailures } from "@rig/contracts";
-import { loadDoctorService } from "@rig/runtime/control-plane/doctor-service-port";
+import { DOCTOR } from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import { loadCapabilityForRoot } from "@rig/core/capability-loaders";
+function doctorLevelToStatus(level) {
+  return level === "ok" ? "pass" : level;
+}
+function countDoctorFailures(checks) {
+  return checks.filter((entry) => (entry.status ?? doctorLevelToStatus(entry.level ?? "warn")) === "fail").length;
+}
 async function runRigDoctorChecks(options) {
-  const service = await loadDoctorService(options.projectRoot);
+  const service = await loadCapabilityForRoot(options.projectRoot, defineCapability(DOCTOR));
   if (!service) {
     return [
       {
@@ -642,64 +1229,6 @@ async function runRigDoctorChecks(options) {
   return service.runDoctorChecks(options);
 }
 
-// packages/cli-surface-plugin/src/version.ts
-import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
-import { dirname as dirname2, resolve as resolve4 } from "path";
-import { fileURLToPath } from "url";
-import { readBuildConfig } from "@rig/runtime/build-time-config";
-var SOURCE_CLI_VERSION = "0.0.0-alpha.1";
-var DEV_CLI_VERSION = "0.0.0-dev";
-function resolveInstalledCliVersion() {
-  const buildConfig = readBuildConfig();
-  const envVersion = process.env.RIG_CLI_VERSION?.trim();
-  const buildVersion = buildConfig.RIG_CLI_VERSION?.trim();
-  let version = envVersion || buildVersion || "";
-  if (!version) {
-    try {
-      const execPath = process.execPath || "";
-      const moduleDir = dirname2(fileURLToPath(import.meta.url));
-      const candidates = [
-        execPath ? resolve4(dirname2(execPath), "..", "manifest.json") : "",
-        resolve4(moduleDir, "..", "package.json"),
-        resolve4(moduleDir, "..", "..", "package.json"),
-        resolve4(process.cwd(), "packages/cli/package.json")
-      ].filter(Boolean);
-      for (const candidate of candidates) {
-        if (!existsSync3(candidate))
-          continue;
-        const parsed = JSON.parse(readFileSync2(candidate, "utf-8"));
-        const candidateVersion = parsed.version?.trim();
-        if (candidateVersion) {
-          version = candidateVersion;
-          break;
-        }
-      }
-    } catch {}
-  }
-  return version || DEV_CLI_VERSION;
-}
-function isPublishedCliVersion(version) {
-  const normalized = version.trim();
-  return normalized.length > 0 && normalized !== SOURCE_CLI_VERSION && normalized !== DEV_CLI_VERSION;
-}
-
-// packages/cli-surface-plugin/src/rig-config-package-deps.ts
-var REQUIRED_RIG_CONFIG_PACKAGE_NAMES = ["core", "standard-plugin"];
-function resolveRigConfigPackageVersion() {
-  const explicit = process.env.RIG_CONFIG_PACKAGE_VERSION?.trim();
-  if (explicit)
-    return explicit;
-  const installed = resolveInstalledCliVersion();
-  return isPublishedCliVersion(installed) ? installed : "latest";
-}
-function rigConfigDevDependencies() {
-  const version = resolveRigConfigPackageVersion();
-  return Object.fromEntries(REQUIRED_RIG_CONFIG_PACKAGE_NAMES.map((name) => [`@rig/${name}`, rigPackageSpec(name, version)]));
-}
-function rigPackageSpec(packageName, version = resolveRigConfigPackageVersion()) {
-  return `npm:@h-rig/${packageName}@${version}`;
-}
-
 // packages/cli-surface-plugin/src/commands/init.ts
 function parseRepoSlugFromRemote(remoteUrl) {
   const trimmed = remoteUrl.trim();
@@ -719,20 +1248,20 @@ function parseRepoSlug(value) {
   return { owner: match[1], repo: match[2], slug: `${match[1]}/${match[2]}` };
 }
 function ensureRigPrivateDirs(projectRoot) {
-  const rigDir = resolve5(projectRoot, ".rig");
-  mkdirSync2(resolve5(rigDir, "state"), { recursive: true });
-  mkdirSync2(resolve5(rigDir, "logs"), { recursive: true });
-  mkdirSync2(resolve5(rigDir, "runs"), { recursive: true });
-  mkdirSync2(resolve5(rigDir, "tmp"), { recursive: true });
-  mkdirSync2(resolve5(projectRoot, "artifacts"), { recursive: true });
-  const taskConfigPath = resolve5(rigDir, "task-config.json");
-  if (!existsSync4(taskConfigPath))
-    writeFileSync2(taskConfigPath, `{}
+  const rigDir = resolve6(projectRoot, ".rig");
+  mkdirSync3(resolve6(rigDir, "state"), { recursive: true });
+  mkdirSync3(resolve6(rigDir, "logs"), { recursive: true });
+  mkdirSync3(resolve6(rigDir, "runs"), { recursive: true });
+  mkdirSync3(resolve6(rigDir, "tmp"), { recursive: true });
+  mkdirSync3(resolve6(projectRoot, "artifacts"), { recursive: true });
+  const taskConfigPath = resolve6(rigDir, "task-config.json");
+  if (!existsSync5(taskConfigPath))
+    writeFileSync3(taskConfigPath, `{}
 `, "utf-8");
 }
 function ensureGitignoreEntries(projectRoot) {
-  const path = resolve5(projectRoot, ".gitignore");
-  const existing = existsSync4(path) ? readFileSync3(path, "utf8") : "";
+  const path = resolve6(projectRoot, ".gitignore");
+  const existing = existsSync5(path) ? readFileSync3(path, "utf8") : "";
   const entries = [".rig/state/", ".rig/logs/", ".rig/runs/", ".rig/tmp/"];
   const missing = entries.filter((entry) => !existing.split(/\r?\n/).includes(entry));
   if (missing.length === 0)
@@ -744,36 +1273,53 @@ function ensureGitignoreEntries(projectRoot) {
 `)}
 `, "utf8");
 }
-function ensureRigConfigPackageDependencies(projectRoot) {
-  const path = resolve5(projectRoot, "package.json");
-  const existing = existsSync4(path) ? JSON.parse(readFileSync3(path, "utf8")) : {};
-  const devDependencies = existing.devDependencies && typeof existing.devDependencies === "object" && !Array.isArray(existing.devDependencies) ? { ...existing.devDependencies } : {};
-  for (const [name, spec] of Object.entries(rigConfigDevDependencies())) {
-    devDependencies[name] = spec;
-  }
-  const next = {
-    ...existsSync4(path) ? existing : { name: "rig-project", private: true },
-    devDependencies
-  };
-  writeFileSync2(path, `${JSON.stringify(next, null, 2)}
-`, "utf8");
-}
-function applyGitHubProjectConfig(source, options) {
+function buildGitHubProjectsOverlay(options) {
   if (!options.githubProject || options.githubProject === "off")
-    return source;
-  const projectId = JSON.stringify(options.githubProject);
-  const statusFieldId = JSON.stringify(options.githubProjectStatusField ?? "Status");
-  const statuses = options.githubProjectStatuses && Object.keys(options.githubProjectStatuses).length > 0 ? `
-      statuses: ${JSON.stringify(options.githubProjectStatuses, null, 8).replace(/\n/g, `
-      `)},` : "";
-  return source.replace(`    projects: { enabled: false },`, [
-    `    projects: {`,
-    `      enabled: true,`,
-    `      projectId: ${projectId},`,
-    `      statusFieldId: ${statusFieldId},${statuses}`,
-    `    },`
-  ].join(`
-`));
+    return null;
+  const projects = {
+    enabled: true,
+    projectId: options.githubProject,
+    statusFieldId: options.githubProjectStatusField ?? "Status"
+  };
+  if (options.githubProjectStatuses && Object.keys(options.githubProjectStatuses).length > 0) {
+    projects.statuses = options.githubProjectStatuses;
+  }
+  return { github: { projects } };
+}
+function mergeOverlay(base, overlay) {
+  if (!overlay)
+    return base;
+  const out = { ...base };
+  for (const [key, value] of Object.entries(overlay)) {
+    const prev = out[key];
+    out[key] = prev && typeof prev === "object" && !Array.isArray(prev) && value && typeof value === "object" && !Array.isArray(value) ? mergeOverlay(prev, value) : value;
+  }
+  return out;
+}
+function configAlreadyExists(projectRoot) {
+  return existsSync5(resolve6(projectRoot, "rig.config.ts")) || existsSync5(resolve6(projectRoot, "rig.config.mts")) || existsSync5(resolve6(projectRoot, "rig.config.json")) || existsSync5(rigfigConfigPath(projectRoot));
+}
+function buildWizardOverlay(input) {
+  let overlay = {};
+  if (input.taskSource.kind === "github-issues") {
+    const taskSource = {
+      kind: "github-issues",
+      owner: input.taskSource.owner,
+      repo: input.taskSource.repo,
+      state: "open"
+    };
+    if (input.taskSource.assignee?.trim())
+      taskSource.options = { assignee: input.taskSource.assignee.trim() };
+    overlay.taskSource = taskSource;
+  } else {
+    overlay.taskSource = { kind: "files", path: input.taskSource.path };
+  }
+  if (input.sshTarget?.trim()) {
+    overlay = mergeOverlay(overlay, { runtime: { server: { sshTarget: input.sshTarget.trim() } } });
+  }
+  if (input.projects)
+    overlay = mergeOverlay(overlay, input.projects);
+  return overlay;
 }
 function checkoutForInit(projectRoot, options) {
   if (options.server === "remote") {
@@ -964,7 +1510,7 @@ async function promptGitHubProjectConfig(context, prompts, repoSlug, githubToken
       ...projects.map((project) => ({
         value: String(project.id),
         label: `${String(project.title ?? "Untitled project")} (#${String(project.number ?? "?")})`,
-        hint: typeof project.url === "string" ? project.url : undefined
+        ...typeof project.url === "string" ? { hint: project.url } : {}
       })),
       { value: "manual", label: "Enter ProjectV2 id manually" }
     ]
@@ -995,12 +1541,12 @@ async function promptGitHubProjectConfig(context, prompts, repoSlug, githubToken
   return {
     githubProject: projectId,
     githubProjectStatusField: fieldId,
-    githubProjectStatuses: Object.keys(statuses).length > 0 ? statuses : undefined,
+    ...Object.keys(statuses).length > 0 ? { githubProjectStatuses: statuses } : {},
     ...activeToken ? { githubToken: activeToken } : {}
   };
 }
 function sleep(ms) {
-  return new Promise((resolve6) => setTimeout(resolve6, ms));
+  return new Promise((resolve7) => setTimeout(resolve7, ms));
 }
 function positiveIntFromEnv(name, fallback) {
   const value = Number.parseInt(process.env[name] ?? "", 10);
@@ -1042,24 +1588,18 @@ function runLocalFilesInit(context, options) {
   ensureRigPrivateDirs(projectRoot);
   ensureGitignoreEntries(projectRoot);
   writeRepoConnection(projectRoot, { selected: "local", linkedAt: new Date().toISOString() });
-  const configTsPath = resolve5(projectRoot, "rig.config.ts");
-  const configExists = existsSync4(configTsPath) || existsSync4(resolve5(projectRoot, "rig.config.json"));
-  if (configExists && !options.repair) {
+  if (configAlreadyExists(projectRoot) && !options.repair) {
     if (context.outputMode !== "json")
-      console.log("rig.config already exists; leaving it unchanged. Pass --repair to rewrite it.");
+      console.log("rig config already exists; leaving it unchanged. Pass --repair to rewrite it.");
   } else {
-    const projectName = basename(projectRoot) || "rig-project";
-    writeFileSync2(configTsPath, buildRigInitConfigSource({
-      projectName,
-      taskSource: { kind: "files", path: "tasks" },
-      useStandardPlugin: true
-    }), "utf-8");
-  }
-  ensureRigConfigPackageDependencies(projectRoot);
-  const tasksDir = resolve5(projectRoot, "tasks");
-  if (!existsSync4(tasksDir)) {
-    mkdirSync2(tasksDir, { recursive: true });
-    writeFileSync2(resolve5(tasksDir, "T-1.json"), `${JSON.stringify({ id: "T-1", title: "My first Rig task", body: "Describe the change you want an agent to make." }, null, 2)}
+    composeAndWriteRigfig(projectRoot, {
+      overlay: buildWizardOverlay({ taskSource: { kind: "files", path: "tasks" } })
+    });
+  }
+  const tasksDir = resolve6(projectRoot, "tasks");
+  if (!existsSync5(tasksDir)) {
+    mkdirSync3(tasksDir, { recursive: true });
+    writeFileSync3(resolve6(tasksDir, "T-1.json"), `${JSON.stringify({ id: "T-1", title: "My first Rig task", body: "Describe the change you want an agent to make." }, null, 2)}
 `, "utf-8");
   }
   if (context.outputMode !== "json") {
@@ -1114,37 +1654,32 @@ function runDemoInit(context, options) {
   ensureRigPrivateDirs(projectRoot);
   ensureGitignoreEntries(projectRoot);
   writeRepoConnection(projectRoot, { selected: "local", linkedAt: new Date().toISOString() });
-  const configTsPath = resolve5(projectRoot, "rig.config.ts");
-  const configExists = existsSync4(configTsPath) || existsSync4(resolve5(projectRoot, "rig.config.json"));
   let configWritten = false;
-  if (configExists && !options.repair) {
+  if (configAlreadyExists(projectRoot) && !options.repair) {
     if (context.outputMode !== "json") {
-      console.log("rig.config already exists; leaving it unchanged. Pass --repair to rewrite it for the demo.");
+      console.log("rig config already exists; leaving it unchanged. Pass --repair to rewrite it for the demo.");
     }
   } else {
-    writeFileSync2(configTsPath, buildRigInitConfigSource({
-      projectName: basename(projectRoot) || "rig-demo",
-      taskSource: { kind: "files", path: DEMO_TASKS_RELATIVE_DIR },
-      useStandardPlugin: true
-    }), "utf-8");
+    composeAndWriteRigfig(projectRoot, {
+      overlay: buildWizardOverlay({ taskSource: { kind: "files", path: DEMO_TASKS_RELATIVE_DIR } })
+    });
     configWritten = true;
   }
-  ensureRigConfigPackageDependencies(projectRoot);
-  const demoTasksDir = resolve5(projectRoot, DEMO_TASKS_RELATIVE_DIR);
-  mkdirSync2(demoTasksDir, { recursive: true });
+  const demoTasksDir = resolve6(projectRoot, DEMO_TASKS_RELATIVE_DIR);
+  mkdirSync3(demoTasksDir, { recursive: true });
   const taskIds = [];
   for (const task of DEMO_TASKS) {
     const id = String(task.id);
     taskIds.push(id);
-    const taskPath = resolve5(demoTasksDir, `${id}.json`);
-    if (!existsSync4(taskPath)) {
-      writeFileSync2(taskPath, `${JSON.stringify(task, null, 2)}
+    const taskPath = resolve6(demoTasksDir, `${id}.json`);
+    if (!existsSync5(taskPath)) {
+      writeFileSync3(taskPath, `${JSON.stringify(task, null, 2)}
 `, "utf-8");
     }
   }
   if (context.outputMode !== "json") {
     console.log(`Demo Rig project ready (offline, no GitHub).`);
-    console.log(`  config: rig.config.ts (files task source -> ${DEMO_TASKS_RELATIVE_DIR}/)`);
+    console.log(`  config: .rig/rigfig.toml (files task source -> ${DEMO_TASKS_RELATIVE_DIR}/)`);
     console.log(`  tasks:  ${taskIds.join(", ")}`);
     console.log("Next steps:");
     console.log("  1. run bare `rig`");
@@ -1198,25 +1733,21 @@ async function runControlPlaneInit(context, options) {
   });
   ensureRigPrivateDirs(projectRoot);
   ensureGitignoreEntries(projectRoot);
-  const configTsPath = resolve5(projectRoot, "rig.config.ts");
-  const configJsonPath = resolve5(projectRoot, "rig.config.json");
-  const configExists = existsSync4(configTsPath) || existsSync4(configJsonPath);
   if (!options.privateStateOnly) {
-    if (configExists && !options.repair) {
+    if (configAlreadyExists(projectRoot) && !options.repair) {
       if (context.outputMode !== "json")
-        console.log("rig.config already exists; leaving it unchanged. Pass --repair to rewrite it.");
+        console.log("rig config already exists; leaving it unchanged. Pass --repair to rewrite it.");
     } else {
-      const source = applyGitHubProjectConfig(buildRigInitConfigSource({
-        projectName: repo.slug,
-        projectRepo: repo.slug,
-        taskSource: { kind: "github-issues", owner: repo.owner, repo: repo.repo },
-        useStandardPlugin: true
-      }), options);
-      writeFileSync2(configTsPath, source, "utf-8");
+      composeAndWriteRigfig(projectRoot, {
+        repoSlug: repo.slug,
+        overlay: buildWizardOverlay({
+          taskSource: { kind: "github-issues", owner: repo.owner, repo: repo.repo },
+          projects: buildGitHubProjectsOverlay(options)
+        })
+      });
     }
-    ensureRigConfigPackageDependencies(projectRoot);
   }
-  writeFileSync2(resolve5(projectRoot, ".rig", "state", "project-link.json"), `${JSON.stringify({ repoSlug: repo.slug, connection: connectionAlias, linkedAt: new Date().toISOString() }, null, 2)}
+  writeFileSync3(resolve6(projectRoot, ".rig", "state", "project-link.json"), `${JSON.stringify({ repoSlug: repo.slug, connection: connectionAlias, linkedAt: new Date().toISOString() }, null, 2)}
 `, "utf8");
   const checkout = checkoutForInit(projectRoot, options);
   let githubAuth = null;
@@ -1255,7 +1786,7 @@ async function runControlPlaneInit(context, options) {
     skipped: true,
     reason: "retired-server-label-bootstrap"
   };
-  const pi = await ensurePiRigInstalled({ projectRoot, homeDir: process.env.RIG_PI_HOME_DIR }).catch((error) => ({
+  const pi = await ensurePiRigInstalled({ projectRoot, ...process.env.RIG_PI_HOME_DIR !== undefined ? { homeDir: process.env.RIG_PI_HOME_DIR } : {} }).catch((error) => ({
     pi: { ok: false, label: "pi", hint: error instanceof Error ? error.message : String(error) },
     piRig: { ok: false, label: "pi-rig global extension", hint: "Local pi-rig installation failed." },
     extensionPath: null,
@@ -1346,7 +1877,7 @@ function parseInitOptions(args) {
 async function runInteractiveControlPlaneInit(context, prompts) {
   prompts.intro?.("Initialize a Rig control-plane project");
   const projectRoot = context.projectRoot;
-  const existingConfig = existsSync4(resolve5(projectRoot, "rig.config.ts")) || existsSync4(resolve5(projectRoot, "rig.config.json"));
+  const existingConfig = configAlreadyExists(projectRoot);
   let repair = false;
   let privateStateOnly = false;
   if (existingConfig) {
@@ -1370,7 +1901,7 @@ async function runInteractiveControlPlaneInit(context, prompts) {
   const repoSlug = await promptRequiredText(prompts, {
     message: "GitHub repo slug",
     placeholder: "owner/repo",
-    defaultValue: detectedRepo
+    ...detectedRepo !== undefined ? { defaultValue: detectedRepo } : {}
   });
   const placement = await promptSelect(prompts, {
     message: "Execution placement",
@@ -1459,7 +1990,6 @@ export {
   runInteractiveControlPlaneInit,
   runDemoInit,
   executeInit,
-  buildRigInitConfigSource,
   DEMO_TASKS_RELATIVE_DIR,
   DEMO_TASKS
 };