@h-rig/cli-surface-plugin 0.0.6-alpha.157 → 0.0.6-alpha.158

package/dist/src/commands/workspace.js

@@ -1,17 +1,656 @@
 // @bun
 // packages/cli-surface-plugin/src/runner.ts
-import { EventBus } from "@rig/runtime/control-plane/runtime/events";
-import { CliError as RuntimeCliError } from "@rig/runtime/control-plane/errors";
-import { evaluate, loadPolicy, resolveAction } from "@rig/runtime/control-plane/runtime/guard";
-import { buildBinary } from "@rig/runtime/control-plane/runtime/isolation";
+import { EventBus } from "@rig/core/runtime-events";
+import { CliError as RuntimeCliError } from "@rig/contracts";
 
+// packages/cli-surface-plugin/src/control-plane/guard.ts
+import { optimizeNextInvocation } from "bun:jsc";
+import { existsSync, readFileSync, statSync } from "fs";
+import { resolve } from "path";
+
+// packages/cli-surface-plugin/src/control-plane/scope.ts
+import { getScopeRules } from "@rig/core/scope-rules";
+var scopeRegexCache = new Map;
+function unique(values) {
+  return [...new Set(values)];
+}
+function normalizeRelativeScopePath(inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  const rules = getScopeRules();
+  if (rules?.stripPrefixes) {
+    for (const prefix of rules.stripPrefixes) {
+      if (normalized.startsWith(prefix)) {
+        normalized = normalized.slice(prefix.length);
+      }
+    }
+  }
+  return normalized;
+}
+function normalizePathToScope(projectRoot, monorepoRoot, inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  if (normalized.startsWith(projectRoot + "/")) {
+    normalized = normalized.slice(projectRoot.length + 1);
+  }
+  if (normalized.startsWith(monorepoRoot + "/")) {
+    normalized = normalized.slice(monorepoRoot.length + 1);
+  }
+  return normalizeRelativeScopePath(normalized);
+}
+function scopeGlobToRegex(glob) {
+  const cached = scopeRegexCache.get(glob);
+  if (cached) {
+    return cached;
+  }
+  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "__GLOBSTAR__").replace(/\*/g, "[^/]*").replace(/__GLOBSTAR__/g, ".*");
+  const compiled = new RegExp(`^${escaped}$`);
+  scopeRegexCache.set(glob, compiled);
+  return compiled;
+}
+function scopeMatches(path, scopes) {
+  const pathVariants = unique([path, normalizeRelativeScopePath(path)]);
+  for (const scope of scopes) {
+    const scopeVariants = unique([scope, normalizeRelativeScopePath(scope)]);
+    for (const candidatePath of pathVariants) {
+      for (const candidateScope of scopeVariants) {
+        if (candidatePath === candidateScope || scopeGlobToRegex(candidateScope).test(candidatePath)) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
+
+// packages/cli-surface-plugin/src/control-plane/guard.ts
+import {
+  POLICY_VERSION
+} from "@rig/contracts";
+var DEFAULT_SCOPE = {
+  fail_closed: true,
+  harness_paths_exempt: true,
+  runtime_paths_exempt: true
+};
+var DEFAULT_SANDBOX = {
+  mode: "enforce",
+  network: true,
+  read_deny: [],
+  write_allow_from_runtime: true
+};
+var DEFAULT_ISOLATION = {
+  default_mode: "worktree",
+  repo_symlink_fallback: false,
+  strict_provisioning: true,
+  fail_closed_on_provision_error: true
+};
+var DEFAULT_COMPLETION = {
+  derive_checks_from_scope: true,
+  checks: [],
+  typescript_config_probe: ["tsconfig.json"],
+  eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+};
+var DEFAULT_RUNTIME_IMAGE = {
+  deps: {
+    monorepo_install: false,
+    hp_next_install: false
+  },
+  plugins_require_binaries: true
+};
+var DEFAULT_RUNTIME_SNAPSHOT = {
+  enabled: true
+};
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+var policyCache = null;
+var policyCachePath = null;
+var seededPolicyConfig = null;
+var compiledRegexCache = new Map;
+function loadPolicy(projectRoot) {
+  if (seededPolicyConfig) {
+    return seededPolicyConfig;
+  }
+  const configPath = resolve(projectRoot, "rig/policy/policy.json");
+  if (!existsSync(configPath)) {
+    return defaultPolicy();
+  }
+  let mtimeMs;
+  try {
+    mtimeMs = statSync(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync(configPath, "utf-8"));
+  } catch {
+    return defaultPolicy();
+  }
+  const config = mergeWithDefaults(parsed);
+  policyCache = { mtimeMs, config };
+  policyCachePath = configPath;
+  return config;
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode)) {
+    base.mode = parsed.mode;
+  }
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const s = parsed.scope;
+    if (typeof s.fail_closed === "boolean")
+      base.scope.fail_closed = s.fail_closed;
+    if (typeof s.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = s.harness_paths_exempt;
+    if (typeof s.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = s.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules)) {
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  }
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sb = parsed.sandbox;
+    if (typeof sb.mode === "string" && isValidMode(sb.mode))
+      base.sandbox.mode = sb.mode;
+    if (typeof sb.network === "boolean")
+      base.sandbox.network = sb.network;
+    if (Array.isArray(sb.read_deny))
+      base.sandbox.read_deny = sb.read_deny.filter((v) => typeof v === "string");
+    if (typeof sb.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sb.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const iso = parsed.isolation;
+    if (iso.default_mode === "worktree")
+      base.isolation.default_mode = iso.default_mode;
+    if (typeof iso.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = iso.repo_symlink_fallback;
+    if (typeof iso.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = iso.strict_provisioning;
+    if (typeof iso.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = iso.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const comp = parsed.completion;
+    if (typeof comp.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = comp.derive_checks_from_scope;
+    if (Array.isArray(comp.checks))
+      base.completion.checks = comp.checks.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.typescript_config_probe))
+      base.completion.typescript_config_probe = comp.typescript_config_probe.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.eslint_config_probe))
+      base.completion.eslint_config_probe = comp.eslint_config_probe.filter((v) => typeof v === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean") {
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      }
+      if (typeof deps.hp_next_install === "boolean") {
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+      }
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean") {
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+    }
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean") {
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+    }
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const r = value;
+  return typeof r.id === "string" && typeof r.category === "string" && r.match != null && typeof r.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    rules.push({
+      id: entry.id,
+      category: "command",
+      match,
+      action: "block",
+      ...typeof entry.description === "string" ? { description: entry.description } : {}
+    });
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiledRegex = rule.match.regex ? compileSafeRegex(rule.match.regex, `rules.${rule.id}.match.regex`, true) : undefined;
+    const compiledUnlessRegex = rule.unless?.regex ? compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, true) : undefined;
+    return {
+      ...rule,
+      ...compiledRegex ? { compiledRegex } : {},
+      ...compiledUnlessRegex ? { compiledUnlessRegex } : {}
+    };
+  });
+}
+function getRegexUnsafeReason(pattern) {
+  if (pattern.length > 512) {
+    return "pattern exceeds max safe length (512 chars)";
+  }
+  if (/\\[1-9]/.test(pattern)) {
+    return "pattern uses backreferences";
+  }
+  if (/\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested quantifiers";
+  }
+  if (/\((?:[^()\\]|\\.)*\.\\?[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested broad quantifiers";
+  }
+  return null;
+}
+function compileSafeRegex(pattern, sourceLabel, logOnFailure) {
+  const cached = compiledRegexCache.get(pattern);
+  if (cached !== undefined) {
+    return cached ?? undefined;
+  }
+  const unsafeReason = getRegexUnsafeReason(pattern);
+  if (unsafeReason) {
+    if (logOnFailure) {
+      console.warn(`[policy] Skipping unsafe regex in ${sourceLabel}: ${unsafeReason}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+  try {
+    const compiled = new RegExp(pattern);
+    compiledRegexCache.set(pattern, compiled);
+    return compiled;
+  } catch (error) {
+    if (logOnFailure) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.warn(`[policy] Skipping invalid regex in ${sourceLabel}: ${message}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+}
+function matchRule(rule, input) {
+  const { match } = rule;
+  if (match.pattern && input.includes(match.pattern)) {
+    return true;
+  }
+  if (match.regex) {
+    const compiled = rule.compiledRegex || compileSafeRegex(match.regex, `rules.${rule.id}.match.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      return compiled.test(input);
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function matchRuleUnless(rule, command, taskId) {
+  if (!rule.unless)
+    return false;
+  if (rule.unless.regex) {
+    const compiled = rule.compiledUnlessRegex || compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      if (compiled.test(command))
+        return true;
+    } catch {}
+  }
+  if (rule.unless.task_in && taskId) {
+    if (rule.unless.task_in.includes(taskId))
+      return true;
+  }
+  return false;
+}
+function resolveAction(mode, matched) {
+  if (matched.length === 0)
+    return "allow";
+  if (mode === "off")
+    return "allow";
+  if (mode === "observe")
+    return "warn";
+  return "block";
+}
+function resolveAbsolutePath(projectRoot, rawPath) {
+  if (rawPath.startsWith("/"))
+    return resolve(rawPath);
+  return resolve(projectRoot, rawPath);
+}
+function isHarnessPath(projectRoot, rawPath) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  const managedRoots = [
+    resolve(projectRoot, "rig"),
+    resolve(projectRoot, ".rig"),
+    resolve(projectRoot, "artifacts")
+  ];
+  return managedRoots.some((root) => absPath === root || absPath.startsWith(root + "/"));
+}
+function isRuntimePath(projectRoot, rawPath, taskWorkspace) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  if (taskWorkspace) {
+    const workspaceRigRoot = resolve(taskWorkspace, ".rig");
+    const workspaceArtifactsRoot = resolve(taskWorkspace, "artifacts");
+    if (absPath === workspaceRigRoot || absPath.startsWith(workspaceRigRoot + "/") || absPath === workspaceArtifactsRoot || absPath.startsWith(workspaceArtifactsRoot + "/")) {
+      return true;
+    }
+  }
+  const runtimeRoot = resolve(projectRoot, ".rig/runtime/agents");
+  return absPath === runtimeRoot || absPath.startsWith(runtimeRoot + "/");
+}
+function isTestFile(path) {
+  return /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(path) || /\/(__tests__|tests|test)\//.test(path);
+}
+function evaluate(context) {
+  const policy = loadPolicy(context.projectRoot);
+  switch (context.evaluation.type) {
+    case "tool-call":
+      return evaluateToolCall(policy, context);
+    case "command":
+      return evaluateCommand(policy, context);
+    case "content-write":
+      return evaluateContent(policy, context);
+    case "file-access":
+      return evaluateScope(policy, context, context.evaluation.file_path, context.evaluation.access);
+  }
+}
+function evaluateScope(policy, context, filePath, access) {
+  const allowed = () => ({
+    allowed: true,
+    matchedRules: [],
+    action: "allow",
+    failClosed: false
+  });
+  if (policy.scope.harness_paths_exempt && isHarnessPath(context.projectRoot, filePath)) {
+    return allowed();
+  }
+  if (policy.scope.runtime_paths_exempt && isRuntimePath(context.projectRoot, filePath, context.taskWorkspace)) {
+    return allowed();
+  }
+  if (!context.taskId) {
+    if (access === "write" && policy.scope.fail_closed) {
+      return {
+        allowed: false,
+        matchedRules: [],
+        action: resolveAction(policy.mode, [{ id: "scope:no-task", category: "command", reason: "No active task; fail-closed for write operations" }]),
+        failClosed: true
+      };
+    }
+    return allowed();
+  }
+  const scopes = context.taskScopes || [];
+  if (scopes.length === 0) {
+    return allowed();
+  }
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith("/")) {
+    const absPath = resolve(filePath);
+    if (!absPath.startsWith(context.taskWorkspace + "/") && !isHarnessPath(context.projectRoot, filePath)) {
+      const reason2 = `Absolute path '${filePath}' is outside task runtime boundary. Allowed root: ${context.taskWorkspace}`;
+      const matched2 = [{ id: "scope:workspace-boundary", category: "command", reason: reason2 }];
+      return {
+        allowed: policy.mode !== "enforce",
+        matchedRules: matched2,
+        action: resolveAction(policy.mode, matched2),
+        failClosed: false
+      };
+    }
+  }
+  const monorepoRoot = context.monorepoRoot || process.env.MONOREPO_ROOT?.trim() || context.taskWorkspace || context.projectRoot;
+  let normalizedPath = filePath;
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith(context.taskWorkspace + "/")) {
+    normalizedPath = filePath.slice(context.taskWorkspace.length + 1);
+  }
+  normalizedPath = normalizePathToScope(context.projectRoot, monorepoRoot, normalizedPath);
+  if (scopeMatches(filePath, scopes) || scopeMatches(normalizedPath, scopes)) {
+    return allowed();
+  }
+  const reason = `File '${filePath}' (normalized: '${normalizedPath}') is outside scope of task ${context.taskId}`;
+  const matched = [{ id: "scope:out-of-scope", category: "command", reason }];
+  return {
+    allowed: policy.mode !== "enforce",
+    matchedRules: matched,
+    action: resolveAction(policy.mode, matched),
+    failClosed: false
+  };
+}
+function evaluateCommand(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "command") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const command = evaluation.command;
+  const matchedRules = [];
+  for (const rule of policy.rules) {
+    if (rule.category !== "command")
+      continue;
+    if (!matchRule(rule, command))
+      continue;
+    if (matchRuleUnless(rule, command, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      ...rule.description !== undefined ? { description: rule.description } : {},
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const writeTarget = extractWriteTarget(command);
+  if (writeTarget && !/^\/dev\//.test(writeTarget) && !/^\/proc\//.test(writeTarget)) {
+    const scopeResult = evaluateScope(policy, context, writeTarget, "write");
+    if (!scopeResult.allowed || scopeResult.matchedRules.length > 0) {
+      matchedRules.push(...scopeResult.matchedRules);
+    }
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function extractWriteTarget(command) {
+  const redirect = command.match(/>>?\s+([^\s;|&]+)/);
+  if (redirect?.[1])
+    return redirect[1];
+  const tee = command.match(/tee\s+(-a\s+)?([^\s;|&]+)/);
+  if (tee?.[2])
+    return tee[2];
+  return "";
+}
+function evaluateContent(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "content-write") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { content, file_path } = evaluation;
+  const matchedRules = [];
+  const scopeResult = evaluateScope(policy, context, file_path, "write");
+  if (scopeResult.matchedRules.length > 0) {
+    matchedRules.push(...scopeResult.matchedRules);
+  }
+  for (const rule of policy.rules) {
+    if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+      continue;
+    if (rule.applies_to === "test-files" && !isTestFile(file_path))
+      continue;
+    if (!matchRule(rule, content))
+      continue;
+    if (matchRuleUnless(rule, content, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      ...rule.description !== undefined ? { description: rule.description } : {},
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function evaluateToolCall(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "tool-call") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { tool_name, tool_input } = evaluation;
+  const allMatched = [];
+  const filePaths = extractFilePathsFromToolInput(tool_name, tool_input);
+  for (const fp of filePaths) {
+    const access = isWriteTool(tool_name) ? "write" : "read";
+    const scopeResult = evaluateScope(policy, context, fp, access);
+    if (scopeResult.matchedRules.length > 0) {
+      allMatched.push(...scopeResult.matchedRules);
+    }
+  }
+  const content = extractContentFromToolInput(tool_input);
+  if (content) {
+    const filePath = filePaths[0] || "";
+    const contentContext = {
+      ...context,
+      evaluation: { type: "content-write", file_path: filePath, content }
+    };
+    const contentPolicy = loadPolicy(context.projectRoot);
+    for (const rule of contentPolicy.rules) {
+      if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+        continue;
+      if (rule.applies_to === "test-files" && !isTestFile(filePath))
+        continue;
+      if (!matchRule(rule, content))
+        continue;
+      if (matchRuleUnless(rule, content, context.taskId))
+        continue;
+      allMatched.push({
+        id: rule.id,
+        category: rule.category,
+        ...rule.description !== undefined ? { description: rule.description } : {},
+        reason: rule.description || `Matched rule ${rule.id}`
+      });
+    }
+  }
+  if (tool_name === "Bash") {
+    const command = String(tool_input.command || tool_input.cmd || "");
+    if (command) {
+      const cmdContext = {
+        ...context,
+        evaluation: { type: "command", command }
+      };
+      const cmdResult = evaluateCommand(policy, cmdContext);
+      if (cmdResult.matchedRules.length > 0) {
+        allMatched.push(...cmdResult.matchedRules);
+      }
+    }
+  }
+  const seen = new Set;
+  const deduplicated = [];
+  for (const rule of allMatched) {
+    if (!seen.has(rule.id)) {
+      seen.add(rule.id);
+      deduplicated.push(rule);
+    }
+  }
+  const action = resolveAction(policy.mode, deduplicated);
+  return {
+    allowed: action !== "block",
+    matchedRules: deduplicated,
+    action,
+    failClosed: false
+  };
+}
+function isWriteTool(toolName) {
+  return toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit";
+}
+function extractFilePathsFromToolInput(toolName, input) {
+  const paths = [];
+  const add = (value) => {
+    if (typeof value === "string" && value.trim()) {
+      paths.push(value.trim());
+    }
+  };
+  if (toolName === "Read" || toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit") {
+    add(input.file_path);
+    add(input.path);
+  } else if (toolName === "Glob") {
+    add(input.path);
+  } else if (toolName === "Grep") {
+    add(input.path);
+  } else {
+    add(input.file_path);
+    add(input.path);
+  }
+  return paths;
+}
+function extractContentFromToolInput(input) {
+  if (typeof input.content === "string")
+    return input.content;
+  if (typeof input.new_string === "string")
+    return input.new_string;
+  return "";
+}
+var guardHotPathPrimed = false;
+function primeGuardHotPaths() {
+  if (guardHotPathPrimed) {
+    return;
+  }
+  guardHotPathPrimed = true;
+  try {
+    optimizeNextInvocation(matchRule);
+    optimizeNextInvocation(evaluate);
+  } catch {}
+}
+primeGuardHotPaths();
+
+// packages/cli-surface-plugin/src/control-plane/agent-binary-build.ts
+import { runtimeProvisioningEnv } from "@rig/core/runtime-provisioning-env";
+
+// packages/cli-surface-plugin/src/runner.ts
 class CliError extends RuntimeCliError {
-  hint;
   constructor(message, exitCode = 1, options = {}) {
-    super(message, exitCode);
-    if (options.hint?.trim()) {
-      this.hint = options.hint.trim();
-    }
+    super(message, exitCode, options);
   }
 }
 function takeOption(args, option) {
@@ -41,13 +680,639 @@ Usage: ${usage}`);
   }
 }
 
-// packages/cli-surface-plugin/src/commands/workspace.ts
+// packages/cli-surface-plugin/src/control-plane/workspace-ops.ts
+import { spawn } from "child_process";
 import {
-  mutateWorkspaceServiceFabric,
-  readWorkspaceRemoteFleet,
-  readWorkspaceSummary,
-  readWorkspaceTopology
-} from "@rig/runtime/control-plane/native/workspace-ops";
+  appendFileSync,
+  closeSync,
+  existsSync as existsSync2,
+  mkdirSync,
+  openSync,
+  readdirSync,
+  readFileSync as readFileSync2,
+  writeFileSync
+} from "fs";
+import { join, resolve as resolve2 } from "path";
+import { TASK_DATA_SERVICE_CAPABILITY } from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import { requireInstalledCapability } from "@rig/core/capability-loaders";
+var TaskDataCap = defineCapability(TASK_DATA_SERVICE_CAPABILITY);
+var taskData = () => requireInstalledCapability(TaskDataCap, "task-data capability unavailable: load @rig/task-sources-plugin (default bundle) before reading workspace task counts.");
+var ONLINE_REMOTE_HOST_STATUSES = new Set(["ready", "busy", "degraded", "draining"]);
+function asRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function asString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function asStringArray(value) {
+  return Array.isArray(value) ? value.flatMap((entry) => typeof entry === "string" && entry.trim().length > 0 ? [entry.trim()] : []) : [];
+}
+function asStringMap(value) {
+  const record = asRecord(value);
+  if (!record) {
+    return {};
+  }
+  const entries = Object.entries(record).flatMap(([key, entry]) => {
+    if (typeof entry === "string" && entry.trim().length > 0) {
+      return [[key, entry]];
+    }
+    if (typeof entry === "number" || typeof entry === "boolean") {
+      return [[key, String(entry)]];
+    }
+    return [];
+  });
+  return Object.fromEntries(entries);
+}
+function parseScalar(raw) {
+  const value = raw.trim();
+  if (value.length === 0)
+    return "";
+  if (value === "null")
+    return null;
+  if (value === "true")
+    return true;
+  if (value === "false")
+    return false;
+  if (/^-?\d+$/.test(value))
+    return Number.parseInt(value, 10);
+  if (/^-?\d+\.\d+$/.test(value))
+    return Number.parseFloat(value);
+  if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+    return value.slice(1, -1);
+  }
+  return value;
+}
+function parseYamlSubset(source) {
+  const lines = source.split(/\r?\n/).map((line) => line.replace(/\t/g, "  ")).filter((line) => line.trim().length > 0 && !line.trimStart().startsWith("#"));
+  const root = {};
+  const stack = [
+    { indent: -1, value: root }
+  ];
+  const ensureContainer = (indent) => {
+    while (stack.length > 1 && indent <= stack[stack.length - 1].indent) {
+      stack.pop();
+    }
+    return stack[stack.length - 1];
+  };
+  for (let index = 0;index < lines.length; index += 1) {
+    const rawLine = lines[index];
+    const indent = rawLine.match(/^ */)?.[0].length ?? 0;
+    const line = rawLine.trim();
+    const parent = ensureContainer(indent);
+    if (line.startsWith("- ")) {
+      const itemContent = line.slice(2);
+      if (!Array.isArray(parent.value)) {
+        continue;
+      }
+      if (itemContent.includes(":")) {
+        const [firstKey, ...rest] = itemContent.split(":");
+        const valueText2 = rest.join(":").trim();
+        const entry = {};
+        entry[firstKey.trim()] = valueText2.length > 0 ? parseScalar(valueText2) : "";
+        parent.value.push(entry);
+        stack.push({ indent, value: entry });
+      } else {
+        parent.value.push(parseScalar(itemContent));
+      }
+      continue;
+    }
+    const colonIndex = line.indexOf(":");
+    if (colonIndex === -1 || !asRecord(parent.value)) {
+      continue;
+    }
+    const key = line.slice(0, colonIndex).trim();
+    const valueText = line.slice(colonIndex + 1).trim();
+    const parentRecord = parent.value;
+    if (valueText.length > 0) {
+      parentRecord[key] = parseScalar(valueText);
+      continue;
+    }
+    const nextLine = lines[index + 1]?.trim() ?? "";
+    const container = nextLine.startsWith("- ") ? [] : {};
+    parentRecord[key] = container;
+    stack.push({ indent, value: container });
+  }
+  return root;
+}
+function relativePath(rootPath, targetPath) {
+  return targetPath.startsWith(rootPath) ? targetPath.slice(rootPath.length + 1) || "." : targetPath;
+}
+function resolveRuntimeWorkspaceRoot(projectRoot) {
+  return resolve2(process.env.RIG_TASK_WORKSPACE?.trim() || projectRoot);
+}
+function resolveServiceFabricPaths(projectRoot) {
+  const workspaceRoot = resolveRuntimeWorkspaceRoot(projectRoot);
+  const fabricRoot = resolve2(workspaceRoot, ".rig", "service-fabric");
+  return {
+    workspaceRoot,
+    fabricRoot,
+    statePath: resolve2(fabricRoot, "fabric-state.json"),
+    logsDir: resolve2(fabricRoot, "logs")
+  };
+}
+function issueStatus(status) {
+  switch (status) {
+    case "ready":
+    case "open":
+    case "queued":
+    case "blocked":
+    case "completed":
+    case "draft":
+    case "cancelled":
+      return status;
+    case "in_progress":
+    case "under_review":
+      return "running";
+    case "unknown":
+      return "unknown";
+  }
+}
+function collectTaskCounts(projectRoot) {
+  const initial = {
+    total: 0,
+    ready: 0,
+    open: 0,
+    queued: 0,
+    running: 0,
+    blocked: 0,
+    failed: 0,
+    unknown: 0,
+    completed: 0,
+    draft: 0,
+    cancelled: 0
+  };
+  const snapshot = taskData().readSyncedTrackerState(projectRoot, {}, { allowLocalFallback: true });
+  for (const issue of snapshot.issues) {
+    if (!issue.id.startsWith("bd-"))
+      continue;
+    if (issue.issueType === "epic")
+      continue;
+    initial.total += 1;
+    initial[issueStatus(issue.status)] += 1;
+  }
+  return initial;
+}
+function listManifestDirs(rootPath) {
+  const candidates = [join(rootPath, "microservices")];
+  const discovered = new Set;
+  for (const candidate of candidates) {
+    if (!existsSync2(candidate))
+      continue;
+    for (const entry of readdirSync(candidate, { withFileTypes: true })) {
+      if (!entry.isDirectory() || entry.name.startsWith("_"))
+        continue;
+      const serviceDir = join(candidate, entry.name);
+      if (existsSync2(join(serviceDir, "service.yaml"))) {
+        discovered.add(serviceDir);
+      }
+    }
+  }
+  return [...discovered].sort((left, right) => left.localeCompare(right));
+}
+function parsePortValue(value) {
+  if (typeof value === "number" && Number.isFinite(value)) {
+    return Number(value);
+  }
+  if (typeof value === "string") {
+    const parsed = Number(value);
+    if (Number.isFinite(parsed)) {
+      return parsed;
+    }
+  }
+  return 0;
+}
+function resolveMonorepoWorkspaceRoot(projectRoot) {
+  return resolve2(process.env.MONOREPO_ROOT?.trim() || projectRoot);
+}
+function resolveLocalWorkingDir(monorepoRoot, serviceDir, rawWorkingDir) {
+  if (!rawWorkingDir) {
+    return serviceDir;
+  }
+  if (rawWorkingDir.startsWith("/")) {
+    return rawWorkingDir;
+  }
+  if (rawWorkingDir.startsWith(".")) {
+    return resolve2(serviceDir, rawWorkingDir);
+  }
+  return resolve2(monorepoRoot, rawWorkingDir);
+}
+function readNativeServicePlans(projectRoot, selectedServices = []) {
+  const manifestDirs = listManifestDirs(projectRoot);
+  const warnings = [];
+  const services = [];
+  const monorepoRoot = resolveMonorepoWorkspaceRoot(projectRoot);
+  for (const serviceDir of manifestDirs) {
+    const manifestPath = join(serviceDir, "service.yaml");
+    try {
+      const parsed = asRecord(parseYamlSubset(readFileSync2(manifestPath, "utf-8")));
+      const name = asString(parsed?.name) ?? serviceDir.split("/").at(-1) ?? "service";
+      if (selectedServices.length > 0 && !selectedServices.includes(name)) {
+        continue;
+      }
+      const localDev = asRecord(parsed?.local_dev);
+      const runtime = asString(parsed?.runtime) ?? "unknown";
+      const healthcheck = asString(parsed?.healthcheck) ?? "/health";
+      const routePrefix = asString(localDev?.route_prefix);
+      const command = asString(localDev?.command);
+      const requestedMode = asString(localDev?.mode);
+      const environment = asStringMap(localDev?.env);
+      const port = parsePortValue(environment.PORT) || parsePortValue(environment.HTTP_PORT) || parsePortValue(parsed?.port) || 0;
+      const workingDir = resolveLocalWorkingDir(monorepoRoot, serviceDir, asString(localDev?.working_dir));
+      const readinessPath = asString(localDev?.readiness_path) ?? healthcheck;
+      let mode = requestedMode === "process" || requestedMode !== "stub" && command ? "process" : "stub";
+      if (requestedMode === "proxy" && !command) {
+        warnings.push(`${relativePath(projectRoot, manifestPath)} declares local_dev.mode=proxy without a command; treating it as a stub`);
+        mode = "stub";
+      }
+      if (mode === "process" && !command) {
+        warnings.push(`${relativePath(projectRoot, manifestPath)} declares process local_dev mode without a command; treating it as a stub`);
+        mode = "stub";
+      }
+      services.push({
+        name,
+        relativeRootPath: relativePath(projectRoot, serviceDir),
+        absoluteRootPath: serviceDir,
+        runtime,
+        port,
+        healthcheck,
+        routePrefix,
+        mode,
+        command: mode === "process" ? command : null,
+        workingDir,
+        environment,
+        readinessPath
+      });
+    } catch (error) {
+      warnings.push(`Failed to parse ${relativePath(projectRoot, manifestPath)}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  return { services, warnings };
+}
+function readPersistedFabricState(projectRoot) {
+  const { statePath } = resolveServiceFabricPaths(projectRoot);
+  if (!existsSync2(statePath)) {
+    return null;
+  }
+  try {
+    return JSON.parse(readFileSync2(statePath, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function writePersistedFabricState(projectRoot, state) {
+  const { fabricRoot, logsDir, statePath } = resolveServiceFabricPaths(projectRoot);
+  mkdirSync(fabricRoot, { recursive: true });
+  mkdirSync(logsDir, { recursive: true });
+  writeFileSync(statePath, `${JSON.stringify(state, null, 2)}
+`, "utf-8");
+}
+function isProcessRunning(pid) {
+  if (!pid || pid <= 0) {
+    return false;
+  }
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function stopProcess(pid) {
+  if (!pid || pid <= 0) {
+    return;
+  }
+  try {
+    process.kill(pid, "SIGTERM");
+  } catch {
+    return;
+  }
+  const deadline = Date.now() + 5000;
+  while (Date.now() < deadline) {
+    if (!isProcessRunning(pid)) {
+      return;
+    }
+    await Bun.sleep(100);
+  }
+  try {
+    process.kill(pid, "SIGKILL");
+  } catch {}
+}
+async function probeReadiness(service, timeoutMs = 1000) {
+  if (service.mode === "stub") {
+    return true;
+  }
+  if (!isProcessRunning(service.pid) || service.port <= 0) {
+    return false;
+  }
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(`http://127.0.0.1:${service.port}${service.readinessPath}`, {
+      signal: controller.signal
+    });
+    return response.ok;
+  } catch {
+    return false;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function waitForServiceHealthy(service, timeoutMs = 30000) {
+  if (service.mode === "stub") {
+    return true;
+  }
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    if (await probeReadiness(service, 1000)) {
+      return true;
+    }
+    if (!isProcessRunning(service.pid)) {
+      return false;
+    }
+    await Bun.sleep(250);
+  }
+  return false;
+}
+function materializeStateFromPlans(projectRoot, plans, persisted) {
+  const persistedByName = new Map((persisted?.services ?? []).map((service) => [service.name, service]));
+  const { logsDir } = resolveServiceFabricPaths(projectRoot);
+  return plans.map((plan) => {
+    const previous = persistedByName.get(plan.name);
+    return {
+      ...plan,
+      pid: previous?.pid ?? null,
+      logPath: previous?.logPath ?? resolve2(logsDir, `${plan.name}.log`),
+      status: previous?.status ?? "stopped"
+    };
+  });
+}
+function summarizeFabricState(projectRoot, services, warnings, updatedAt) {
+  const { fabricRoot } = resolveServiceFabricPaths(projectRoot);
+  const healthyServiceCount = services.filter((service) => service.status === "healthy").length;
+  const status = services.length === 0 ? "empty" : services.every((service) => service.status === "stopped") ? "stopped" : services.every((service) => service.status === "healthy") ? "ready" : services.some((service) => service.status === "booting") ? "booting" : "degraded";
+  return {
+    updatedAt,
+    status,
+    serviceCount: services.length,
+    healthyServiceCount,
+    stateDir: fabricRoot,
+    services: services.map((service) => ({
+      name: service.name,
+      relativeRootPath: service.relativeRootPath,
+      absoluteRootPath: service.absoluteRootPath,
+      mode: service.mode,
+      port: service.port,
+      healthcheck: service.healthcheck,
+      routePrefix: service.routePrefix,
+      command: service.command,
+      environment: service.environment,
+      status: service.status,
+      pid: service.pid,
+      logPath: service.logPath
+    })),
+    warnings
+  };
+}
+function readWorkspaceTopology(projectRoot, compiledAt = new Date().toISOString()) {
+  const manifestDirs = listManifestDirs(projectRoot);
+  const warnings = [];
+  const services = [];
+  for (const serviceDir of manifestDirs) {
+    const manifestPath = join(serviceDir, "service.yaml");
+    try {
+      const parsed = asRecord(parseYamlSubset(readFileSync2(manifestPath, "utf-8")));
+      const name = asString(parsed?.name) ?? serviceDir.split("/").at(-1) ?? "service";
+      const runtime = asString(parsed?.runtime) ?? "unknown";
+      const portValue = typeof parsed?.port === "number" ? parsed.port : typeof parsed?.port === "string" ? Number(parsed.port) : NaN;
+      services.push({
+        name,
+        relativeRootPath: relativePath(projectRoot, serviceDir),
+        runtime,
+        port: Number.isFinite(portValue) ? Number(portValue) : null,
+        healthcheck: asString(parsed?.healthcheck),
+        splitReadyChecklist: asStringArray(parsed?.split_ready_checklist)
+      });
+    } catch (error) {
+      warnings.push(`Failed to parse ${relativePath(projectRoot, manifestPath)}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  return {
+    compiledAt,
+    status: services.length === 0 ? "empty" : warnings.length > 0 ? "degraded" : "ready",
+    manifestCount: manifestDirs.length,
+    serviceCount: services.length,
+    services,
+    warnings
+  };
+}
+function discoverRemoteHostManifests(projectRoot) {
+  const workspaceRoot = resolveRuntimeWorkspaceRoot(projectRoot);
+  return [
+    join(projectRoot, "rig.remote-hosts.yaml"),
+    resolve2(workspaceRoot, ".rig", "remote-hosts.yaml")
+  ].filter((candidate) => existsSync2(candidate));
+}
+function readWorkspaceRemoteFleet(projectRoot, updatedAt = new Date().toISOString()) {
+  const manifestPaths = discoverRemoteHostManifests(projectRoot);
+  const warnings = [];
+  const hostsById = new Map;
+  for (const manifestPath of manifestPaths) {
+    try {
+      const parsed = asRecord(parseYamlSubset(readFileSync2(manifestPath, "utf-8")));
+      const hosts2 = Array.isArray(parsed?.hosts) ? parsed.hosts : [];
+      for (const entry of hosts2) {
+        const host = asRecord(entry);
+        const id = asString(host?.id);
+        const name = asString(host?.name);
+        const baseUrl = asString(host?.base_url);
+        if (!id || !name || !baseUrl) {
+          warnings.push(`Skipped invalid remote host entry in ${relativePath(projectRoot, manifestPath)}`);
+          continue;
+        }
+        hostsById.set(id, {
+          id,
+          name,
+          baseUrl,
+          workspacePath: asString(host?.workspace_path),
+          transport: asString(host?.transport) ?? "websocket",
+          hostname: asString(host?.hostname),
+          region: asString(host?.region),
+          labels: asStringArray(host?.labels),
+          capabilities: asStringArray(host?.capabilities),
+          runtimeAdapters: ["pi"],
+          status: asString(host?.status) ?? "offline",
+          currentLeaseCount: typeof host?.current_lease_count === "number" ? Number(host.current_lease_count) : 0,
+          manifestPath: relativePath(projectRoot, manifestPath)
+        });
+      }
+    } catch (error) {
+      warnings.push(`Failed to parse ${relativePath(projectRoot, manifestPath)}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  const hosts = [...hostsById.values()].sort((left, right) => left.name.localeCompare(right.name));
+  const onlineHostCount = hosts.filter((host) => ONLINE_REMOTE_HOST_STATUSES.has(host.status)).length;
+  return {
+    updatedAt,
+    status: hosts.length === 0 ? "empty" : warnings.length > 0 || hosts.some((host) => host.status === "degraded" || host.status === "quarantined") ? "degraded" : onlineHostCount > 0 ? "ready" : "degraded",
+    manifestCount: manifestPaths.length,
+    hostCount: hosts.length,
+    onlineHostCount,
+    hosts,
+    warnings
+  };
+}
+async function readWorkspaceServiceFabric(projectRoot) {
+  try {
+    const updatedAt = new Date().toISOString();
+    const persisted = readPersistedFabricState(projectRoot);
+    const plans = readNativeServicePlans(projectRoot);
+    const services = materializeStateFromPlans(projectRoot, plans.services, persisted);
+    for (const service of services) {
+      if (service.status === "stopped") {
+        continue;
+      }
+      if (!isProcessRunning(service.pid)) {
+        service.pid = null;
+        service.status = "stopped";
+        continue;
+      }
+      service.status = await probeReadiness(service, 1000) ? "healthy" : "degraded";
+    }
+    const state = {
+      updatedAt,
+      rootPath: projectRoot,
+      services
+    };
+    writePersistedFabricState(projectRoot, state);
+    return summarizeFabricState(projectRoot, services, plans.warnings, updatedAt);
+  } catch (error) {
+    return {
+      status: "unavailable",
+      warnings: [error instanceof Error ? error.message : String(error)]
+    };
+  }
+}
+async function mutateWorkspaceServiceFabric(projectRoot, command, services = []) {
+  const updatedAt = new Date().toISOString();
+  const persisted = readPersistedFabricState(projectRoot);
+  const plans = readNativeServicePlans(projectRoot, services);
+  const stateServices = materializeStateFromPlans(projectRoot, plans.services, persisted);
+  if (command === "verify") {
+    for (const service of stateServices) {
+      if (service.status === "stopped") {
+        continue;
+      }
+      if (!isProcessRunning(service.pid)) {
+        service.pid = null;
+        service.status = "stopped";
+        continue;
+      }
+      service.status = await probeReadiness(service, 1000) ? "healthy" : "degraded";
+    }
+  } else if (command === "up") {
+    const { logsDir } = resolveServiceFabricPaths(projectRoot);
+    mkdirSync(logsDir, { recursive: true });
+    for (const service of stateServices) {
+      if (service.mode === "stub") {
+        service.pid = null;
+        service.status = "healthy";
+        continue;
+      }
+      if (isProcessRunning(service.pid) && await probeReadiness(service, 1000)) {
+        service.status = "healthy";
+        continue;
+      }
+      if (isProcessRunning(service.pid)) {
+        await stopProcess(service.pid);
+      }
+      const logPath = resolve2(logsDir, `${service.name}.log`);
+      service.logPath = logPath;
+      appendFileSync(logPath, `
+=== ${updatedAt} :: rig service-fabric up :: ${service.name} ===
+`, "utf-8");
+      const logFd = openSync(logPath, "a");
+      try {
+        const child = spawn(service.command || "true", {
+          cwd: service.workingDir,
+          env: { ...process.env, ...service.environment },
+          shell: true,
+          detached: true,
+          stdio: ["ignore", logFd, logFd]
+        });
+        child.unref();
+        service.pid = child.pid ?? null;
+        service.status = "booting";
+      } finally {
+        closeSync(logFd);
+      }
+      service.status = await waitForServiceHealthy(service) ? "healthy" : "degraded";
+      if (service.status !== "healthy" && !isProcessRunning(service.pid)) {
+        service.pid = null;
+        service.status = "failed";
+      }
+    }
+  } else if (command === "down") {
+    for (const service of stateServices) {
+      await stopProcess(service.pid);
+      service.pid = null;
+      service.status = "stopped";
+    }
+  }
+  const merged = new Map;
+  for (const service of persisted?.services ?? []) {
+    merged.set(service.name, service);
+  }
+  for (const service of stateServices) {
+    merged.set(service.name, service);
+  }
+  const nextState = {
+    updatedAt,
+    rootPath: projectRoot,
+    services: [...merged.values()].sort((left, right) => left.name.localeCompare(right.name))
+  };
+  writePersistedFabricState(projectRoot, nextState);
+  return summarizeFabricState(projectRoot, stateServices, plans.warnings, updatedAt);
+}
+function countRuntimeDirs(projectRoot) {
+  const runtimeRoot = resolve2(resolveRuntimeWorkspaceRoot(projectRoot), ".rig", "runtime", "agents");
+  if (!existsSync2(runtimeRoot)) {
+    return 0;
+  }
+  return readdirSync(runtimeRoot, { withFileTypes: true }).filter((entry) => entry.isDirectory()).length;
+}
+function countArtifactTaskDirs(projectRoot) {
+  const artifactRoot = resolve2(resolveRuntimeWorkspaceRoot(projectRoot), "artifacts");
+  if (!existsSync2(artifactRoot)) {
+    return 0;
+  }
+  return readdirSync(artifactRoot, { withFileTypes: true }).filter((entry) => entry.isDirectory() && entry.name !== "remote-runs").length;
+}
+async function readWorkspaceSummary(projectRoot) {
+  const generatedAt = new Date().toISOString();
+  const warnings = [];
+  const topology = readWorkspaceTopology(projectRoot, generatedAt);
+  const remoteFleet = readWorkspaceRemoteFleet(projectRoot, generatedAt);
+  const serviceFabric = await readWorkspaceServiceFabric(projectRoot);
+  if (serviceFabric?.warnings) {
+    warnings.push(...serviceFabric.warnings.map((warning) => String(warning)));
+  }
+  warnings.push(...topology.warnings, ...remoteFleet.warnings);
+  return {
+    rootPath: projectRoot,
+    taskCounts: collectTaskCounts(projectRoot),
+    runtimeCount: countRuntimeDirs(projectRoot),
+    artifactTaskCount: countArtifactTaskDirs(projectRoot),
+    failedApproachesPresent: existsSync2(resolve2(resolveRuntimeWorkspaceRoot(projectRoot), ".rig", "state", "failed_approaches.md")),
+    topology,
+    remoteFleet,
+    serviceFabric,
+    warnings,
+    generatedAt
+  };
+}
+
+// packages/cli-surface-plugin/src/commands/workspace.ts
 async function executeWorkspace(context, args) {
   const [command = "summary", ...rest] = args;
   switch (command) {