@h-rig/cli-surface-plugin 0.0.6-alpha.157 → 0.0.6-alpha.159

package/dist/src/commands/dist.js

@@ -1,33 +1,753 @@
 // @bun
 // packages/cli-surface-plugin/src/commands/dist.ts
 import {
-  chmodSync,
-  copyFileSync,
-  existsSync,
-  mkdirSync,
+  chmodSync as chmodSync2,
+  copyFileSync as copyFileSync2,
+  existsSync as existsSync2,
+  mkdirSync as mkdirSync2,
   readdirSync,
   readlinkSync,
-  rmSync,
-  statSync,
+  rmSync as rmSync2,
+  statSync as statSync2,
   symlinkSync,
   unlinkSync
 } from "fs";
 import { homedir as homedir2 } from "os";
-import { resolve as resolve3 } from "path";
+import { resolve as resolve5 } from "path";
 
 // packages/cli-surface-plugin/src/runner.ts
-import { EventBus } from "@rig/runtime/control-plane/runtime/events";
-import { CliError as RuntimeCliError } from "@rig/runtime/control-plane/errors";
-import { evaluate, loadPolicy, resolveAction } from "@rig/runtime/control-plane/runtime/guard";
-import { buildBinary } from "@rig/runtime/control-plane/runtime/isolation";
+import { EventBus } from "@rig/core/runtime-events";
+import { CliError as RuntimeCliError } from "@rig/contracts";
+
+// packages/cli-surface-plugin/src/control-plane/guard.ts
+import { optimizeNextInvocation } from "bun:jsc";
+import { existsSync, readFileSync, statSync } from "fs";
+import { resolve } from "path";
+
+// packages/cli-surface-plugin/src/control-plane/scope.ts
+import { getScopeRules } from "@rig/core/scope-rules";
+var scopeRegexCache = new Map;
+function unique(values) {
+  return [...new Set(values)];
+}
+function normalizeRelativeScopePath(inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  const rules = getScopeRules();
+  if (rules?.stripPrefixes) {
+    for (const prefix of rules.stripPrefixes) {
+      if (normalized.startsWith(prefix)) {
+        normalized = normalized.slice(prefix.length);
+      }
+    }
+  }
+  return normalized;
+}
+function normalizePathToScope(projectRoot, monorepoRoot, inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  if (normalized.startsWith(projectRoot + "/")) {
+    normalized = normalized.slice(projectRoot.length + 1);
+  }
+  if (normalized.startsWith(monorepoRoot + "/")) {
+    normalized = normalized.slice(monorepoRoot.length + 1);
+  }
+  return normalizeRelativeScopePath(normalized);
+}
+function scopeGlobToRegex(glob) {
+  const cached = scopeRegexCache.get(glob);
+  if (cached) {
+    return cached;
+  }
+  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "__GLOBSTAR__").replace(/\*/g, "[^/]*").replace(/__GLOBSTAR__/g, ".*");
+  const compiled = new RegExp(`^${escaped}$`);
+  scopeRegexCache.set(glob, compiled);
+  return compiled;
+}
+function scopeMatches(path, scopes) {
+  const pathVariants = unique([path, normalizeRelativeScopePath(path)]);
+  for (const scope of scopes) {
+    const scopeVariants = unique([scope, normalizeRelativeScopePath(scope)]);
+    for (const candidatePath of pathVariants) {
+      for (const candidateScope of scopeVariants) {
+        if (candidatePath === candidateScope || scopeGlobToRegex(candidateScope).test(candidatePath)) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
 
+// packages/cli-surface-plugin/src/control-plane/guard.ts
+import {
+  POLICY_VERSION
+} from "@rig/contracts";
+var DEFAULT_SCOPE = {
+  fail_closed: true,
+  harness_paths_exempt: true,
+  runtime_paths_exempt: true
+};
+var DEFAULT_SANDBOX = {
+  mode: "enforce",
+  network: true,
+  read_deny: [],
+  write_allow_from_runtime: true
+};
+var DEFAULT_ISOLATION = {
+  default_mode: "worktree",
+  repo_symlink_fallback: false,
+  strict_provisioning: true,
+  fail_closed_on_provision_error: true
+};
+var DEFAULT_COMPLETION = {
+  derive_checks_from_scope: true,
+  checks: [],
+  typescript_config_probe: ["tsconfig.json"],
+  eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+};
+var DEFAULT_RUNTIME_IMAGE = {
+  deps: {
+    monorepo_install: false,
+    hp_next_install: false
+  },
+  plugins_require_binaries: true
+};
+var DEFAULT_RUNTIME_SNAPSHOT = {
+  enabled: true
+};
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+var policyCache = null;
+var policyCachePath = null;
+var seededPolicyConfig = null;
+var compiledRegexCache = new Map;
+function loadPolicy(projectRoot) {
+  if (seededPolicyConfig) {
+    return seededPolicyConfig;
+  }
+  const configPath = resolve(projectRoot, "rig/policy/policy.json");
+  if (!existsSync(configPath)) {
+    return defaultPolicy();
+  }
+  let mtimeMs;
+  try {
+    mtimeMs = statSync(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync(configPath, "utf-8"));
+  } catch {
+    return defaultPolicy();
+  }
+  const config = mergeWithDefaults(parsed);
+  policyCache = { mtimeMs, config };
+  policyCachePath = configPath;
+  return config;
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode)) {
+    base.mode = parsed.mode;
+  }
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const s = parsed.scope;
+    if (typeof s.fail_closed === "boolean")
+      base.scope.fail_closed = s.fail_closed;
+    if (typeof s.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = s.harness_paths_exempt;
+    if (typeof s.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = s.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules)) {
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  }
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sb = parsed.sandbox;
+    if (typeof sb.mode === "string" && isValidMode(sb.mode))
+      base.sandbox.mode = sb.mode;
+    if (typeof sb.network === "boolean")
+      base.sandbox.network = sb.network;
+    if (Array.isArray(sb.read_deny))
+      base.sandbox.read_deny = sb.read_deny.filter((v) => typeof v === "string");
+    if (typeof sb.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sb.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const iso = parsed.isolation;
+    if (iso.default_mode === "worktree")
+      base.isolation.default_mode = iso.default_mode;
+    if (typeof iso.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = iso.repo_symlink_fallback;
+    if (typeof iso.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = iso.strict_provisioning;
+    if (typeof iso.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = iso.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const comp = parsed.completion;
+    if (typeof comp.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = comp.derive_checks_from_scope;
+    if (Array.isArray(comp.checks))
+      base.completion.checks = comp.checks.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.typescript_config_probe))
+      base.completion.typescript_config_probe = comp.typescript_config_probe.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.eslint_config_probe))
+      base.completion.eslint_config_probe = comp.eslint_config_probe.filter((v) => typeof v === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean") {
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      }
+      if (typeof deps.hp_next_install === "boolean") {
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+      }
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean") {
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+    }
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean") {
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+    }
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const r = value;
+  return typeof r.id === "string" && typeof r.category === "string" && r.match != null && typeof r.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    rules.push({
+      id: entry.id,
+      category: "command",
+      match,
+      action: "block",
+      ...typeof entry.description === "string" ? { description: entry.description } : {}
+    });
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiledRegex = rule.match.regex ? compileSafeRegex(rule.match.regex, `rules.${rule.id}.match.regex`, true) : undefined;
+    const compiledUnlessRegex = rule.unless?.regex ? compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, true) : undefined;
+    return {
+      ...rule,
+      ...compiledRegex ? { compiledRegex } : {},
+      ...compiledUnlessRegex ? { compiledUnlessRegex } : {}
+    };
+  });
+}
+function getRegexUnsafeReason(pattern) {
+  if (pattern.length > 512) {
+    return "pattern exceeds max safe length (512 chars)";
+  }
+  if (/\\[1-9]/.test(pattern)) {
+    return "pattern uses backreferences";
+  }
+  if (/\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested quantifiers";
+  }
+  if (/\((?:[^()\\]|\\.)*\.\\?[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested broad quantifiers";
+  }
+  return null;
+}
+function compileSafeRegex(pattern, sourceLabel, logOnFailure) {
+  const cached = compiledRegexCache.get(pattern);
+  if (cached !== undefined) {
+    return cached ?? undefined;
+  }
+  const unsafeReason = getRegexUnsafeReason(pattern);
+  if (unsafeReason) {
+    if (logOnFailure) {
+      console.warn(`[policy] Skipping unsafe regex in ${sourceLabel}: ${unsafeReason}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+  try {
+    const compiled = new RegExp(pattern);
+    compiledRegexCache.set(pattern, compiled);
+    return compiled;
+  } catch (error) {
+    if (logOnFailure) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.warn(`[policy] Skipping invalid regex in ${sourceLabel}: ${message}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+}
+function matchRule(rule, input) {
+  const { match } = rule;
+  if (match.pattern && input.includes(match.pattern)) {
+    return true;
+  }
+  if (match.regex) {
+    const compiled = rule.compiledRegex || compileSafeRegex(match.regex, `rules.${rule.id}.match.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      return compiled.test(input);
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function matchRuleUnless(rule, command, taskId) {
+  if (!rule.unless)
+    return false;
+  if (rule.unless.regex) {
+    const compiled = rule.compiledUnlessRegex || compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      if (compiled.test(command))
+        return true;
+    } catch {}
+  }
+  if (rule.unless.task_in && taskId) {
+    if (rule.unless.task_in.includes(taskId))
+      return true;
+  }
+  return false;
+}
+function resolveAction(mode, matched) {
+  if (matched.length === 0)
+    return "allow";
+  if (mode === "off")
+    return "allow";
+  if (mode === "observe")
+    return "warn";
+  return "block";
+}
+function resolveAbsolutePath(projectRoot, rawPath) {
+  if (rawPath.startsWith("/"))
+    return resolve(rawPath);
+  return resolve(projectRoot, rawPath);
+}
+function isHarnessPath(projectRoot, rawPath) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  const managedRoots = [
+    resolve(projectRoot, "rig"),
+    resolve(projectRoot, ".rig"),
+    resolve(projectRoot, "artifacts")
+  ];
+  return managedRoots.some((root) => absPath === root || absPath.startsWith(root + "/"));
+}
+function isRuntimePath(projectRoot, rawPath, taskWorkspace) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  if (taskWorkspace) {
+    const workspaceRigRoot = resolve(taskWorkspace, ".rig");
+    const workspaceArtifactsRoot = resolve(taskWorkspace, "artifacts");
+    if (absPath === workspaceRigRoot || absPath.startsWith(workspaceRigRoot + "/") || absPath === workspaceArtifactsRoot || absPath.startsWith(workspaceArtifactsRoot + "/")) {
+      return true;
+    }
+  }
+  const runtimeRoot = resolve(projectRoot, ".rig/runtime/agents");
+  return absPath === runtimeRoot || absPath.startsWith(runtimeRoot + "/");
+}
+function isTestFile(path) {
+  return /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(path) || /\/(__tests__|tests|test)\//.test(path);
+}
+function evaluate(context) {
+  const policy = loadPolicy(context.projectRoot);
+  switch (context.evaluation.type) {
+    case "tool-call":
+      return evaluateToolCall(policy, context);
+    case "command":
+      return evaluateCommand(policy, context);
+    case "content-write":
+      return evaluateContent(policy, context);
+    case "file-access":
+      return evaluateScope(policy, context, context.evaluation.file_path, context.evaluation.access);
+  }
+}
+function evaluateScope(policy, context, filePath, access) {
+  const allowed = () => ({
+    allowed: true,
+    matchedRules: [],
+    action: "allow",
+    failClosed: false
+  });
+  if (policy.scope.harness_paths_exempt && isHarnessPath(context.projectRoot, filePath)) {
+    return allowed();
+  }
+  if (policy.scope.runtime_paths_exempt && isRuntimePath(context.projectRoot, filePath, context.taskWorkspace)) {
+    return allowed();
+  }
+  if (!context.taskId) {
+    if (access === "write" && policy.scope.fail_closed) {
+      return {
+        allowed: false,
+        matchedRules: [],
+        action: resolveAction(policy.mode, [{ id: "scope:no-task", category: "command", reason: "No active task; fail-closed for write operations" }]),
+        failClosed: true
+      };
+    }
+    return allowed();
+  }
+  const scopes = context.taskScopes || [];
+  if (scopes.length === 0) {
+    return allowed();
+  }
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith("/")) {
+    const absPath = resolve(filePath);
+    if (!absPath.startsWith(context.taskWorkspace + "/") && !isHarnessPath(context.projectRoot, filePath)) {
+      const reason2 = `Absolute path '${filePath}' is outside task runtime boundary. Allowed root: ${context.taskWorkspace}`;
+      const matched2 = [{ id: "scope:workspace-boundary", category: "command", reason: reason2 }];
+      return {
+        allowed: policy.mode !== "enforce",
+        matchedRules: matched2,
+        action: resolveAction(policy.mode, matched2),
+        failClosed: false
+      };
+    }
+  }
+  const monorepoRoot = context.monorepoRoot || process.env.MONOREPO_ROOT?.trim() || context.taskWorkspace || context.projectRoot;
+  let normalizedPath = filePath;
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith(context.taskWorkspace + "/")) {
+    normalizedPath = filePath.slice(context.taskWorkspace.length + 1);
+  }
+  normalizedPath = normalizePathToScope(context.projectRoot, monorepoRoot, normalizedPath);
+  if (scopeMatches(filePath, scopes) || scopeMatches(normalizedPath, scopes)) {
+    return allowed();
+  }
+  const reason = `File '${filePath}' (normalized: '${normalizedPath}') is outside scope of task ${context.taskId}`;
+  const matched = [{ id: "scope:out-of-scope", category: "command", reason }];
+  return {
+    allowed: policy.mode !== "enforce",
+    matchedRules: matched,
+    action: resolveAction(policy.mode, matched),
+    failClosed: false
+  };
+}
+function evaluateCommand(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "command") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const command = evaluation.command;
+  const matchedRules = [];
+  for (const rule of policy.rules) {
+    if (rule.category !== "command")
+      continue;
+    if (!matchRule(rule, command))
+      continue;
+    if (matchRuleUnless(rule, command, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      ...rule.description !== undefined ? { description: rule.description } : {},
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const writeTarget = extractWriteTarget(command);
+  if (writeTarget && !/^\/dev\//.test(writeTarget) && !/^\/proc\//.test(writeTarget)) {
+    const scopeResult = evaluateScope(policy, context, writeTarget, "write");
+    if (!scopeResult.allowed || scopeResult.matchedRules.length > 0) {
+      matchedRules.push(...scopeResult.matchedRules);
+    }
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function extractWriteTarget(command) {
+  const redirect = command.match(/>>?\s+([^\s;|&]+)/);
+  if (redirect?.[1])
+    return redirect[1];
+  const tee = command.match(/tee\s+(-a\s+)?([^\s;|&]+)/);
+  if (tee?.[2])
+    return tee[2];
+  return "";
+}
+function evaluateContent(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "content-write") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { content, file_path } = evaluation;
+  const matchedRules = [];
+  const scopeResult = evaluateScope(policy, context, file_path, "write");
+  if (scopeResult.matchedRules.length > 0) {
+    matchedRules.push(...scopeResult.matchedRules);
+  }
+  for (const rule of policy.rules) {
+    if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+      continue;
+    if (rule.applies_to === "test-files" && !isTestFile(file_path))
+      continue;
+    if (!matchRule(rule, content))
+      continue;
+    if (matchRuleUnless(rule, content, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      ...rule.description !== undefined ? { description: rule.description } : {},
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function evaluateToolCall(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "tool-call") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { tool_name, tool_input } = evaluation;
+  const allMatched = [];
+  const filePaths = extractFilePathsFromToolInput(tool_name, tool_input);
+  for (const fp of filePaths) {
+    const access = isWriteTool(tool_name) ? "write" : "read";
+    const scopeResult = evaluateScope(policy, context, fp, access);
+    if (scopeResult.matchedRules.length > 0) {
+      allMatched.push(...scopeResult.matchedRules);
+    }
+  }
+  const content = extractContentFromToolInput(tool_input);
+  if (content) {
+    const filePath = filePaths[0] || "";
+    const contentContext = {
+      ...context,
+      evaluation: { type: "content-write", file_path: filePath, content }
+    };
+    const contentPolicy = loadPolicy(context.projectRoot);
+    for (const rule of contentPolicy.rules) {
+      if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+        continue;
+      if (rule.applies_to === "test-files" && !isTestFile(filePath))
+        continue;
+      if (!matchRule(rule, content))
+        continue;
+      if (matchRuleUnless(rule, content, context.taskId))
+        continue;
+      allMatched.push({
+        id: rule.id,
+        category: rule.category,
+        ...rule.description !== undefined ? { description: rule.description } : {},
+        reason: rule.description || `Matched rule ${rule.id}`
+      });
+    }
+  }
+  if (tool_name === "Bash") {
+    const command = String(tool_input.command || tool_input.cmd || "");
+    if (command) {
+      const cmdContext = {
+        ...context,
+        evaluation: { type: "command", command }
+      };
+      const cmdResult = evaluateCommand(policy, cmdContext);
+      if (cmdResult.matchedRules.length > 0) {
+        allMatched.push(...cmdResult.matchedRules);
+      }
+    }
+  }
+  const seen = new Set;
+  const deduplicated = [];
+  for (const rule of allMatched) {
+    if (!seen.has(rule.id)) {
+      seen.add(rule.id);
+      deduplicated.push(rule);
+    }
+  }
+  const action = resolveAction(policy.mode, deduplicated);
+  return {
+    allowed: action !== "block",
+    matchedRules: deduplicated,
+    action,
+    failClosed: false
+  };
+}
+function isWriteTool(toolName) {
+  return toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit";
+}
+function extractFilePathsFromToolInput(toolName, input) {
+  const paths = [];
+  const add = (value) => {
+    if (typeof value === "string" && value.trim()) {
+      paths.push(value.trim());
+    }
+  };
+  if (toolName === "Read" || toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit") {
+    add(input.file_path);
+    add(input.path);
+  } else if (toolName === "Glob") {
+    add(input.path);
+  } else if (toolName === "Grep") {
+    add(input.path);
+  } else {
+    add(input.file_path);
+    add(input.path);
+  }
+  return paths;
+}
+function extractContentFromToolInput(input) {
+  if (typeof input.content === "string")
+    return input.content;
+  if (typeof input.new_string === "string")
+    return input.new_string;
+  return "";
+}
+var guardHotPathPrimed = false;
+function primeGuardHotPaths() {
+  if (guardHotPathPrimed) {
+    return;
+  }
+  guardHotPathPrimed = true;
+  try {
+    optimizeNextInvocation(matchRule);
+    optimizeNextInvocation(evaluate);
+  } catch {}
+}
+primeGuardHotPaths();
+
+// packages/cli-surface-plugin/src/control-plane/agent-binary-build.ts
+import { chmodSync, copyFileSync, linkSync, mkdirSync, rmSync, writeFileSync } from "fs";
+import { basename, dirname, resolve as resolve2 } from "path";
+import { runtimeProvisioningEnv } from "@rig/core/runtime-provisioning-env";
+
+// packages/cli-surface-plugin/src/control-plane/embedded-native-assets.ts
+var embeddedNatives = null;
+
+// packages/cli-surface-plugin/src/control-plane/agent-binary-build.ts
+function materializeSelfExecRole(outputPath, define) {
+  const selfPath = process.execPath;
+  mkdirSync(dirname(outputPath), { recursive: true });
+  rmSync(outputPath, { force: true });
+  try {
+    linkSync(selfPath, outputPath);
+  } catch {
+    copyFileSync(selfPath, outputPath);
+  }
+  chmodSync(outputPath, 493);
+  const role = basename(outputPath).replace(/\.exe$/i, "");
+  writeFileSync(`${outputPath}.rig-runconfig.json`, `${JSON.stringify({ role, define: define ?? {} }, null, 2)}
+`, { mode: 384 });
+}
+function hasEmbeddedNatives() {
+  return embeddedNatives !== null;
+}
+async function buildAgentBinary(entrypoint, outputPath, cwd, defines) {
+  if (hasEmbeddedNatives()) {
+    materializeSelfExecRole(outputPath, defines);
+    return;
+  }
+  await buildRuntimeBinary({
+    entrypoint,
+    outputPath,
+    cwd,
+    ...defines ? { define: defines } : {},
+    env: runtimeProvisioningEnv()
+  });
+}
+async function buildRuntimeBinary(options) {
+  mkdirSync(dirname(options.outputPath), { recursive: true });
+  await withTemporaryEnv({
+    ...options.env,
+    ...options.define ? { RIG_BUILD_CONFIG_JSON: JSON.stringify(options.define) } : {}
+  }, async () => {
+    const result = await Bun.build({
+      entrypoints: [resolve2(options.cwd, options.entrypoint)],
+      compile: { outfile: options.outputPath },
+      target: "bun",
+      format: "esm",
+      minify: true,
+      bytecode: true,
+      ...options.define ? { define: { __RIG_BUILD_CONFIG__: JSON.stringify(options.define) } } : {}
+    });
+    if (!result.success) {
+      throw new Error(result.logs.map((log) => log.message).join(`
+`) || `Failed to compile ${options.entrypoint}`);
+    }
+  });
+  chmodSync(options.outputPath, 493);
+}
+async function withTemporaryEnv(env, callback) {
+  const previous = {};
+  for (const [key, value] of Object.entries(env)) {
+    previous[key] = process.env[key];
+    if (value === undefined) {
+      delete process.env[key];
+    } else {
+      process.env[key] = value;
+    }
+  }
+  try {
+    return await callback();
+  } finally {
+    for (const [key, value] of Object.entries(previous)) {
+      if (value === undefined) {
+        delete process.env[key];
+      } else {
+        process.env[key] = value;
+      }
+    }
+  }
+}
+
+// packages/cli-surface-plugin/src/runner.ts
 class CliError extends RuntimeCliError {
-  hint;
   constructor(message, exitCode = 1, options = {}) {
-    super(message, exitCode);
-    if (options.hint?.trim()) {
-      this.hint = options.hint.trim();
-    }
+    super(message, exitCode, options);
   }
 }
 function takeOption(args, option) {
@@ -58,15 +778,13 @@ Usage: ${usage}`);
 }
 
 // packages/cli-surface-plugin/src/commands/dist.ts
-import {
-  computeRuntimeImageFingerprint,
-  computeRuntimeImageId
-} from "@rig/runtime/control-plane/runtime/image/index";
-import { buildBinary as buildBinary2 } from "@rig/runtime/control-plane/runtime/isolation";
+import { GUARD_TOOLCHAIN_SOURCES, ISOLATION_BACKEND, LIFECYCLE_TOOLCHAIN_SOURCES } from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import { loadCapabilityForRoot } from "@rig/core/capability-loaders";
 
 // packages/cli-surface-plugin/src/commands/_parsers.ts
 import { homedir } from "os";
-import { resolve } from "path";
+import { resolve as resolve3 } from "path";
 function parseInstallScope(value) {
   if (!value || value === "user") {
     return "user";
@@ -78,34 +796,34 @@ function parseInstallScope(value) {
 }
 function resolveInstallDir(scope, explicitPath) {
   if (explicitPath) {
-    return resolve(explicitPath);
+    return resolve3(explicitPath);
   }
   if (scope === "system") {
     return "/usr/local/bin";
   }
-  return resolve(homedir(), ".local/bin");
+  return resolve3(homedir(), ".local/bin");
 }
 
 // packages/cli-surface-plugin/src/commands/_paths.ts
-import { resolve as resolve2 } from "path";
-import { resolveMonorepoRoot } from "@rig/runtime/layout";
+import { resolve as resolve4 } from "path";
+import { resolveMonorepoRoot } from "@rig/core/layout";
 function resolveControlPlaneMonorepoRoot(projectRoot) {
   return resolveMonorepoRoot(projectRoot);
 }
 function resolveControlPlaneHostStateRoot(projectRoot) {
-  return resolve2(projectRoot, ".rig");
+  return resolve4(projectRoot, ".rig");
 }
 function resolveControlPlaneHostBinDir(projectRoot) {
-  return resolve2(resolveControlPlaneHostStateRoot(projectRoot), "bin");
+  return resolve4(resolveControlPlaneHostStateRoot(projectRoot), "bin");
 }
 function resolveControlPlaneHostDistDir(projectRoot) {
-  return resolve2(resolveControlPlaneHostStateRoot(projectRoot), "dist");
+  return resolve4(resolveControlPlaneHostStateRoot(projectRoot), "dist");
 }
 function resolveControlPlaneMonorepoStateRoot(projectRoot) {
-  return resolve2(resolveControlPlaneMonorepoRoot(projectRoot), ".rig");
+  return resolve4(resolveControlPlaneMonorepoRoot(projectRoot), ".rig");
 }
 function resolveControlPlaneMonorepoRuntimeDir(projectRoot) {
-  return resolve2(resolveControlPlaneMonorepoStateRoot(projectRoot), "runtime");
+  return resolve4(resolveControlPlaneMonorepoStateRoot(projectRoot), "runtime");
 }
 
 // packages/cli-surface-plugin/src/commands/_probes.ts
@@ -119,15 +837,29 @@ async function runQuietBinaryProbe(binaryPath, args, cwd) {
 }
 
 // packages/cli-surface-plugin/src/commands/dist.ts
+var GuardToolchainSourcesCap = defineCapability(GUARD_TOOLCHAIN_SOURCES);
+var LifecycleToolchainSourcesCap = defineCapability(LIFECYCLE_TOOLCHAIN_SOURCES);
+async function resolveToolchainBuildTargets(projectRoot) {
+  const contributions = [];
+  for (const cap of [GuardToolchainSourcesCap, LifecycleToolchainSourcesCap]) {
+    const contribution = await loadCapabilityForRoot(projectRoot, cap);
+    if (contribution)
+      contributions.push(contribution);
+  }
+  return contributions.flatMap((contribution) => [
+    ...Object.entries(contribution.namedSources ?? {}),
+    ...(contribution.hookBinaries ?? []).map((hook) => [hook.name, hook.source])
+  ]);
+}
 function collectRigValidatorBuildTargets(input) {
-  const validatorsRoot = resolve3(input.hostProjectRoot, "packages/runtime/src/control-plane/validators");
-  if (!existsSync(validatorsRoot))
+  const validatorsRoot = resolve5(input.hostProjectRoot, "packages/validator-kit/src/validators");
+  if (!existsSync2(validatorsRoot))
     return [];
   const targets = [];
   for (const category of readdirSync(validatorsRoot, { withFileTypes: true })) {
     if (!category.isDirectory())
       continue;
-    const categoryDir = resolve3(validatorsRoot, category.name);
+    const categoryDir = resolve5(validatorsRoot, category.name);
     for (const entry of readdirSync(categoryDir, { withFileTypes: true })) {
       if (!entry.isFile() || !entry.name.endsWith(".ts"))
         continue;
@@ -136,8 +868,8 @@ function collectRigValidatorBuildTargets(input) {
         continue;
       const validatorName = `${category.name}-${check}`;
       targets.push({
-        source: `packages/runtime/src/control-plane/validators/${category.name}/${entry.name}`,
-        dest: resolve3(input.imageDir, `bin/validators/${validatorName}`),
+        source: `packages/validator-kit/src/validators/${category.name}/${entry.name}`,
+        dest: resolve5(input.imageDir, `bin/validators/${validatorName}`),
         cwd: input.hostProjectRoot
       });
     }
@@ -146,17 +878,17 @@ function collectRigValidatorBuildTargets(input) {
 }
 async function findLatestDistBinary(projectRoot) {
   const distRoot = resolveControlPlaneHostDistDir(projectRoot);
-  if (!existsSync(distRoot)) {
+  if (!existsSync2(distRoot)) {
     return null;
   }
   const candidates = [];
   for (const entry of readdirSync(distRoot, { withFileTypes: true })) {
     if (!entry.name.startsWith("rig-") && entry.name !== "rig")
       continue;
-    const entryPath = resolve3(distRoot, entry.name);
-    const binary = entry.isDirectory() ? resolve3(entryPath, "bin", "rig") : entryPath;
+    const entryPath = resolve5(distRoot, entry.name);
+    const binary = entry.isDirectory() ? resolve5(entryPath, "bin", "rig") : entryPath;
     try {
-      const stat = statSync(binary);
+      const stat = statSync2(binary);
       if (stat.isFile())
         candidates.push({ path: binary, mtimeMs: stat.mtimeMs });
     } catch {}
@@ -174,7 +906,7 @@ async function isRunnableRigBinary(binaryPath, projectRoot) {
 async function runDistDoctor(projectRoot) {
   const bunPath = Bun.which("bun");
   const rigPath = Bun.which("rig");
-  const userBinDir = resolve3(homedir2(), ".local/bin");
+  const userBinDir = resolve5(homedir2(), ".local/bin");
   const userBinInPath = (process.env.PATH || "").split(":").filter(Boolean).includes(userBinDir);
   let rigRunnable = false;
   if (rigPath) {
@@ -201,16 +933,16 @@ function rigRunSiblingOf(binaryPath) {
   const suffix = name.toLowerCase().endsWith(".exe") ? ".exe" : "";
   const stem = suffix ? name.slice(0, -suffix.length) : name;
   const sibling = stem === "rig" ? `rig-run${suffix}` : stem.startsWith("rig-") ? `${stem.replace(/^rig/, "rig-run")}${suffix}` : `rig-run${suffix}`;
-  return resolve3(binaryPath, "..", sibling);
+  return resolve5(binaryPath, "..", sibling);
 }
 function installExecutable(source, target) {
-  if (resolve3(source) !== resolve3(target)) {
-    if (existsSync(target)) {
+  if (resolve5(source) !== resolve5(target)) {
+    if (existsSync2(target)) {
       unlinkSync(target);
     }
-    copyFileSync(source, target);
+    copyFileSync2(source, target);
   }
-  chmodSync(target, 493);
+  chmodSync2(target, 493);
 }
 async function executeDist(context, args) {
   const [command = "build", ...rest] = args;
@@ -233,22 +965,22 @@ async function executeDist(context, args) {
       requireNoExtraArgs(pending, "rig dist install [--scope user|system] [--dir <dir>]");
       const scope = parseInstallScope(scopeResult.value);
       const installDir = resolveInstallDir(scope, pathResult.value);
-      mkdirSync(installDir, { recursive: true });
+      mkdirSync2(installDir, { recursive: true });
       let source = await findLatestDistBinary(context.projectRoot);
       let buildDir = null;
       if (!source) {
-        buildDir = resolve3(resolveControlPlaneHostDistDir(context.projectRoot), `rig-install-${Date.now()}`);
+        buildDir = resolve5(resolveControlPlaneHostDistDir(context.projectRoot), `rig-install-${Date.now()}`);
         await context.runCommand(["bun", "run", "packages/cli/bin/build-rig-binaries.ts", "--output-dir", buildDir]);
-        source = resolve3(buildDir, "bin", "rig");
+        source = resolve5(buildDir, "bin", "rig");
       }
-      if (!existsSync(source)) {
+      if (!existsSync2(source)) {
         throw new CliError(`Unable to locate rig binary at ${source}.`, 2, { hint: "Build it first with `rig dist build`, then re-run `rig dist install`." });
       }
-      const installedPath = resolve3(installDir, "rig");
+      const installedPath = resolve5(installDir, "rig");
       const installedRigRunPath = rigRunSiblingOf(installedPath);
       const sourceRigRun = rigRunSiblingOf(source);
       installExecutable(source, installedPath);
-      installExecutable(existsSync(sourceRigRun) ? sourceRigRun : source, installedRigRunPath);
+      installExecutable(existsSync2(sourceRigRun) ? sourceRigRun : source, installedRigRunPath);
       const pathEntries = (process.env.PATH || "").split(":").filter(Boolean);
       const inPath = pathEntries.includes(installDir);
       if (context.outputMode === "text") {
@@ -268,7 +1000,7 @@ async function executeDist(context, args) {
           installedPath,
           installedRigRunPath,
           sourcePath: source,
-          sourceRigRunPath: existsSync(sourceRigRun) ? sourceRigRun : null,
+          sourceRigRunPath: existsSync2(sourceRigRun) ? sourceRigRun : null,
           builtNow: Boolean(buildDir),
           inPath
         }
@@ -287,56 +1019,50 @@ async function executeDist(context, args) {
     }
     case "rebuild-agent": {
       requireNoExtraArgs(rest, "rig dist rebuild-agent");
-      const fp = await computeRuntimeImageFingerprint(context.projectRoot);
-      const currentId = computeRuntimeImageId(fp);
-      const imagesDir = resolve3(resolveControlPlaneMonorepoRuntimeDir(context.projectRoot), "images");
-      mkdirSync(imagesDir, { recursive: true });
+      const isolationBackend = await loadCapabilityForRoot(context.projectRoot, defineCapability(ISOLATION_BACKEND));
+      if (!isolationBackend) {
+        throw new CliError("Isolation backend capability unavailable: ensure @rig/isolation-plugin is installed in rig.config.", 1, { hint: "Run `rig dist rebuild-agent` from a project with a valid rig.config." });
+      }
+      const fp = await isolationBackend.computeRuntimeImageFingerprint(context.projectRoot);
+      const currentId = isolationBackend.computeRuntimeImageId(fp);
+      const imagesDir = resolve5(resolveControlPlaneMonorepoRuntimeDir(context.projectRoot), "images");
+      mkdirSync2(imagesDir, { recursive: true });
       let pruned = 0;
       for (const entry of readdirSync(imagesDir, { withFileTypes: true })) {
         if (entry.isDirectory() && entry.name !== currentId) {
-          rmSync(resolve3(imagesDir, entry.name), { recursive: true, force: true });
+          rmSync2(resolve5(imagesDir, entry.name), { recursive: true, force: true });
           pruned++;
         }
       }
       if (pruned > 0 && context.outputMode === "text") {
         console.log(`Pruned ${pruned} stale image(s).`);
       }
-      const imageDir = resolve3(imagesDir, currentId);
-      mkdirSync(resolve3(imageDir, "bin/hooks"), { recursive: true });
-      mkdirSync(resolve3(imageDir, "bin/plugins"), { recursive: true });
-      mkdirSync(resolve3(imageDir, "bin/validators"), { recursive: true });
-      const hookNames = [
-        "scope-guard",
-        "import-guard",
-        "safety-guard",
-        "test-integrity-guard",
-        "audit-trail",
-        "post-edit-lint",
-        "completion-verification",
-        "inject-context",
-        "task-runtime-start"
-      ];
+      const imageDir = resolve5(imagesDir, currentId);
+      mkdirSync2(resolve5(imageDir, "bin/hooks"), { recursive: true });
+      mkdirSync2(resolve5(imageDir, "bin/plugins"), { recursive: true });
+      mkdirSync2(resolve5(imageDir, "bin/validators"), { recursive: true });
       const targets = [];
       const hostProjectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || context.projectRoot;
-      targets.push({ source: "packages/cli/bin/rig-agent.ts", dest: resolve3(imageDir, "bin/rig-agent"), cwd: hostProjectRoot });
-      targets.push({ source: "packages/runtime/bin/rig-agent-dispatch.ts", dest: resolve3(resolveControlPlaneHostBinDir(context.projectRoot), "rig-agent"), cwd: hostProjectRoot });
-      for (const hookName of hookNames) {
-        const src = `packages/runtime/src/control-plane/hooks/${hookName}.ts`;
-        targets.push({ source: src, dest: resolve3(imageDir, `bin/hooks/${hookName}`), cwd: hostProjectRoot });
-        targets.push({ source: src, dest: resolve3(resolveControlPlaneHostBinDir(context.projectRoot), `hooks/${hookName}`), cwd: hostProjectRoot });
+      for (const [name, src] of await resolveToolchainBuildTargets(context.projectRoot)) {
+        const subdir = name === "controlled-bash" ? "bin" : "bin/hooks";
+        const hostSubdir = name === "controlled-bash" ? "" : "hooks";
+        if (!existsSync2(resolve5(hostProjectRoot, src)))
+          continue;
+        targets.push({ source: src, dest: resolve5(imageDir, subdir, name), cwd: hostProjectRoot });
+        targets.push({ source: src, dest: resolve5(resolveControlPlaneHostBinDir(context.projectRoot), hostSubdir, name), cwd: hostProjectRoot });
       }
-      const pluginsDir = resolve3(context.projectRoot, "rig/plugins");
-      const binPluginsDir = resolve3(resolveControlPlaneHostBinDir(context.projectRoot), "plugins");
-      const validatorsRoot = resolve3(hostProjectRoot, "packages/runtime/src/control-plane/validators");
-      const binValidatorsDir = resolve3(resolveControlPlaneHostBinDir(context.projectRoot), "validators");
-      mkdirSync(binPluginsDir, { recursive: true });
-      mkdirSync(binValidatorsDir, { recursive: true });
-      if (existsSync(pluginsDir)) {
+      const pluginsDir = resolve5(context.projectRoot, "rig/plugins");
+      const binPluginsDir = resolve5(resolveControlPlaneHostBinDir(context.projectRoot), "plugins");
+      const validatorsRoot = resolve5(hostProjectRoot, "packages/validator-kit/src/validators");
+      const binValidatorsDir = resolve5(resolveControlPlaneHostBinDir(context.projectRoot), "validators");
+      mkdirSync2(binPluginsDir, { recursive: true });
+      mkdirSync2(binValidatorsDir, { recursive: true });
+      if (existsSync2(pluginsDir)) {
         for (const entry of readdirSync(pluginsDir, { withFileTypes: true })) {
           const m = entry.name.match(/^(.+)\.plugin\.(ts|js|mjs|cjs)$/);
           if (!m)
             continue;
-          targets.push({ source: `rig/plugins/${entry.name}`, dest: resolve3(imageDir, `bin/plugins/${m[1]}`), cwd: context.projectRoot });
+          targets.push({ source: `rig/plugins/${entry.name}`, dest: resolve5(imageDir, `bin/plugins/${m[1]}`), cwd: context.projectRoot });
         }
       }
       targets.push(...collectRigValidatorBuildTargets({ contextProjectRoot: context.projectRoot, hostProjectRoot, imageDir }));
@@ -345,19 +1071,19 @@ async function executeDist(context, args) {
           console.log(`Building: ${dest}`);
         }
         const isValidator = dest.includes("/bin/validators/");
-        await buildBinary2(source, dest, cwd, isValidator ? { AGENT_BUN_PATH: Bun.which("bun") || "bun" } : { AGENT_PROJECT_ROOT: context.projectRoot });
+        await buildAgentBinary(source, dest, cwd, isValidator ? { AGENT_BUN_PATH: Bun.which("bun") || "bun" } : { AGENT_PROJECT_ROOT: context.projectRoot });
       }
-      if (existsSync(pluginsDir)) {
+      if (existsSync2(pluginsDir)) {
         for (const entry of readdirSync(pluginsDir, { withFileTypes: true })) {
           const m = entry.name.match(/^(.+)\.plugin\.(ts|js|mjs|cjs)$/);
           if (!m)
             continue;
           const pluginName = m[1];
-          const imageBin = resolve3(imageDir, `bin/plugins/${pluginName}`);
+          const imageBin = resolve5(imageDir, `bin/plugins/${pluginName}`);
           if (!pluginName)
             continue;
-          const symlinkPath = resolve3(binPluginsDir, pluginName);
-          if (existsSync(imageBin)) {
+          const symlinkPath = resolve5(binPluginsDir, pluginName);
+          if (existsSync2(imageBin)) {
             try {
               unlinkSync(symlinkPath);
             } catch {}
@@ -365,10 +1091,10 @@ async function executeDist(context, args) {
           }
         }
       }
-      if (existsSync(validatorsRoot)) {
+      if (existsSync2(validatorsRoot)) {
         const categories = readdirSync(validatorsRoot, { withFileTypes: true }).filter((entry) => entry.isDirectory());
         for (const category of categories) {
-          const categoryDir = resolve3(validatorsRoot, category.name);
+          const categoryDir = resolve5(validatorsRoot, category.name);
           for (const entry of readdirSync(categoryDir, { withFileTypes: true })) {
             if (!entry.isFile() || !entry.name.endsWith(".ts"))
               continue;
@@ -376,9 +1102,9 @@ async function executeDist(context, args) {
             if (!check || check === "index" || check === "shared")
               continue;
             const validatorName = `${category.name}-${check}`;
-            const imageBin = resolve3(imageDir, `bin/validators/${validatorName}`);
-            const symlinkPath = resolve3(binValidatorsDir, validatorName);
-            if (existsSync(imageBin)) {
+            const imageBin = resolve5(imageDir, `bin/validators/${validatorName}`);
+            const symlinkPath = resolve5(binValidatorsDir, validatorName);
+            if (existsSync2(imageBin)) {
               try {
                 unlinkSync(symlinkPath);
               } catch {}
@@ -387,18 +1113,18 @@ async function executeDist(context, args) {
           }
         }
       }
-      const agentsDir = resolve3(resolveControlPlaneMonorepoRuntimeDir(context.projectRoot), "agents");
-      if (existsSync(agentsDir)) {
+      const agentsDir = resolve5(resolveControlPlaneMonorepoRuntimeDir(context.projectRoot), "agents");
+      if (existsSync2(agentsDir)) {
         let relinkCount = 0;
         for (const agentEntry of readdirSync(agentsDir, { withFileTypes: true })) {
           if (!agentEntry.isDirectory())
             continue;
-          const agentBinDir = resolve3(agentsDir, agentEntry.name, "worktree", ".rig", "bin");
-          if (!existsSync(agentBinDir))
+          const agentBinDir = resolve5(agentsDir, agentEntry.name, "worktree", ".rig", "bin");
+          if (!existsSync2(agentBinDir))
             continue;
           const walkDir = (dir) => {
             for (const entry of readdirSync(dir, { withFileTypes: true })) {
-              const fullPath = resolve3(dir, entry.name);
+              const fullPath = resolve5(dir, entry.name);
               if (entry.isDirectory()) {
                 walkDir(fullPath);
               } else if (entry.isSymbolicLink()) {