@h-rig/guard-plugin 0.0.6-alpha.157 → 0.0.6-alpha.158

package/dist/src/plugin.js

@@ -1,11 +1,679 @@
 // @bun
-// packages/guard-plugin/src/plugin.ts
-import { definePlugin } from "@rig/core/config";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = import.meta.require;
+
+// packages/guard-plugin/src/hook-ids.ts
+var SAFETY_GUARD_HOOK_ID = "@rig/guard-plugin:safety-guard", SCOPE_GUARD_HOOK_ID = "@rig/guard-plugin:scope-guard", IMPORT_GUARD_HOOK_ID = "@rig/guard-plugin:import-guard", TEST_INTEGRITY_GUARD_HOOK_ID = "@rig/guard-plugin:test-integrity-guard", AUDIT_TRAIL_HOOK_ID = "@rig/guard-plugin:audit-trail", POST_EDIT_LINT_HOOK_ID = "@rig/guard-plugin:post-edit-lint";
+
+// packages/guard-plugin/src/scope.ts
+import { getScopeRules } from "@rig/core/scope-rules";
+function unique(values) {
+  return [...new Set(values)];
+}
+function normalizeRelativeScopePath(inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  const rules = getScopeRules();
+  if (rules?.stripPrefixes) {
+    for (const prefix of rules.stripPrefixes) {
+      if (normalized.startsWith(prefix)) {
+        normalized = normalized.slice(prefix.length);
+      }
+    }
+  }
+  return normalized;
+}
+function normalizePathToScope(projectRoot, monorepoRoot, inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  if (normalized.startsWith(projectRoot + "/")) {
+    normalized = normalized.slice(projectRoot.length + 1);
+  }
+  if (normalized.startsWith(monorepoRoot + "/")) {
+    normalized = normalized.slice(monorepoRoot.length + 1);
+  }
+  return normalizeRelativeScopePath(normalized);
+}
+function scopeGlobToRegex(glob) {
+  const cached = scopeRegexCache.get(glob);
+  if (cached) {
+    return cached;
+  }
+  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "__GLOBSTAR__").replace(/\*/g, "[^/]*").replace(/__GLOBSTAR__/g, ".*");
+  const compiled = new RegExp(`^${escaped}$`);
+  scopeRegexCache.set(glob, compiled);
+  return compiled;
+}
+function scopeMatches(path, scopes) {
+  const pathVariants = unique([path, normalizeRelativeScopePath(path)]);
+  for (const scope of scopes) {
+    const scopeVariants = unique([scope, normalizeRelativeScopePath(scope)]);
+    for (const candidatePath of pathVariants) {
+      for (const candidateScope of scopeVariants) {
+        if (candidatePath === candidateScope || scopeGlobToRegex(candidateScope).test(candidatePath)) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
+var scopeRegexCache;
+var init_scope = __esm(() => {
+  scopeRegexCache = new Map;
+});
+
+// packages/guard-plugin/src/guard.ts
+import { optimizeNextInvocation } from "bun:jsc";
+import { existsSync, readFileSync, statSync } from "fs";
+import { resolve } from "path";
+import {
+  POLICY_VERSION
+} from "@rig/contracts";
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+function seedPolicyFromContent(rawJson) {
+  try {
+    const parsed = JSON.parse(rawJson);
+    seededPolicyConfig = mergeWithDefaults(parsed);
+  } catch {}
+}
+function loadPolicy(projectRoot) {
+  if (seededPolicyConfig) {
+    return seededPolicyConfig;
+  }
+  const configPath = resolve(projectRoot, "rig/policy/policy.json");
+  if (!existsSync(configPath)) {
+    return defaultPolicy();
+  }
+  let mtimeMs;
+  try {
+    mtimeMs = statSync(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync(configPath, "utf-8"));
+  } catch {
+    return defaultPolicy();
+  }
+  const config = mergeWithDefaults(parsed);
+  policyCache = { mtimeMs, config };
+  policyCachePath = configPath;
+  return config;
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode)) {
+    base.mode = parsed.mode;
+  }
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const s = parsed.scope;
+    if (typeof s.fail_closed === "boolean")
+      base.scope.fail_closed = s.fail_closed;
+    if (typeof s.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = s.harness_paths_exempt;
+    if (typeof s.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = s.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules)) {
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  }
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sb = parsed.sandbox;
+    if (typeof sb.mode === "string" && isValidMode(sb.mode))
+      base.sandbox.mode = sb.mode;
+    if (typeof sb.network === "boolean")
+      base.sandbox.network = sb.network;
+    if (Array.isArray(sb.read_deny))
+      base.sandbox.read_deny = sb.read_deny.filter((v) => typeof v === "string");
+    if (typeof sb.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sb.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const iso = parsed.isolation;
+    if (iso.default_mode === "worktree")
+      base.isolation.default_mode = iso.default_mode;
+    if (typeof iso.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = iso.repo_symlink_fallback;
+    if (typeof iso.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = iso.strict_provisioning;
+    if (typeof iso.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = iso.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const comp = parsed.completion;
+    if (typeof comp.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = comp.derive_checks_from_scope;
+    if (Array.isArray(comp.checks))
+      base.completion.checks = comp.checks.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.typescript_config_probe))
+      base.completion.typescript_config_probe = comp.typescript_config_probe.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.eslint_config_probe))
+      base.completion.eslint_config_probe = comp.eslint_config_probe.filter((v) => typeof v === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean") {
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      }
+      if (typeof deps.hp_next_install === "boolean") {
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+      }
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean") {
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+    }
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean") {
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+    }
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const r = value;
+  return typeof r.id === "string" && typeof r.category === "string" && r.match != null && typeof r.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    rules.push({
+      id: entry.id,
+      category: "command",
+      match,
+      action: "block",
+      ...typeof entry.description === "string" ? { description: entry.description } : {}
+    });
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiledRegex = rule.match.regex ? compileSafeRegex(rule.match.regex, `rules.${rule.id}.match.regex`, true) : undefined;
+    const compiledUnlessRegex = rule.unless?.regex ? compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, true) : undefined;
+    return {
+      ...rule,
+      ...compiledRegex ? { compiledRegex } : {},
+      ...compiledUnlessRegex ? { compiledUnlessRegex } : {}
+    };
+  });
+}
+function getRegexUnsafeReason(pattern) {
+  if (pattern.length > 512) {
+    return "pattern exceeds max safe length (512 chars)";
+  }
+  if (/\\[1-9]/.test(pattern)) {
+    return "pattern uses backreferences";
+  }
+  if (/\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested quantifiers";
+  }
+  if (/\((?:[^()\\]|\\.)*\.\\?[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested broad quantifiers";
+  }
+  return null;
+}
+function compileSafeRegex(pattern, sourceLabel, logOnFailure) {
+  const cached = compiledRegexCache.get(pattern);
+  if (cached !== undefined) {
+    return cached ?? undefined;
+  }
+  const unsafeReason = getRegexUnsafeReason(pattern);
+  if (unsafeReason) {
+    if (logOnFailure) {
+      console.warn(`[policy] Skipping unsafe regex in ${sourceLabel}: ${unsafeReason}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+  try {
+    const compiled = new RegExp(pattern);
+    compiledRegexCache.set(pattern, compiled);
+    return compiled;
+  } catch (error) {
+    if (logOnFailure) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.warn(`[policy] Skipping invalid regex in ${sourceLabel}: ${message}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+}
+function matchRule(rule, input) {
+  const { match } = rule;
+  if (match.pattern && input.includes(match.pattern)) {
+    return true;
+  }
+  if (match.regex) {
+    const compiled = rule.compiledRegex || compileSafeRegex(match.regex, `rules.${rule.id}.match.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      return compiled.test(input);
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function matchRuleUnless(rule, command, taskId) {
+  if (!rule.unless)
+    return false;
+  if (rule.unless.regex) {
+    const compiled = rule.compiledUnlessRegex || compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      if (compiled.test(command))
+        return true;
+    } catch {}
+  }
+  if (rule.unless.task_in && taskId) {
+    if (rule.unless.task_in.includes(taskId))
+      return true;
+  }
+  return false;
+}
+function resolveAction(mode, matched) {
+  if (matched.length === 0)
+    return "allow";
+  if (mode === "off")
+    return "allow";
+  if (mode === "observe")
+    return "warn";
+  return "block";
+}
+function resolveAbsolutePath(projectRoot, rawPath) {
+  if (rawPath.startsWith("/"))
+    return resolve(rawPath);
+  return resolve(projectRoot, rawPath);
+}
+function isHarnessPath(projectRoot, rawPath) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  const managedRoots = [
+    resolve(projectRoot, "rig"),
+    resolve(projectRoot, ".rig"),
+    resolve(projectRoot, "artifacts")
+  ];
+  return managedRoots.some((root) => absPath === root || absPath.startsWith(root + "/"));
+}
+function isRuntimePath(projectRoot, rawPath, taskWorkspace) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  if (taskWorkspace) {
+    const workspaceRigRoot = resolve(taskWorkspace, ".rig");
+    const workspaceArtifactsRoot = resolve(taskWorkspace, "artifacts");
+    if (absPath === workspaceRigRoot || absPath.startsWith(workspaceRigRoot + "/") || absPath === workspaceArtifactsRoot || absPath.startsWith(workspaceArtifactsRoot + "/")) {
+      return true;
+    }
+  }
+  const runtimeRoot = resolve(projectRoot, ".rig/runtime/agents");
+  return absPath === runtimeRoot || absPath.startsWith(runtimeRoot + "/");
+}
+function isTestFile(path) {
+  return /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(path) || /\/(__tests__|tests|test)\//.test(path);
+}
+function evaluate(context) {
+  const policy = loadPolicy(context.projectRoot);
+  switch (context.evaluation.type) {
+    case "tool-call":
+      return evaluateToolCall(policy, context);
+    case "command":
+      return evaluateCommand(policy, context);
+    case "content-write":
+      return evaluateContent(policy, context);
+    case "file-access":
+      return evaluateScope(policy, context, context.evaluation.file_path, context.evaluation.access);
+  }
+}
+function evaluateScope(policy, context, filePath, access) {
+  const allowed = () => ({
+    allowed: true,
+    matchedRules: [],
+    action: "allow",
+    failClosed: false
+  });
+  if (policy.scope.harness_paths_exempt && isHarnessPath(context.projectRoot, filePath)) {
+    return allowed();
+  }
+  if (policy.scope.runtime_paths_exempt && isRuntimePath(context.projectRoot, filePath, context.taskWorkspace)) {
+    return allowed();
+  }
+  if (!context.taskId) {
+    if (access === "write" && policy.scope.fail_closed) {
+      return {
+        allowed: false,
+        matchedRules: [],
+        action: resolveAction(policy.mode, [{ id: "scope:no-task", category: "command", reason: "No active task; fail-closed for write operations" }]),
+        failClosed: true
+      };
+    }
+    return allowed();
+  }
+  const scopes = context.taskScopes || [];
+  if (scopes.length === 0) {
+    return allowed();
+  }
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith("/")) {
+    const absPath = resolve(filePath);
+    if (!absPath.startsWith(context.taskWorkspace + "/") && !isHarnessPath(context.projectRoot, filePath)) {
+      const reason2 = `Absolute path '${filePath}' is outside task runtime boundary. Allowed root: ${context.taskWorkspace}`;
+      const matched2 = [{ id: "scope:workspace-boundary", category: "command", reason: reason2 }];
+      return {
+        allowed: policy.mode !== "enforce",
+        matchedRules: matched2,
+        action: resolveAction(policy.mode, matched2),
+        failClosed: false
+      };
+    }
+  }
+  const monorepoRoot = context.monorepoRoot || process.env.MONOREPO_ROOT?.trim() || context.taskWorkspace || context.projectRoot;
+  let normalizedPath = filePath;
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith(context.taskWorkspace + "/")) {
+    normalizedPath = filePath.slice(context.taskWorkspace.length + 1);
+  }
+  normalizedPath = normalizePathToScope(context.projectRoot, monorepoRoot, normalizedPath);
+  if (scopeMatches(filePath, scopes) || scopeMatches(normalizedPath, scopes)) {
+    return allowed();
+  }
+  const reason = `File '${filePath}' (normalized: '${normalizedPath}') is outside scope of task ${context.taskId}`;
+  const matched = [{ id: "scope:out-of-scope", category: "command", reason }];
+  return {
+    allowed: policy.mode !== "enforce",
+    matchedRules: matched,
+    action: resolveAction(policy.mode, matched),
+    failClosed: false
+  };
+}
+function evaluateCommand(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "command") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const command = evaluation.command;
+  const matchedRules = [];
+  for (const rule of policy.rules) {
+    if (rule.category !== "command")
+      continue;
+    if (!matchRule(rule, command))
+      continue;
+    if (matchRuleUnless(rule, command, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      ...rule.description !== undefined ? { description: rule.description } : {},
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const writeTarget = extractWriteTarget(command);
+  if (writeTarget && !/^\/dev\//.test(writeTarget) && !/^\/proc\//.test(writeTarget)) {
+    const scopeResult = evaluateScope(policy, context, writeTarget, "write");
+    if (!scopeResult.allowed || scopeResult.matchedRules.length > 0) {
+      matchedRules.push(...scopeResult.matchedRules);
+    }
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function extractWriteTarget(command) {
+  const redirect = command.match(/>>?\s+([^\s;|&]+)/);
+  if (redirect?.[1])
+    return redirect[1];
+  const tee = command.match(/tee\s+(-a\s+)?([^\s;|&]+)/);
+  if (tee?.[2])
+    return tee[2];
+  return "";
+}
+function evaluateContent(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "content-write") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { content, file_path } = evaluation;
+  const matchedRules = [];
+  const scopeResult = evaluateScope(policy, context, file_path, "write");
+  if (scopeResult.matchedRules.length > 0) {
+    matchedRules.push(...scopeResult.matchedRules);
+  }
+  for (const rule of policy.rules) {
+    if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+      continue;
+    if (rule.applies_to === "test-files" && !isTestFile(file_path))
+      continue;
+    if (!matchRule(rule, content))
+      continue;
+    if (matchRuleUnless(rule, content, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      ...rule.description !== undefined ? { description: rule.description } : {},
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function evaluateToolCall(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "tool-call") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { tool_name, tool_input } = evaluation;
+  const allMatched = [];
+  const filePaths = extractFilePathsFromToolInput(tool_name, tool_input);
+  for (const fp of filePaths) {
+    const access = isWriteTool(tool_name) ? "write" : "read";
+    const scopeResult = evaluateScope(policy, context, fp, access);
+    if (scopeResult.matchedRules.length > 0) {
+      allMatched.push(...scopeResult.matchedRules);
+    }
+  }
+  const content = extractContentFromToolInput(tool_input);
+  if (content) {
+    const filePath = filePaths[0] || "";
+    const contentContext = {
+      ...context,
+      evaluation: { type: "content-write", file_path: filePath, content }
+    };
+    const contentPolicy = loadPolicy(context.projectRoot);
+    for (const rule of contentPolicy.rules) {
+      if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+        continue;
+      if (rule.applies_to === "test-files" && !isTestFile(filePath))
+        continue;
+      if (!matchRule(rule, content))
+        continue;
+      if (matchRuleUnless(rule, content, context.taskId))
+        continue;
+      allMatched.push({
+        id: rule.id,
+        category: rule.category,
+        ...rule.description !== undefined ? { description: rule.description } : {},
+        reason: rule.description || `Matched rule ${rule.id}`
+      });
+    }
+  }
+  if (tool_name === "Bash") {
+    const command = String(tool_input.command || tool_input.cmd || "");
+    if (command) {
+      const cmdContext = {
+        ...context,
+        evaluation: { type: "command", command }
+      };
+      const cmdResult = evaluateCommand(policy, cmdContext);
+      if (cmdResult.matchedRules.length > 0) {
+        allMatched.push(...cmdResult.matchedRules);
+      }
+    }
+  }
+  const seen = new Set;
+  const deduplicated = [];
+  for (const rule of allMatched) {
+    if (!seen.has(rule.id)) {
+      seen.add(rule.id);
+      deduplicated.push(rule);
+    }
+  }
+  const action = resolveAction(policy.mode, deduplicated);
+  return {
+    allowed: action !== "block",
+    matchedRules: deduplicated,
+    action,
+    failClosed: false
+  };
+}
+function isWriteTool(toolName) {
+  return toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit";
+}
+function extractFilePathsFromToolInput(toolName, input) {
+  const paths = [];
+  const add = (value) => {
+    if (typeof value === "string" && value.trim()) {
+      paths.push(value.trim());
+    }
+  };
+  if (toolName === "Read" || toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit") {
+    add(input.file_path);
+    add(input.path);
+  } else if (toolName === "Glob") {
+    add(input.path);
+  } else if (toolName === "Grep") {
+    add(input.path);
+  } else {
+    add(input.file_path);
+    add(input.path);
+  }
+  return paths;
+}
+function extractContentFromToolInput(input) {
+  if (typeof input.content === "string")
+    return input.content;
+  if (typeof input.new_string === "string")
+    return input.new_string;
+  return "";
+}
+function primeGuardHotPaths() {
+  if (guardHotPathPrimed) {
+    return;
+  }
+  guardHotPathPrimed = true;
+  try {
+    optimizeNextInvocation(matchRule);
+    optimizeNextInvocation(evaluate);
+  } catch {}
+}
+var DEFAULT_SCOPE, DEFAULT_SANDBOX, DEFAULT_ISOLATION, DEFAULT_COMPLETION, DEFAULT_RUNTIME_IMAGE, DEFAULT_RUNTIME_SNAPSHOT, policyCache = null, policyCachePath = null, seededPolicyConfig = null, compiledRegexCache, guardHotPathPrimed = false;
+var init_guard = __esm(() => {
+  init_scope();
+  DEFAULT_SCOPE = {
+    fail_closed: true,
+    harness_paths_exempt: true,
+    runtime_paths_exempt: true
+  };
+  DEFAULT_SANDBOX = {
+    mode: "enforce",
+    network: true,
+    read_deny: [],
+    write_allow_from_runtime: true
+  };
+  DEFAULT_ISOLATION = {
+    default_mode: "worktree",
+    repo_symlink_fallback: false,
+    strict_provisioning: true,
+    fail_closed_on_provision_error: true
+  };
+  DEFAULT_COMPLETION = {
+    derive_checks_from_scope: true,
+    checks: [],
+    typescript_config_probe: ["tsconfig.json"],
+    eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+  };
+  DEFAULT_RUNTIME_IMAGE = {
+    deps: {
+      monorepo_install: false,
+      hp_next_install: false
+    },
+    plugins_require_binaries: true
+  };
+  DEFAULT_RUNTIME_SNAPSHOT = {
+    enabled: true
+  };
+  compiledRegexCache = new Map;
+  primeGuardHotPaths();
+});
 
 // packages/guard-plugin/src/hooks/safety-guard.ts
+var exports_safety_guard = {};
+__export(exports_safety_guard, {
+  safetyGuardHandler: () => safetyGuardHandler,
+  SAFETY_GUARD_HOOK_ID: () => SAFETY_GUARD_HOOK_ID
+});
 import { resolveTaskScopes, resolvePolicyContent, runTypedHook } from "@rig/hook-kit";
-import { evaluate, seedPolicyFromContent } from "@rig/runtime/control-plane/runtime/guard";
-var SAFETY_GUARD_HOOK_ID = "@rig/guard-plugin:safety-guard";
 async function safetyGuardHandler(ctx) {
   const projectRoot = ctx.projectRoot;
   seedPolicyFromContent(resolvePolicyContent(projectRoot));
@@ -62,17 +730,23 @@ async function safetyGuardHandler(ctx) {
   }
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "safety-guard") {
-  runTypedHook(safetyGuardHandler, { event: "PreToolUse" });
-}
+var init_safety_guard = __esm(() => {
+  init_guard();
+  if (process.env.RIG_HOOK_ROLE === "safety-guard") {
+    runTypedHook(safetyGuardHandler, { event: "PreToolUse" });
+  }
+});
 
 // packages/guard-plugin/src/hooks/scope-guard.ts
+var exports_scope_guard = {};
+__export(exports_scope_guard, {
+  scopeGuardHandler: () => scopeGuardHandler,
+  SCOPE_GUARD_HOOK_ID: () => SCOPE_GUARD_HOOK_ID
+});
 import { resolveTaskScopes as resolveTaskScopes2, resolvePolicyContent as resolvePolicyContent2, runTypedHook as runTypedHook2 } from "@rig/hook-kit";
-import { evaluate as evaluate2, seedPolicyFromContent as seedPolicyFromContent2 } from "@rig/runtime/control-plane/runtime/guard";
-var SCOPE_GUARD_HOOK_ID = "@rig/guard-plugin:scope-guard";
 async function scopeGuardHandler(ctx) {
   const projectRoot = ctx.projectRoot;
-  seedPolicyFromContent2(resolvePolicyContent2(projectRoot));
+  seedPolicyFromContent(resolvePolicyContent2(projectRoot));
   const tool = ctx.toolName ?? "";
   const toolInput = ctx.toolInput;
   const taskWorkspace = process.env.RIG_TASK_WORKSPACE || "";
@@ -111,7 +785,7 @@ async function scopeGuardHandler(ctx) {
   if (scopes.length === 0) {
     return { decision: "allow" };
   }
-  const decision = evaluate2({
+  const decision = evaluate({
     projectRoot,
     taskScopes: scopes,
     evaluation,
@@ -125,17 +799,23 @@ async function scopeGuardHandler(ctx) {
   }
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "scope-guard") {
-  runTypedHook2(scopeGuardHandler, { event: "PreToolUse" });
-}
+var init_scope_guard = __esm(() => {
+  init_guard();
+  if (process.env.RIG_HOOK_ROLE === "scope-guard") {
+    runTypedHook2(scopeGuardHandler, { event: "PreToolUse" });
+  }
+});
 
 // packages/guard-plugin/src/hooks/import-guard.ts
+var exports_import_guard = {};
+__export(exports_import_guard, {
+  importGuardHandler: () => importGuardHandler,
+  IMPORT_GUARD_HOOK_ID: () => IMPORT_GUARD_HOOK_ID
+});
 import { resolveTaskScopes as resolveTaskScopes3, resolvePolicyContent as resolvePolicyContent3, runTypedHook as runTypedHook3 } from "@rig/hook-kit";
-import { evaluate as evaluate3, seedPolicyFromContent as seedPolicyFromContent3 } from "@rig/runtime/control-plane/runtime/guard";
-var IMPORT_GUARD_HOOK_ID = "@rig/guard-plugin:import-guard";
 async function importGuardHandler(ctx) {
   const projectRoot = ctx.projectRoot;
-  seedPolicyFromContent3(resolvePolicyContent3(projectRoot));
+  seedPolicyFromContent(resolvePolicyContent3(projectRoot));
   const toolInput = ctx.toolInput;
   const content = String(toolInput.content ?? toolInput.new_string ?? "");
   if (!content) {
@@ -150,7 +830,7 @@ async function importGuardHandler(ctx) {
   const taskId = ctx.taskId || "";
   const scopes = taskId ? await resolveTaskScopes3(projectRoot, taskId) : [];
   const taskWorkspace = process.env.RIG_TASK_WORKSPACE || "";
-  const decision = evaluate3({
+  const decision = evaluate({
     projectRoot,
     taskScopes: scopes,
     evaluation,
@@ -170,17 +850,23 @@ Only import from a module public API (index.ts) or npm packages.`
   }
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "import-guard") {
-  runTypedHook3(importGuardHandler, { event: "PreToolUse" });
-}
+var init_import_guard = __esm(() => {
+  init_guard();
+  if (process.env.RIG_HOOK_ROLE === "import-guard") {
+    runTypedHook3(importGuardHandler, { event: "PreToolUse" });
+  }
+});
 
 // packages/guard-plugin/src/hooks/test-integrity-guard.ts
+var exports_test_integrity_guard = {};
+__export(exports_test_integrity_guard, {
+  testIntegrityGuardHandler: () => testIntegrityGuardHandler,
+  TEST_INTEGRITY_GUARD_HOOK_ID: () => TEST_INTEGRITY_GUARD_HOOK_ID
+});
 import { resolveTaskScopes as resolveTaskScopes4, resolvePolicyContent as resolvePolicyContent4, isTestFilePath, runTypedHook as runTypedHook4 } from "@rig/hook-kit";
-import { evaluate as evaluate4, seedPolicyFromContent as seedPolicyFromContent4 } from "@rig/runtime/control-plane/runtime/guard";
-var TEST_INTEGRITY_GUARD_HOOK_ID = "@rig/guard-plugin:test-integrity-guard";
 async function testIntegrityGuardHandler(ctx) {
   const projectRoot = ctx.projectRoot;
-  seedPolicyFromContent4(resolvePolicyContent4(projectRoot));
+  seedPolicyFromContent(resolvePolicyContent4(projectRoot));
   const toolInput = ctx.toolInput;
   const filePath = String(toolInput.file_path ?? toolInput.path ?? "");
   const content = String(toolInput.content ?? toolInput.new_string ?? "");
@@ -195,7 +881,7 @@ async function testIntegrityGuardHandler(ctx) {
   const taskId = ctx.taskId || "";
   const scopes = taskId ? await resolveTaskScopes4(projectRoot, taskId) : [];
   const taskWorkspace = process.env.RIG_TASK_WORKSPACE || "";
-  const decision = evaluate4({
+  const decision = evaluate({
     projectRoot,
     taskScopes: scopes,
     evaluation,
@@ -216,21 +902,28 @@ async function testIntegrityGuardHandler(ctx) {
   }
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "test-integrity-guard") {
-  runTypedHook4(testIntegrityGuardHandler, { event: "PreToolUse" });
-}
+var init_test_integrity_guard = __esm(() => {
+  init_guard();
+  if (process.env.RIG_HOOK_ROLE === "test-integrity-guard") {
+    runTypedHook4(testIntegrityGuardHandler, { event: "PreToolUse" });
+  }
+});
 
 // packages/guard-plugin/src/hooks/audit-trail.ts
-import { appendFileSync, mkdirSync } from "fs";
-import { resolve } from "path";
+var exports_audit_trail = {};
+__export(exports_audit_trail, {
+  auditTrailHandler: () => auditTrailHandler,
+  AUDIT_TRAIL_HOOK_ID: () => AUDIT_TRAIL_HOOK_ID
+});
+import { appendFileSync, mkdirSync as mkdirSync3 } from "fs";
+import { resolve as resolve4 } from "path";
 import { runTypedHook as runTypedHook5 } from "@rig/hook-kit";
-import { resolveHarnessPaths } from "@rig/runtime/control-plane/native/utils";
-var AUDIT_TRAIL_HOOK_ID = "@rig/guard-plugin:audit-trail";
+import { resolveRigLayout } from "@rig/core/layout";
 function auditTrailHandler(ctx) {
   const projectRoot = ctx.projectRoot;
   const toolInput = ctx.toolInput;
-  const paths = resolveHarnessPaths(projectRoot);
-  mkdirSync(paths.logsDir, { recursive: true });
+  const logsDir = process.env.RIG_LOGS_DIR?.trim() || resolveRigLayout(projectRoot).logsDir;
+  mkdirSync3(logsDir, { recursive: true });
   const taskId = ctx.taskId || "unknown";
   const tool = ctx.toolName || "unknown";
   const filePath = String(toolInput.file_path ?? toolInput.path ?? "none");
@@ -244,25 +937,31 @@ function auditTrailHandler(ctx) {
   if (tool === "Bash" && command) {
     payload.command_preview = command;
   }
-  appendFileSync(resolve(paths.logsDir, "audit.jsonl"), `${JSON.stringify(payload)}
+  appendFileSync(resolve4(logsDir, "audit.jsonl"), `${JSON.stringify(payload)}
 `, "utf-8");
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "audit-trail") {
-  runTypedHook5(auditTrailHandler, { event: "PreToolUse" });
-}
+var init_audit_trail = __esm(() => {
+  if (process.env.RIG_HOOK_ROLE === "audit-trail") {
+    runTypedHook5(auditTrailHandler, { event: "PreToolUse" });
+  }
+});
 
 // packages/guard-plugin/src/hooks/post-edit-lint.ts
-import { existsSync, readFileSync } from "fs";
+var exports_post_edit_lint = {};
+__export(exports_post_edit_lint, {
+  postEditLintHandler: () => postEditLintHandler,
+  POST_EDIT_LINT_HOOK_ID: () => POST_EDIT_LINT_HOOK_ID
+});
+import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
 import { runTypedHook as runTypedHook6 } from "@rig/hook-kit";
-var POST_EDIT_LINT_HOOK_ID = "@rig/guard-plugin:post-edit-lint";
 function postEditLintHandler(ctx) {
   const toolInput = ctx.toolInput;
   const filePath = String(toolInput.file_path ?? toolInput.path ?? "");
-  if (!filePath || !/\.(ts|tsx|js|jsx)$/.test(filePath) || !existsSync(filePath)) {
+  if (!filePath || !/\.(ts|tsx|js|jsx)$/.test(filePath) || !existsSync3(filePath)) {
     return { decision: "allow" };
   }
-  const content = readFileSync(filePath, "utf-8");
+  const content = readFileSync2(filePath, "utf-8");
   const warnings = [];
   const consoleCount = (content.match(/console\.(log|debug)\(/g) || []).length;
   if (consoleCount > 3) {
@@ -291,8 +990,306 @@ These are not blocking, but must be resolved before task completion.`
   }
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "post-edit-lint") {
-  runTypedHook6(postEditLintHandler, { event: "PostToolUse" });
+var init_post_edit_lint = __esm(() => {
+  if (process.env.RIG_HOOK_ROLE === "post-edit-lint") {
+    runTypedHook6(postEditLintHandler, { event: "PostToolUse" });
+  }
+});
+
+// packages/guard-plugin/src/plugin.ts
+import { definePlugin } from "@rig/core/config";
+import { defineCapability } from "@rig/core/capability";
+import { CLI_RUNNER, GUARD_TOOLCHAIN_SOURCES } from "@rig/contracts";
+
+// packages/guard-plugin/src/agent-shell.ts
+init_guard();
+var {$ } = globalThis.Bun;
+import { existsSync as existsSync2, mkdirSync as mkdirSync2 } from "fs";
+import { resolve as resolve3 } from "path";
+import { EventBus } from "@rig/core/runtime-events";
+import { CliError } from "@rig/contracts";
+
+// packages/guard-plugin/src/agent-binary-build.ts
+import { chmodSync, copyFileSync, linkSync, mkdirSync, rmSync, writeFileSync } from "fs";
+import { basename, dirname, resolve as resolve2 } from "path";
+import { runtimeProvisioningEnv } from "@rig/core/runtime-provisioning-env";
+
+// packages/guard-plugin/src/embedded-native-assets.ts
+var embeddedNatives = null;
+
+// packages/guard-plugin/src/agent-binary-build.ts
+function materializeSelfExecRole(outputPath, define) {
+  const selfPath = process.execPath;
+  mkdirSync(dirname(outputPath), { recursive: true });
+  rmSync(outputPath, { force: true });
+  try {
+    linkSync(selfPath, outputPath);
+  } catch {
+    copyFileSync(selfPath, outputPath);
+  }
+  chmodSync(outputPath, 493);
+  const role = basename(outputPath).replace(/\.exe$/i, "");
+  writeFileSync(`${outputPath}.rig-runconfig.json`, `${JSON.stringify({ role, define: define ?? {} }, null, 2)}
+`, { mode: 384 });
+}
+function hasEmbeddedNatives() {
+  return embeddedNatives !== null;
+}
+async function buildAgentBinary(entrypoint, outputPath, cwd, defines) {
+  if (hasEmbeddedNatives()) {
+    materializeSelfExecRole(outputPath, defines);
+    return;
+  }
+  await buildRuntimeBinary({
+    entrypoint,
+    outputPath,
+    cwd,
+    ...defines ? { define: defines } : {},
+    env: runtimeProvisioningEnv()
+  });
+}
+async function buildRuntimeBinary(options) {
+  mkdirSync(dirname(options.outputPath), { recursive: true });
+  await withTemporaryEnv({
+    ...options.env,
+    ...options.define ? { RIG_BUILD_CONFIG_JSON: JSON.stringify(options.define) } : {}
+  }, async () => {
+    const result = await Bun.build({
+      entrypoints: [resolve2(options.cwd, options.entrypoint)],
+      compile: { outfile: options.outputPath },
+      target: "bun",
+      format: "esm",
+      minify: true,
+      bytecode: true,
+      ...options.define ? { define: { __RIG_BUILD_CONFIG__: JSON.stringify(options.define) } } : {}
+    });
+    if (!result.success) {
+      throw new Error(result.logs.map((log) => log.message).join(`
+`) || `Failed to compile ${options.entrypoint}`);
+    }
+  });
+  chmodSync(options.outputPath, 493);
+}
+async function withTemporaryEnv(env, callback) {
+  const previous = {};
+  for (const [key, value] of Object.entries(env)) {
+    previous[key] = process.env[key];
+    if (value === undefined) {
+      delete process.env[key];
+    } else {
+      process.env[key] = value;
+    }
+  }
+  try {
+    return await callback();
+  } finally {
+    for (const [key, value] of Object.entries(previous)) {
+      if (value === undefined) {
+        delete process.env[key];
+      } else {
+        process.env[key] = value;
+      }
+    }
+  }
+}
+
+// packages/guard-plugin/src/agent-shell.ts
+init_guard();
+function withProjectRoot(projectRoot) {
+  $.cwd(projectRoot);
+}
+function formatCommand(parts) {
+  return parts.map((part) => /[^a-zA-Z0-9_./:-]/.test(part) ? JSON.stringify(part) : part).join(" ");
+}
+var AGENT_DISPATCH_SOURCE = "packages/provider-plugin/src/agent-harness/agent-wrapper.ts";
+function hasAgentDispatchSource(root) {
+  return existsSync2(resolve3(root, AGENT_DISPATCH_SOURCE));
+}
+function resolveAgentMaterializationSourceRoot(projectRoot, options = {}) {
+  const env = options.env ?? process.env;
+  const candidates = [
+    env.RIG_HOST_PROJECT_ROOT?.trim(),
+    env.PROJECT_RIG_ROOT?.trim(),
+    options.cwd ?? process.cwd(),
+    resolve3(options.moduleDir ?? import.meta.dir, "../../.."),
+    projectRoot
+  ].filter((value) => Boolean(value));
+  for (const candidate of candidates) {
+    const root = resolve3(candidate);
+    if (hasAgentDispatchSource(root)) {
+      return root;
+    }
+  }
+  return resolve3(projectRoot);
+}
+async function ensureAgentShellBinary(projectRoot, options = {}) {
+  const agentBinary = resolve3(projectRoot, ".rig", "bin", "rig-agent");
+  if (existsSync2(agentBinary)) {
+    return agentBinary;
+  }
+  const sourceRoot = resolveAgentMaterializationSourceRoot(projectRoot, options);
+  if (!hasAgentDispatchSource(sourceRoot)) {
+    throw new CliError(`Missing compiled agent dispatch binary at ${agentBinary}, and no Rig source checkout with ${AGENT_DISPATCH_SOURCE} was found to materialize it automatically.`, 2);
+  }
+  mkdirSync2(resolve3(agentBinary, ".."), { recursive: true });
+  try {
+    await (options.build ?? buildAgentBinary)(AGENT_DISPATCH_SOURCE, agentBinary, sourceRoot, {
+      AGENT_PROJECT_ROOT: projectRoot
+    });
+  } catch (error) {
+    throw new CliError(`Missing compiled agent dispatch binary at ${agentBinary}, and automatic materialization from ${sourceRoot} failed: ${error instanceof Error ? error.message : String(error)}`, 2);
+  }
+  if (!existsSync2(agentBinary)) {
+    throw new CliError(`Automatic agent dispatch materialization from ${sourceRoot} did not create ${agentBinary}.`, 2);
+  }
+  return agentBinary;
+}
+async function initializeRuntime(options) {
+  const eventBus = new EventBus({
+    projectRoot: options.projectRoot,
+    ...options.runId ? { runId: options.runId } : {}
+  });
+  let context;
+  const baseContext = {
+    projectRoot: options.projectRoot,
+    dryRun: options.dryRun,
+    outputMode: options.outputMode,
+    runId: eventBus.getRunId(),
+    ...options.policyMode ? { policyMode: options.policyMode } : {},
+    eventBus,
+    emitEvent: async (type, payload) => {
+      await eventBus.emit(type, payload);
+    }
+  };
+  context = {
+    ...baseContext,
+    runCommand: async (parts) => runCommand(context, parts)
+  };
+  await context.emitEvent("runtime.init", {
+    runId: context.runId,
+    outputMode: context.outputMode,
+    dryRun: context.dryRun,
+    policyMode: context.policyMode ?? loadPolicy(options.projectRoot).mode,
+    policyFile: resolve3(options.projectRoot, "rig/policy/policy.json")
+  });
+  return context;
+}
+async function runCommand(context, parts) {
+  if (parts.length === 0) {
+    throw new CliError("Cannot execute an empty command.");
+  }
+  const envMode = process.env.RIG_BASH_MODE;
+  const effectiveMode = context.policyMode || (envMode === "off" || envMode === "observe" || envMode === "enforce" ? envMode : loadPolicy(context.projectRoot).mode);
+  const controlledPath = `${resolve3(context.projectRoot, ".rig", "bin")}:${context.projectRoot}/rig/tools:${process.env.PATH ?? ""}`;
+  const usesInfrastructureBinary = parts[0] === "rig-server";
+  const controlledBash = usesInfrastructureBinary ? null : await ensureAgentShellBinary(context.projectRoot);
+  const commandEnv = [
+    "env",
+    `PATH=${controlledPath}`,
+    `PROJECT_RIG_ROOT=${context.projectRoot}`,
+    ...controlledBash ? [`BASH=${controlledBash}`] : [],
+    `RIG_BASH_MODE=${effectiveMode}`,
+    `RIG_POLICY_FILE=${resolve3(context.projectRoot, "rig/policy/policy.json")}`,
+    ...context.eventBus.getEventsFile() ? [`RIG_EVENTS_FILE=${context.eventBus.getEventsFile()}`] : []
+  ];
+  const commandWithEnv = [...commandEnv, ...parts];
+  const formatted = formatCommand(commandWithEnv);
+  await context.emitEvent("command.received", {
+    command: commandWithEnv,
+    formattedCommand: formatted
+  });
+  const guardDecision = evaluate({
+    projectRoot: context.projectRoot,
+    evaluation: { type: "command", command: formatted }
+  });
+  const guardAction = resolveAction(effectiveMode, guardDecision.matchedRules);
+  await context.emitEvent("policy.decision", {
+    target: "command",
+    command: formatted,
+    mode: effectiveMode,
+    allowed: guardAction !== "block",
+    matchedRuleIds: guardDecision.matchedRules.map((r) => r.id),
+    reasons: guardDecision.matchedRules.map((r) => r.reason)
+  });
+  if (guardAction === "block") {
+    await context.emitEvent("command.failed", {
+      command: commandWithEnv,
+      formattedCommand: formatted,
+      reason: "Policy denied command",
+      matchedRuleIds: guardDecision.matchedRules.map((r) => r.id),
+      mode: effectiveMode
+    });
+    throw new CliError(`Policy blocked command: ${formatted}`, 126, { hint: "Review rig/policy/policy.json, or re-run with `--policy-mode observe` to log instead of block." });
+  }
+  const startedAt = new Date;
+  await context.emitEvent("command.started", {
+    command: commandWithEnv,
+    formattedCommand: formatted,
+    startedAt: startedAt.toISOString(),
+    dryRun: context.dryRun
+  });
+  if (context.dryRun) {
+    const dryResult = {
+      command: commandWithEnv,
+      formattedCommand: formatted,
+      exitCode: 0,
+      durationMs: 0,
+      startedAt: startedAt.toISOString(),
+      finishedAt: startedAt.toISOString()
+    };
+    if (context.outputMode === "text") {
+      console.log(`$ ${formatted}`);
+    }
+    await context.emitEvent("command.finished", {
+      ...dryResult,
+      dryRun: true
+    });
+    return dryResult;
+  }
+  let exitCode = 0;
+  let stdout = "";
+  let stderr = "";
+  if (context.outputMode === "json") {
+    const child = Bun.spawn(commandWithEnv, {
+      cwd: context.projectRoot,
+      stdin: "inherit",
+      stdout: "pipe",
+      stderr: "pipe"
+    });
+    exitCode = await child.exited;
+    stdout = await new Response(child.stdout).text();
+    stderr = await new Response(child.stderr).text();
+  } else {
+    const child = Bun.spawn(commandWithEnv, {
+      cwd: context.projectRoot,
+      stdin: "inherit",
+      stdout: "inherit",
+      stderr: "inherit"
+    });
+    exitCode = await child.exited;
+  }
+  const finishedAt = new Date;
+  const result = {
+    command: commandWithEnv,
+    formattedCommand: formatted,
+    exitCode,
+    durationMs: finishedAt.getTime() - startedAt.getTime(),
+    startedAt: startedAt.toISOString(),
+    finishedAt: finishedAt.toISOString(),
+    ...context.outputMode === "json" ? { stdout, stderr } : {}
+  };
+  if (exitCode !== 0) {
+    await context.emitEvent("command.failed", {
+      ...result
+    });
+    const errorSuffix = context.outputMode === "json" && stderr ? `
+${stderr.trim()}` : "";
+    throw new CliError(`Command failed (${exitCode}): ${formatted}${errorSuffix}`, exitCode);
+  }
+  await context.emitEvent("command.finished", {
+    ...result
+  });
+  return result;
 }
 
 // packages/guard-plugin/src/plugin.ts
@@ -303,42 +1300,123 @@ var GUARD_HOOKS = [
     event: "PreToolUse",
     matcher: { kind: "all" },
     description: "Blocks dangerous commands and content patterns.",
-    handler: safetyGuardHandler
+    handler: (input) => Promise.resolve().then(() => (init_safety_guard(), exports_safety_guard)).then((m) => m.safetyGuardHandler(input))
   },
   {
     id: SCOPE_GUARD_HOOK_ID,
     event: "PreToolUse",
     matcher: { kind: "all" },
     description: "Enforces task scope boundaries.",
-    handler: scopeGuardHandler
+    handler: (input) => Promise.resolve().then(() => (init_scope_guard(), exports_scope_guard)).then((m) => m.scopeGuardHandler(input))
   },
   {
     id: IMPORT_GUARD_HOOK_ID,
     event: "PreToolUse",
     matcher: { kind: "all" },
     description: "Blocks cross-module internal imports.",
-    handler: importGuardHandler
+    handler: (input) => Promise.resolve().then(() => (init_import_guard(), exports_import_guard)).then((m) => m.importGuardHandler(input))
   },
   {
     id: TEST_INTEGRITY_GUARD_HOOK_ID,
     event: "PreToolUse",
     matcher: { kind: "all" },
     description: "Prevents test tampering (.skip, .only, missing assertions).",
-    handler: testIntegrityGuardHandler
+    handler: (input) => Promise.resolve().then(() => (init_test_integrity_guard(), exports_test_integrity_guard)).then((m) => m.testIntegrityGuardHandler(input))
   },
   {
     id: AUDIT_TRAIL_HOOK_ID,
     event: "PreToolUse",
     matcher: { kind: "all" },
     description: "Logs tool invocations to audit.jsonl.",
-    handler: auditTrailHandler
+    handler: (input) => Promise.resolve().then(() => (init_audit_trail(), exports_audit_trail)).then((m) => m.auditTrailHandler(input))
   },
   {
     id: POST_EDIT_LINT_HOOK_ID,
     event: "PostToolUse",
     matcher: { kind: "all" },
     description: "Warns about console.log spam, TODO markers, and empty catches.",
-    handler: postEditLintHandler
+    handler: (input) => Promise.resolve().then(() => (init_post_edit_lint(), exports_post_edit_lint)).then((m) => m.postEditLintHandler(input))
+  }
+];
+var ToolchainSourcesCap = defineCapability(GUARD_TOOLCHAIN_SOURCES);
+var CliRunnerCap = defineCapability(CLI_RUNNER);
+var GUARD_TOOLCHAIN_SOURCE_CONTRIBUTION = {
+  hookBinaries: [
+    { name: "scope-guard", source: "packages/guard-plugin/src/hooks/scope-guard.ts" },
+    { name: "import-guard", source: "packages/guard-plugin/src/hooks/import-guard.ts" },
+    { name: "safety-guard", source: "packages/guard-plugin/src/hooks/safety-guard.ts" },
+    { name: "test-integrity-guard", source: "packages/guard-plugin/src/hooks/test-integrity-guard.ts" },
+    { name: "audit-trail", source: "packages/guard-plugin/src/hooks/audit-trail.ts" },
+    { name: "post-edit-lint", source: "packages/guard-plugin/src/hooks/post-edit-lint.ts" }
+  ],
+  namedSources: {
+    "controlled-bash": "packages/guard-plugin/src/controlled-bash.ts"
+  }
+};
+var GUARD_CLI_RUNNER = {
+  initializeRuntime: async (options) => initializeRuntime(options),
+  runCommand: async (context, parts) => runCommand(context, parts),
+  ensureAgentShellBinary,
+  resolveAgentMaterializationSourceRoot,
+  withProjectRoot,
+  formatCommand,
+  loadPolicy
+};
+var GUARD_CAPABILITIES = [
+  ToolchainSourcesCap.provide(() => GUARD_TOOLCHAIN_SOURCE_CONTRIBUTION, {
+    title: "Guard toolchain sources",
+    description: "Source paths for guard hook binaries and the controlled-bash wrapper, compiled by the isolation runtime toolchain."
+  }),
+  CliRunnerCap.provide(() => GUARD_CLI_RUNNER, {
+    title: "CLI guarded runner",
+    description: "Policy-guarded command runner used by CLI-surface commands through the host seam."
+  })
+];
+async function runHookRunner(pluginName, hookId, role) {
+  process.env.RIG_HOOK_ROLE = role;
+  const { main } = await import("@rig/core/hook-runner");
+  await main(["--plugin", pluginName, "--hook", hookId]);
+}
+var GUARD_SEED_ENTRYPOINTS = [
+  {
+    id: `${GUARD_PLUGIN_NAME}:controlled-bash`,
+    basename: "controlled-bash",
+    description: "Policy-guarded shell wrapper used by per-run toolchains.",
+    run: async ({ argv, execPath }) => {
+      const { runControlledBash } = await import("@rig/guard-plugin/controlled-bash");
+      const { dirname: dirname2 } = await import("path");
+      process.exit(await runControlledBash(argv.slice(2), { projectRootFallbackDir: dirname2(execPath ?? process.cwd()) }));
+    }
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:scope-guard-entrypoint`,
+    basename: "scope-guard",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, SCOPE_GUARD_HOOK_ID, basename2 ?? "scope-guard")
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:import-guard-entrypoint`,
+    basename: "import-guard",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, IMPORT_GUARD_HOOK_ID, basename2 ?? "import-guard")
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:safety-guard-entrypoint`,
+    basename: "safety-guard",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, SAFETY_GUARD_HOOK_ID, basename2 ?? "safety-guard")
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:test-integrity-guard-entrypoint`,
+    basename: "test-integrity-guard",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, TEST_INTEGRITY_GUARD_HOOK_ID, basename2 ?? "test-integrity-guard")
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:audit-trail-entrypoint`,
+    basename: "audit-trail",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, AUDIT_TRAIL_HOOK_ID, basename2 ?? "audit-trail")
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:post-edit-lint-entrypoint`,
+    basename: "post-edit-lint",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, POST_EDIT_LINT_HOOK_ID, basename2 ?? "post-edit-lint")
   }
 ];
 function createGuardPlugin() {
@@ -346,7 +1424,9 @@ function createGuardPlugin() {
     name: GUARD_PLUGIN_NAME,
     version: "0.0.0-alpha.1",
     contributes: {
-      hooks: GUARD_HOOKS
+      hooks: GUARD_HOOKS,
+      capabilities: GUARD_CAPABILITIES,
+      seedEntrypoints: GUARD_SEED_ENTRYPOINTS
     }
   });
 }