npm - @h-rig/guard-plugin - Versions diffs - 0.0.6-alpha.157 → 0.0.6-alpha.159 - Mend

@h-rig/guard-plugin 0.0.6-alpha.157 → 0.0.6-alpha.159

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/dist/src/agent-binary-build.d.ts +9 -0
package/dist/src/agent-binary-build.js +88 -0
package/dist/src/agent-shell.d.ts +24 -0
package/dist/src/agent-shell.js +939 -0
package/dist/src/controlled-bash.d.ts +5 -0
package/dist/src/controlled-bash.js +784 -0
package/dist/src/embedded-native-assets.d.ts +7 -0
package/dist/src/embedded-native-assets.js +6 -0
package/dist/src/guard.d.ts +17 -0
package/dist/src/guard.js +684 -0
package/dist/src/hook-ids.d.ts +6 -0
package/dist/src/hook-ids.js +16 -0
package/dist/src/hooks/audit-trail.d.ts +1 -1
package/dist/src/hooks/audit-trail.js +8 -4
package/dist/src/hooks/import-guard.d.ts +1 -1
package/dist/src/hooks/import-guard.js +651 -1
package/dist/src/hooks/post-edit-lint.d.ts +1 -1
package/dist/src/hooks/post-edit-lint.js +4 -0
package/dist/src/hooks/safety-guard.d.ts +1 -1
package/dist/src/hooks/safety-guard.js +651 -1
package/dist/src/hooks/scope-guard.d.ts +1 -1
package/dist/src/hooks/scope-guard.js +651 -1
package/dist/src/hooks/test-integrity-guard.d.ts +1 -1
package/dist/src/hooks/test-integrity-guard.js +651 -1
package/dist/src/index.d.ts +1 -0
package/dist/src/index.js +1175 -51
package/dist/src/plugin.js +1131 -51
package/dist/src/scope.d.ts +3 -0
package/dist/src/scope.js +58 -0
package/package.json +20 -5

package/dist/src/index.js CHANGED Viewed

@@ -1,11 +1,702 @@
 // @bun
-// packages/guard-plugin/src/plugin.ts
-import { definePlugin } from "@rig/core/config";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = import.meta.require;
+// packages/guard-plugin/src/hook-ids.ts
+var SAFETY_GUARD_HOOK_ID = "@rig/guard-plugin:safety-guard", SCOPE_GUARD_HOOK_ID = "@rig/guard-plugin:scope-guard", IMPORT_GUARD_HOOK_ID = "@rig/guard-plugin:import-guard", TEST_INTEGRITY_GUARD_HOOK_ID = "@rig/guard-plugin:test-integrity-guard", AUDIT_TRAIL_HOOK_ID = "@rig/guard-plugin:audit-trail", POST_EDIT_LINT_HOOK_ID = "@rig/guard-plugin:post-edit-lint";
+// packages/guard-plugin/src/scope.ts
+import { getScopeRules } from "@rig/core/scope-rules";
+function unique(values) {
+  return [...new Set(values)];
+}
+function normalizeRelativeScopePath(inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  const rules = getScopeRules();
+  if (rules?.stripPrefixes) {
+    for (const prefix of rules.stripPrefixes) {
+      if (normalized.startsWith(prefix)) {
+        normalized = normalized.slice(prefix.length);
+      }
+    }
+  }
+  return normalized;
+}
+function normalizePathToScope(projectRoot, monorepoRoot, inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  if (normalized.startsWith(projectRoot + "/")) {
+    normalized = normalized.slice(projectRoot.length + 1);
+  }
+  if (normalized.startsWith(monorepoRoot + "/")) {
+    normalized = normalized.slice(monorepoRoot.length + 1);
+  }
+  return normalizeRelativeScopePath(normalized);
+}
+function scopeGlobToRegex(glob) {
+  const cached = scopeRegexCache.get(glob);
+  if (cached) {
+    return cached;
+  }
+  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "__GLOBSTAR__").replace(/\*/g, "[^/]*").replace(/__GLOBSTAR__/g, ".*");
+  const compiled = new RegExp(`^${escaped}$`);
+  scopeRegexCache.set(glob, compiled);
+  return compiled;
+}
+function scopeMatches(path, scopes) {
+  const pathVariants = unique([path, normalizeRelativeScopePath(path)]);
+  for (const scope of scopes) {
+    const scopeVariants = unique([scope, normalizeRelativeScopePath(scope)]);
+    for (const candidatePath of pathVariants) {
+      for (const candidateScope of scopeVariants) {
+        if (candidatePath === candidateScope || scopeGlobToRegex(candidateScope).test(candidatePath)) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
+var scopeRegexCache;
+var init_scope = __esm(() => {
+  scopeRegexCache = new Map;
+});
+// packages/guard-plugin/src/guard.ts
+import { optimizeNextInvocation } from "bun:jsc";
+import { existsSync, readFileSync, statSync } from "fs";
+import { resolve } from "path";
+import {
+  POLICY_VERSION
+} from "@rig/contracts";
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+function resetPolicyCache() {
+  policyCache = null;
+  policyCachePath = null;
+  seededPolicyConfig = null;
+}
+function seedPolicyFromContent(rawJson) {
+  try {
+    const parsed = JSON.parse(rawJson);
+    seededPolicyConfig = mergeWithDefaults(parsed);
+  } catch {}
+}
+function loadPolicy(projectRoot) {
+  if (seededPolicyConfig) {
+    return seededPolicyConfig;
+  }
+  const configPath = resolve(projectRoot, "rig/policy/policy.json");
+  if (!existsSync(configPath)) {
+    return defaultPolicy();
+  }
+  let mtimeMs;
+  try {
+    mtimeMs = statSync(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync(configPath, "utf-8"));
+  } catch {
+    return defaultPolicy();
+  }
+  const config = mergeWithDefaults(parsed);
+  policyCache = { mtimeMs, config };
+  policyCachePath = configPath;
+  return config;
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode)) {
+    base.mode = parsed.mode;
+  }
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const s = parsed.scope;
+    if (typeof s.fail_closed === "boolean")
+      base.scope.fail_closed = s.fail_closed;
+    if (typeof s.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = s.harness_paths_exempt;
+    if (typeof s.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = s.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules)) {
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  }
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sb = parsed.sandbox;
+    if (typeof sb.mode === "string" && isValidMode(sb.mode))
+      base.sandbox.mode = sb.mode;
+    if (typeof sb.network === "boolean")
+      base.sandbox.network = sb.network;
+    if (Array.isArray(sb.read_deny))
+      base.sandbox.read_deny = sb.read_deny.filter((v) => typeof v === "string");
+    if (typeof sb.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sb.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const iso = parsed.isolation;
+    if (iso.default_mode === "worktree")
+      base.isolation.default_mode = iso.default_mode;
+    if (typeof iso.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = iso.repo_symlink_fallback;
+    if (typeof iso.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = iso.strict_provisioning;
+    if (typeof iso.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = iso.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const comp = parsed.completion;
+    if (typeof comp.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = comp.derive_checks_from_scope;
+    if (Array.isArray(comp.checks))
+      base.completion.checks = comp.checks.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.typescript_config_probe))
+      base.completion.typescript_config_probe = comp.typescript_config_probe.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.eslint_config_probe))
+      base.completion.eslint_config_probe = comp.eslint_config_probe.filter((v) => typeof v === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean") {
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      }
+      if (typeof deps.hp_next_install === "boolean") {
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+      }
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean") {
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+    }
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean") {
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+    }
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const r = value;
+  return typeof r.id === "string" && typeof r.category === "string" && r.match != null && typeof r.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    rules.push({
+      id: entry.id,
+      category: "command",
+      match,
+      action: "block",
+      ...typeof entry.description === "string" ? { description: entry.description } : {}
+    });
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiledRegex = rule.match.regex ? compileSafeRegex(rule.match.regex, `rules.${rule.id}.match.regex`, true) : undefined;
+    const compiledUnlessRegex = rule.unless?.regex ? compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, true) : undefined;
+    return {
+      ...rule,
+      ...compiledRegex ? { compiledRegex } : {},
+      ...compiledUnlessRegex ? { compiledUnlessRegex } : {}
+    };
+  });
+}
+function getRegexUnsafeReason(pattern) {
+  if (pattern.length > 512) {
+    return "pattern exceeds max safe length (512 chars)";
+  }
+  if (/\\[1-9]/.test(pattern)) {
+    return "pattern uses backreferences";
+  }
+  if (/\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested quantifiers";
+  }
+  if (/\((?:[^()\\]|\\.)*\.\\?[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested broad quantifiers";
+  }
+  return null;
+}
+function compileSafeRegex(pattern, sourceLabel, logOnFailure) {
+  const cached = compiledRegexCache.get(pattern);
+  if (cached !== undefined) {
+    return cached ?? undefined;
+  }
+  const unsafeReason = getRegexUnsafeReason(pattern);
+  if (unsafeReason) {
+    if (logOnFailure) {
+      console.warn(`[policy] Skipping unsafe regex in ${sourceLabel}: ${unsafeReason}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+  try {
+    const compiled = new RegExp(pattern);
+    compiledRegexCache.set(pattern, compiled);
+    return compiled;
+  } catch (error) {
+    if (logOnFailure) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.warn(`[policy] Skipping invalid regex in ${sourceLabel}: ${message}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+}
+function matchRule(rule, input) {
+  const { match } = rule;
+  if (match.pattern && input.includes(match.pattern)) {
+    return true;
+  }
+  if (match.regex) {
+    const compiled = rule.compiledRegex || compileSafeRegex(match.regex, `rules.${rule.id}.match.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      return compiled.test(input);
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function matchRuleUnless(rule, command, taskId) {
+  if (!rule.unless)
+    return false;
+  if (rule.unless.regex) {
+    const compiled = rule.compiledUnlessRegex || compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      if (compiled.test(command))
+        return true;
+    } catch {}
+  }
+  if (rule.unless.task_in && taskId) {
+    if (rule.unless.task_in.includes(taskId))
+      return true;
+  }
+  return false;
+}
+function resolveAction(mode, matched) {
+  if (matched.length === 0)
+    return "allow";
+  if (mode === "off")
+    return "allow";
+  if (mode === "observe")
+    return "warn";
+  return "block";
+}
+function resolveAbsolutePath(projectRoot, rawPath) {
+  if (rawPath.startsWith("/"))
+    return resolve(rawPath);
+  return resolve(projectRoot, rawPath);
+}
+function isHarnessPath(projectRoot, rawPath) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  const managedRoots = [
+    resolve(projectRoot, "rig"),
+    resolve(projectRoot, ".rig"),
+    resolve(projectRoot, "artifacts")
+  ];
+  return managedRoots.some((root) => absPath === root || absPath.startsWith(root + "/"));
+}
+function isRuntimePath(projectRoot, rawPath, taskWorkspace) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  if (taskWorkspace) {
+    const workspaceRigRoot = resolve(taskWorkspace, ".rig");
+    const workspaceArtifactsRoot = resolve(taskWorkspace, "artifacts");
+    if (absPath === workspaceRigRoot || absPath.startsWith(workspaceRigRoot + "/") || absPath === workspaceArtifactsRoot || absPath.startsWith(workspaceArtifactsRoot + "/")) {
+      return true;
+    }
+  }
+  const runtimeRoot = resolve(projectRoot, ".rig/runtime/agents");
+  return absPath === runtimeRoot || absPath.startsWith(runtimeRoot + "/");
+}
+function isTestFile(path) {
+  return /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(path) || /\/(__tests__|tests|test)\//.test(path);
+}
+function evaluate(context) {
+  const policy = loadPolicy(context.projectRoot);
+  switch (context.evaluation.type) {
+    case "tool-call":
+      return evaluateToolCall(policy, context);
+    case "command":
+      return evaluateCommand(policy, context);
+    case "content-write":
+      return evaluateContent(policy, context);
+    case "file-access":
+      return evaluateScope(policy, context, context.evaluation.file_path, context.evaluation.access);
+  }
+}
+function evaluateScope(policy, context, filePath, access) {
+  const allowed = () => ({
+    allowed: true,
+    matchedRules: [],
+    action: "allow",
+    failClosed: false
+  });
+  if (policy.scope.harness_paths_exempt && isHarnessPath(context.projectRoot, filePath)) {
+    return allowed();
+  }
+  if (policy.scope.runtime_paths_exempt && isRuntimePath(context.projectRoot, filePath, context.taskWorkspace)) {
+    return allowed();
+  }
+  if (!context.taskId) {
+    if (access === "write" && policy.scope.fail_closed) {
+      return {
+        allowed: false,
+        matchedRules: [],
+        action: resolveAction(policy.mode, [{ id: "scope:no-task", category: "command", reason: "No active task; fail-closed for write operations" }]),
+        failClosed: true
+      };
+    }
+    return allowed();
+  }
+  const scopes = context.taskScopes || [];
+  if (scopes.length === 0) {
+    return allowed();
+  }
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith("/")) {
+    const absPath = resolve(filePath);
+    if (!absPath.startsWith(context.taskWorkspace + "/") && !isHarnessPath(context.projectRoot, filePath)) {
+      const reason2 = `Absolute path '${filePath}' is outside task runtime boundary. Allowed root: ${context.taskWorkspace}`;
+      const matched2 = [{ id: "scope:workspace-boundary", category: "command", reason: reason2 }];
+      return {
+        allowed: policy.mode !== "enforce",
+        matchedRules: matched2,
+        action: resolveAction(policy.mode, matched2),
+        failClosed: false
+      };
+    }
+  }
+  const monorepoRoot = context.monorepoRoot || process.env.MONOREPO_ROOT?.trim() || context.taskWorkspace || context.projectRoot;
+  let normalizedPath = filePath;
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith(context.taskWorkspace + "/")) {
+    normalizedPath = filePath.slice(context.taskWorkspace.length + 1);
+  }
+  normalizedPath = normalizePathToScope(context.projectRoot, monorepoRoot, normalizedPath);
+  if (scopeMatches(filePath, scopes) || scopeMatches(normalizedPath, scopes)) {
+    return allowed();
+  }
+  const reason = `File '${filePath}' (normalized: '${normalizedPath}') is outside scope of task ${context.taskId}`;
+  const matched = [{ id: "scope:out-of-scope", category: "command", reason }];
+  return {
+    allowed: policy.mode !== "enforce",
+    matchedRules: matched,
+    action: resolveAction(policy.mode, matched),
+    failClosed: false
+  };
+}
+function evaluateCommand(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "command") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const command = evaluation.command;
+  const matchedRules = [];
+  for (const rule of policy.rules) {
+    if (rule.category !== "command")
+      continue;
+    if (!matchRule(rule, command))
+      continue;
+    if (matchRuleUnless(rule, command, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      ...rule.description !== undefined ? { description: rule.description } : {},
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const writeTarget = extractWriteTarget(command);
+  if (writeTarget && !/^\/dev\//.test(writeTarget) && !/^\/proc\//.test(writeTarget)) {
+    const scopeResult = evaluateScope(policy, context, writeTarget, "write");
+    if (!scopeResult.allowed || scopeResult.matchedRules.length > 0) {
+      matchedRules.push(...scopeResult.matchedRules);
+    }
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function extractWriteTarget(command) {
+  const redirect = command.match(/>>?\s+([^\s;|&]+)/);
+  if (redirect?.[1])
+    return redirect[1];
+  const tee = command.match(/tee\s+(-a\s+)?([^\s;|&]+)/);
+  if (tee?.[2])
+    return tee[2];
+  return "";
+}
+function evaluateContent(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "content-write") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { content, file_path } = evaluation;
+  const matchedRules = [];
+  const scopeResult = evaluateScope(policy, context, file_path, "write");
+  if (scopeResult.matchedRules.length > 0) {
+    matchedRules.push(...scopeResult.matchedRules);
+  }
+  for (const rule of policy.rules) {
+    if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+      continue;
+    if (rule.applies_to === "test-files" && !isTestFile(file_path))
+      continue;
+    if (!matchRule(rule, content))
+      continue;
+    if (matchRuleUnless(rule, content, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      ...rule.description !== undefined ? { description: rule.description } : {},
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function evaluateToolCall(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "tool-call") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { tool_name, tool_input } = evaluation;
+  const allMatched = [];
+  const filePaths = extractFilePathsFromToolInput(tool_name, tool_input);
+  for (const fp of filePaths) {
+    const access = isWriteTool(tool_name) ? "write" : "read";
+    const scopeResult = evaluateScope(policy, context, fp, access);
+    if (scopeResult.matchedRules.length > 0) {
+      allMatched.push(...scopeResult.matchedRules);
+    }
+  }
+  const content = extractContentFromToolInput(tool_input);
+  if (content) {
+    const filePath = filePaths[0] || "";
+    const contentContext = {
+      ...context,
+      evaluation: { type: "content-write", file_path: filePath, content }
+    };
+    const contentPolicy = loadPolicy(context.projectRoot);
+    for (const rule of contentPolicy.rules) {
+      if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+        continue;
+      if (rule.applies_to === "test-files" && !isTestFile(filePath))
+        continue;
+      if (!matchRule(rule, content))
+        continue;
+      if (matchRuleUnless(rule, content, context.taskId))
+        continue;
+      allMatched.push({
+        id: rule.id,
+        category: rule.category,
+        ...rule.description !== undefined ? { description: rule.description } : {},
+        reason: rule.description || `Matched rule ${rule.id}`
+      });
+    }
+  }
+  if (tool_name === "Bash") {
+    const command = String(tool_input.command || tool_input.cmd || "");
+    if (command) {
+      const cmdContext = {
+        ...context,
+        evaluation: { type: "command", command }
+      };
+      const cmdResult = evaluateCommand(policy, cmdContext);
+      if (cmdResult.matchedRules.length > 0) {
+        allMatched.push(...cmdResult.matchedRules);
+      }
+    }
+  }
+  const seen = new Set;
+  const deduplicated = [];
+  for (const rule of allMatched) {
+    if (!seen.has(rule.id)) {
+      seen.add(rule.id);
+      deduplicated.push(rule);
+    }
+  }
+  const action = resolveAction(policy.mode, deduplicated);
+  return {
+    allowed: action !== "block",
+    matchedRules: deduplicated,
+    action,
+    failClosed: false
+  };
+}
+function isWriteTool(toolName) {
+  return toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit";
+}
+function extractFilePathsFromToolInput(toolName, input) {
+  const paths = [];
+  const add = (value) => {
+    if (typeof value === "string" && value.trim()) {
+      paths.push(value.trim());
+    }
+  };
+  if (toolName === "Read" || toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit") {
+    add(input.file_path);
+    add(input.path);
+  } else if (toolName === "Glob") {
+    add(input.path);
+  } else if (toolName === "Grep") {
+    add(input.path);
+  } else {
+    add(input.file_path);
+    add(input.path);
+  }
+  return paths;
+}
+function extractContentFromToolInput(input) {
+  if (typeof input.content === "string")
+    return input.content;
+  if (typeof input.new_string === "string")
+    return input.new_string;
+  return "";
+}
+function loadSandboxConfig(projectRoot) {
+  return loadPolicy(projectRoot).sandbox;
+}
+function loadIsolationConfig(projectRoot) {
+  return loadPolicy(projectRoot).isolation;
+}
+function loadCompletionConfig(projectRoot) {
+  return loadPolicy(projectRoot).completion;
+}
+function loadRuntimeImageConfig(projectRoot) {
+  return loadPolicy(projectRoot).runtime_image ?? {
+    deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+    plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+  };
+}
+function loadRuntimeSnapshotConfig(projectRoot) {
+  return loadPolicy(projectRoot).runtime_snapshot ?? { ...DEFAULT_RUNTIME_SNAPSHOT };
+}
+function primeGuardHotPaths() {
+  if (guardHotPathPrimed) {
+    return;
+  }
+  guardHotPathPrimed = true;
+  try {
+    optimizeNextInvocation(matchRule);
+    optimizeNextInvocation(evaluate);
+  } catch {}
+}
+var DEFAULT_SCOPE, DEFAULT_SANDBOX, DEFAULT_ISOLATION, DEFAULT_COMPLETION, DEFAULT_RUNTIME_IMAGE, DEFAULT_RUNTIME_SNAPSHOT, policyCache = null, policyCachePath = null, seededPolicyConfig = null, compiledRegexCache, guardHotPathPrimed = false;
+var init_guard = __esm(() => {
+  init_scope();
+  DEFAULT_SCOPE = {
+    fail_closed: true,
+    harness_paths_exempt: true,
+    runtime_paths_exempt: true
+  };
+  DEFAULT_SANDBOX = {
+    mode: "enforce",
+    network: true,
+    read_deny: [],
+    write_allow_from_runtime: true
+  };
+  DEFAULT_ISOLATION = {
+    default_mode: "worktree",
+    repo_symlink_fallback: false,
+    strict_provisioning: true,
+    fail_closed_on_provision_error: true
+  };
+  DEFAULT_COMPLETION = {
+    derive_checks_from_scope: true,
+    checks: [],
+    typescript_config_probe: ["tsconfig.json"],
+    eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+  };
+  DEFAULT_RUNTIME_IMAGE = {
+    deps: {
+      monorepo_install: false,
+      hp_next_install: false
+    },
+    plugins_require_binaries: true
+  };
+  DEFAULT_RUNTIME_SNAPSHOT = {
+    enabled: true
+  };
+  compiledRegexCache = new Map;
+  primeGuardHotPaths();
+});
 // packages/guard-plugin/src/hooks/safety-guard.ts
+var exports_safety_guard = {};
+__export(exports_safety_guard, {
+  safetyGuardHandler: () => safetyGuardHandler,
+  SAFETY_GUARD_HOOK_ID: () => SAFETY_GUARD_HOOK_ID
+});
 import { resolveTaskScopes, resolvePolicyContent, runTypedHook } from "@rig/hook-kit";
-import { evaluate, seedPolicyFromContent } from "@rig/runtime/control-plane/runtime/guard";
-var SAFETY_GUARD_HOOK_ID = "@rig/guard-plugin:safety-guard";
 async function safetyGuardHandler(ctx) {
   const projectRoot = ctx.projectRoot;
   seedPolicyFromContent(resolvePolicyContent(projectRoot));
@@ -62,17 +753,23 @@ async function safetyGuardHandler(ctx) {
   }
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "safety-guard") {
-  runTypedHook(safetyGuardHandler, { event: "PreToolUse" });
-}
+var init_safety_guard = __esm(() => {
+  init_guard();
+  if (process.env.RIG_HOOK_ROLE === "safety-guard") {
+    runTypedHook(safetyGuardHandler, { event: "PreToolUse" });
+  }
+});
 // packages/guard-plugin/src/hooks/scope-guard.ts
+var exports_scope_guard = {};
+__export(exports_scope_guard, {
+  scopeGuardHandler: () => scopeGuardHandler,
+  SCOPE_GUARD_HOOK_ID: () => SCOPE_GUARD_HOOK_ID
+});
 import { resolveTaskScopes as resolveTaskScopes2, resolvePolicyContent as resolvePolicyContent2, runTypedHook as runTypedHook2 } from "@rig/hook-kit";
-import { evaluate as evaluate2, seedPolicyFromContent as seedPolicyFromContent2 } from "@rig/runtime/control-plane/runtime/guard";
-var SCOPE_GUARD_HOOK_ID = "@rig/guard-plugin:scope-guard";
 async function scopeGuardHandler(ctx) {
   const projectRoot = ctx.projectRoot;
-  seedPolicyFromContent2(resolvePolicyContent2(projectRoot));
+  seedPolicyFromContent(resolvePolicyContent2(projectRoot));
   const tool = ctx.toolName ?? "";
   const toolInput = ctx.toolInput;
   const taskWorkspace = process.env.RIG_TASK_WORKSPACE || "";
@@ -111,7 +808,7 @@ async function scopeGuardHandler(ctx) {
   if (scopes.length === 0) {
     return { decision: "allow" };
   }
-  const decision = evaluate2({
+  const decision = evaluate({
     projectRoot,
     taskScopes: scopes,
     evaluation,
@@ -125,17 +822,23 @@ async function scopeGuardHandler(ctx) {
   }
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "scope-guard") {
-  runTypedHook2(scopeGuardHandler, { event: "PreToolUse" });
-}
+var init_scope_guard = __esm(() => {
+  init_guard();
+  if (process.env.RIG_HOOK_ROLE === "scope-guard") {
+    runTypedHook2(scopeGuardHandler, { event: "PreToolUse" });
+  }
+});
 // packages/guard-plugin/src/hooks/import-guard.ts
+var exports_import_guard = {};
+__export(exports_import_guard, {
+  importGuardHandler: () => importGuardHandler,
+  IMPORT_GUARD_HOOK_ID: () => IMPORT_GUARD_HOOK_ID
+});
 import { resolveTaskScopes as resolveTaskScopes3, resolvePolicyContent as resolvePolicyContent3, runTypedHook as runTypedHook3 } from "@rig/hook-kit";
-import { evaluate as evaluate3, seedPolicyFromContent as seedPolicyFromContent3 } from "@rig/runtime/control-plane/runtime/guard";
-var IMPORT_GUARD_HOOK_ID = "@rig/guard-plugin:import-guard";
 async function importGuardHandler(ctx) {
   const projectRoot = ctx.projectRoot;
-  seedPolicyFromContent3(resolvePolicyContent3(projectRoot));
+  seedPolicyFromContent(resolvePolicyContent3(projectRoot));
   const toolInput = ctx.toolInput;
   const content = String(toolInput.content ?? toolInput.new_string ?? "");
   if (!content) {
@@ -150,7 +853,7 @@ async function importGuardHandler(ctx) {
   const taskId = ctx.taskId || "";
   const scopes = taskId ? await resolveTaskScopes3(projectRoot, taskId) : [];
   const taskWorkspace = process.env.RIG_TASK_WORKSPACE || "";
-  const decision = evaluate3({
+  const decision = evaluate({
     projectRoot,
     taskScopes: scopes,
     evaluation,
@@ -170,17 +873,23 @@ Only import from a module public API (index.ts) or npm packages.`
   }
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "import-guard") {
-  runTypedHook3(importGuardHandler, { event: "PreToolUse" });
-}
+var init_import_guard = __esm(() => {
+  init_guard();
+  if (process.env.RIG_HOOK_ROLE === "import-guard") {
+    runTypedHook3(importGuardHandler, { event: "PreToolUse" });
+  }
+});
 // packages/guard-plugin/src/hooks/test-integrity-guard.ts
+var exports_test_integrity_guard = {};
+__export(exports_test_integrity_guard, {
+  testIntegrityGuardHandler: () => testIntegrityGuardHandler,
+  TEST_INTEGRITY_GUARD_HOOK_ID: () => TEST_INTEGRITY_GUARD_HOOK_ID
+});
 import { resolveTaskScopes as resolveTaskScopes4, resolvePolicyContent as resolvePolicyContent4, isTestFilePath, runTypedHook as runTypedHook4 } from "@rig/hook-kit";
-import { evaluate as evaluate4, seedPolicyFromContent as seedPolicyFromContent4 } from "@rig/runtime/control-plane/runtime/guard";
-var TEST_INTEGRITY_GUARD_HOOK_ID = "@rig/guard-plugin:test-integrity-guard";
 async function testIntegrityGuardHandler(ctx) {
   const projectRoot = ctx.projectRoot;
-  seedPolicyFromContent4(resolvePolicyContent4(projectRoot));
+  seedPolicyFromContent(resolvePolicyContent4(projectRoot));
   const toolInput = ctx.toolInput;
   const filePath = String(toolInput.file_path ?? toolInput.path ?? "");
   const content = String(toolInput.content ?? toolInput.new_string ?? "");
@@ -195,7 +904,7 @@ async function testIntegrityGuardHandler(ctx) {
   const taskId = ctx.taskId || "";
   const scopes = taskId ? await resolveTaskScopes4(projectRoot, taskId) : [];
   const taskWorkspace = process.env.RIG_TASK_WORKSPACE || "";
-  const decision = evaluate4({
+  const decision = evaluate({
     projectRoot,
     taskScopes: scopes,
     evaluation,
@@ -216,21 +925,28 @@ async function testIntegrityGuardHandler(ctx) {
   }
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "test-integrity-guard") {
-  runTypedHook4(testIntegrityGuardHandler, { event: "PreToolUse" });
-}
+var init_test_integrity_guard = __esm(() => {
+  init_guard();
+  if (process.env.RIG_HOOK_ROLE === "test-integrity-guard") {
+    runTypedHook4(testIntegrityGuardHandler, { event: "PreToolUse" });
+  }
+});
 // packages/guard-plugin/src/hooks/audit-trail.ts
-import { appendFileSync, mkdirSync } from "fs";
-import { resolve } from "path";
+var exports_audit_trail = {};
+__export(exports_audit_trail, {
+  auditTrailHandler: () => auditTrailHandler,
+  AUDIT_TRAIL_HOOK_ID: () => AUDIT_TRAIL_HOOK_ID
+});
+import { appendFileSync, mkdirSync as mkdirSync3 } from "fs";
+import { resolve as resolve4 } from "path";
 import { runTypedHook as runTypedHook5 } from "@rig/hook-kit";
-import { resolveHarnessPaths } from "@rig/runtime/control-plane/native/utils";
-var AUDIT_TRAIL_HOOK_ID = "@rig/guard-plugin:audit-trail";
+import { resolveRigLayout } from "@rig/core/layout";
 function auditTrailHandler(ctx) {
   const projectRoot = ctx.projectRoot;
   const toolInput = ctx.toolInput;
-  const paths = resolveHarnessPaths(projectRoot);
-  mkdirSync(paths.logsDir, { recursive: true });
+  const logsDir = process.env.RIG_LOGS_DIR?.trim() || resolveRigLayout(projectRoot).logsDir;
+  mkdirSync3(logsDir, { recursive: true });
   const taskId = ctx.taskId || "unknown";
   const tool = ctx.toolName || "unknown";
   const filePath = String(toolInput.file_path ?? toolInput.path ?? "none");
@@ -244,25 +960,31 @@ function auditTrailHandler(ctx) {
   if (tool === "Bash" && command) {
     payload.command_preview = command;
   }
-  appendFileSync(resolve(paths.logsDir, "audit.jsonl"), `${JSON.stringify(payload)}
+  appendFileSync(resolve4(logsDir, "audit.jsonl"), `${JSON.stringify(payload)}
 `, "utf-8");
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "audit-trail") {
-  runTypedHook5(auditTrailHandler, { event: "PreToolUse" });
-}
+var init_audit_trail = __esm(() => {
+  if (process.env.RIG_HOOK_ROLE === "audit-trail") {
+    runTypedHook5(auditTrailHandler, { event: "PreToolUse" });
+  }
+});
 // packages/guard-plugin/src/hooks/post-edit-lint.ts
-import { existsSync, readFileSync } from "fs";
+var exports_post_edit_lint = {};
+__export(exports_post_edit_lint, {
+  postEditLintHandler: () => postEditLintHandler,
+  POST_EDIT_LINT_HOOK_ID: () => POST_EDIT_LINT_HOOK_ID
+});
+import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
 import { runTypedHook as runTypedHook6 } from "@rig/hook-kit";
-var POST_EDIT_LINT_HOOK_ID = "@rig/guard-plugin:post-edit-lint";
 function postEditLintHandler(ctx) {
   const toolInput = ctx.toolInput;
   const filePath = String(toolInput.file_path ?? toolInput.path ?? "");
-  if (!filePath || !/\.(ts|tsx|js|jsx)$/.test(filePath) || !existsSync(filePath)) {
+  if (!filePath || !/\.(ts|tsx|js|jsx)$/.test(filePath) || !existsSync3(filePath)) {
     return { decision: "allow" };
   }
-  const content = readFileSync(filePath, "utf-8");
+  const content = readFileSync2(filePath, "utf-8");
   const warnings = [];
   const consoleCount = (content.match(/console\.(log|debug)\(/g) || []).length;
   if (consoleCount > 3) {
@@ -291,8 +1013,306 @@ These are not blocking, but must be resolved before task completion.`
   }
   return { decision: "allow" };
 }
-if (process.env.RIG_HOOK_ROLE === "post-edit-lint") {
-  runTypedHook6(postEditLintHandler, { event: "PostToolUse" });
+var init_post_edit_lint = __esm(() => {
+  if (process.env.RIG_HOOK_ROLE === "post-edit-lint") {
+    runTypedHook6(postEditLintHandler, { event: "PostToolUse" });
+  }
+});
+// packages/guard-plugin/src/plugin.ts
+import { definePlugin } from "@rig/core/config";
+import { defineCapability } from "@rig/core/capability";
+import { CLI_RUNNER, GUARD_TOOLCHAIN_SOURCES } from "@rig/contracts";
+// packages/guard-plugin/src/agent-shell.ts
+init_guard();
+var {$ } = globalThis.Bun;
+import { existsSync as existsSync2, mkdirSync as mkdirSync2 } from "fs";
+import { resolve as resolve3 } from "path";
+import { EventBus } from "@rig/core/runtime-events";
+import { CliError } from "@rig/contracts";
+// packages/guard-plugin/src/agent-binary-build.ts
+import { chmodSync, copyFileSync, linkSync, mkdirSync, rmSync, writeFileSync } from "fs";
+import { basename, dirname, resolve as resolve2 } from "path";
+import { runtimeProvisioningEnv } from "@rig/core/runtime-provisioning-env";
+// packages/guard-plugin/src/embedded-native-assets.ts
+var embeddedNatives = null;
+// packages/guard-plugin/src/agent-binary-build.ts
+function materializeSelfExecRole(outputPath, define) {
+  const selfPath = process.execPath;
+  mkdirSync(dirname(outputPath), { recursive: true });
+  rmSync(outputPath, { force: true });
+  try {
+    linkSync(selfPath, outputPath);
+  } catch {
+    copyFileSync(selfPath, outputPath);
+  }
+  chmodSync(outputPath, 493);
+  const role = basename(outputPath).replace(/\.exe$/i, "");
+  writeFileSync(`${outputPath}.rig-runconfig.json`, `${JSON.stringify({ role, define: define ?? {} }, null, 2)}
+`, { mode: 384 });
+}
+function hasEmbeddedNatives() {
+  return embeddedNatives !== null;
+}
+async function buildAgentBinary(entrypoint, outputPath, cwd, defines) {
+  if (hasEmbeddedNatives()) {
+    materializeSelfExecRole(outputPath, defines);
+    return;
+  }
+  await buildRuntimeBinary({
+    entrypoint,
+    outputPath,
+    cwd,
+    ...defines ? { define: defines } : {},
+    env: runtimeProvisioningEnv()
+  });
+}
+async function buildRuntimeBinary(options) {
+  mkdirSync(dirname(options.outputPath), { recursive: true });
+  await withTemporaryEnv({
+    ...options.env,
+    ...options.define ? { RIG_BUILD_CONFIG_JSON: JSON.stringify(options.define) } : {}
+  }, async () => {
+    const result = await Bun.build({
+      entrypoints: [resolve2(options.cwd, options.entrypoint)],
+      compile: { outfile: options.outputPath },
+      target: "bun",
+      format: "esm",
+      minify: true,
+      bytecode: true,
+      ...options.define ? { define: { __RIG_BUILD_CONFIG__: JSON.stringify(options.define) } } : {}
+    });
+    if (!result.success) {
+      throw new Error(result.logs.map((log) => log.message).join(`
+`) || `Failed to compile ${options.entrypoint}`);
+    }
+  });
+  chmodSync(options.outputPath, 493);
+}
+async function withTemporaryEnv(env, callback) {
+  const previous = {};
+  for (const [key, value] of Object.entries(env)) {
+    previous[key] = process.env[key];
+    if (value === undefined) {
+      delete process.env[key];
+    } else {
+      process.env[key] = value;
+    }
+  }
+  try {
+    return await callback();
+  } finally {
+    for (const [key, value] of Object.entries(previous)) {
+      if (value === undefined) {
+        delete process.env[key];
+      } else {
+        process.env[key] = value;
+      }
+    }
+  }
+}
+// packages/guard-plugin/src/agent-shell.ts
+init_guard();
+function withProjectRoot(projectRoot) {
+  $.cwd(projectRoot);
+}
+function formatCommand(parts) {
+  return parts.map((part) => /[^a-zA-Z0-9_./:-]/.test(part) ? JSON.stringify(part) : part).join(" ");
+}
+var AGENT_DISPATCH_SOURCE = "packages/provider-plugin/src/agent-harness/agent-wrapper.ts";
+function hasAgentDispatchSource(root) {
+  return existsSync2(resolve3(root, AGENT_DISPATCH_SOURCE));
+}
+function resolveAgentMaterializationSourceRoot(projectRoot, options = {}) {
+  const env = options.env ?? process.env;
+  const candidates = [
+    env.RIG_HOST_PROJECT_ROOT?.trim(),
+    env.PROJECT_RIG_ROOT?.trim(),
+    options.cwd ?? process.cwd(),
+    resolve3(options.moduleDir ?? import.meta.dir, "../../.."),
+    projectRoot
+  ].filter((value) => Boolean(value));
+  for (const candidate of candidates) {
+    const root = resolve3(candidate);
+    if (hasAgentDispatchSource(root)) {
+      return root;
+    }
+  }
+  return resolve3(projectRoot);
+}
+async function ensureAgentShellBinary(projectRoot, options = {}) {
+  const agentBinary = resolve3(projectRoot, ".rig", "bin", "rig-agent");
+  if (existsSync2(agentBinary)) {
+    return agentBinary;
+  }
+  const sourceRoot = resolveAgentMaterializationSourceRoot(projectRoot, options);
+  if (!hasAgentDispatchSource(sourceRoot)) {
+    throw new CliError(`Missing compiled agent dispatch binary at ${agentBinary}, and no Rig source checkout with ${AGENT_DISPATCH_SOURCE} was found to materialize it automatically.`, 2);
+  }
+  mkdirSync2(resolve3(agentBinary, ".."), { recursive: true });
+  try {
+    await (options.build ?? buildAgentBinary)(AGENT_DISPATCH_SOURCE, agentBinary, sourceRoot, {
+      AGENT_PROJECT_ROOT: projectRoot
+    });
+  } catch (error) {
+    throw new CliError(`Missing compiled agent dispatch binary at ${agentBinary}, and automatic materialization from ${sourceRoot} failed: ${error instanceof Error ? error.message : String(error)}`, 2);
+  }
+  if (!existsSync2(agentBinary)) {
+    throw new CliError(`Automatic agent dispatch materialization from ${sourceRoot} did not create ${agentBinary}.`, 2);
+  }
+  return agentBinary;
+}
+async function initializeRuntime(options) {
+  const eventBus = new EventBus({
+    projectRoot: options.projectRoot,
+    ...options.runId ? { runId: options.runId } : {}
+  });
+  let context;
+  const baseContext = {
+    projectRoot: options.projectRoot,
+    dryRun: options.dryRun,
+    outputMode: options.outputMode,
+    runId: eventBus.getRunId(),
+    ...options.policyMode ? { policyMode: options.policyMode } : {},
+    eventBus,
+    emitEvent: async (type, payload) => {
+      await eventBus.emit(type, payload);
+    }
+  };
+  context = {
+    ...baseContext,
+    runCommand: async (parts) => runCommand(context, parts)
+  };
+  await context.emitEvent("runtime.init", {
+    runId: context.runId,
+    outputMode: context.outputMode,
+    dryRun: context.dryRun,
+    policyMode: context.policyMode ?? loadPolicy(options.projectRoot).mode,
+    policyFile: resolve3(options.projectRoot, "rig/policy/policy.json")
+  });
+  return context;
+}
+async function runCommand(context, parts) {
+  if (parts.length === 0) {
+    throw new CliError("Cannot execute an empty command.");
+  }
+  const envMode = process.env.RIG_BASH_MODE;
+  const effectiveMode = context.policyMode || (envMode === "off" || envMode === "observe" || envMode === "enforce" ? envMode : loadPolicy(context.projectRoot).mode);
+  const controlledPath = `${resolve3(context.projectRoot, ".rig", "bin")}:${context.projectRoot}/rig/tools:${process.env.PATH ?? ""}`;
+  const usesInfrastructureBinary = parts[0] === "rig-server";
+  const controlledBash = usesInfrastructureBinary ? null : await ensureAgentShellBinary(context.projectRoot);
+  const commandEnv = [
+    "env",
+    `PATH=${controlledPath}`,
+    `PROJECT_RIG_ROOT=${context.projectRoot}`,
+    ...controlledBash ? [`BASH=${controlledBash}`] : [],
+    `RIG_BASH_MODE=${effectiveMode}`,
+    `RIG_POLICY_FILE=${resolve3(context.projectRoot, "rig/policy/policy.json")}`,
+    ...context.eventBus.getEventsFile() ? [`RIG_EVENTS_FILE=${context.eventBus.getEventsFile()}`] : []
+  ];
+  const commandWithEnv = [...commandEnv, ...parts];
+  const formatted = formatCommand(commandWithEnv);
+  await context.emitEvent("command.received", {
+    command: commandWithEnv,
+    formattedCommand: formatted
+  });
+  const guardDecision = evaluate({
+    projectRoot: context.projectRoot,
+    evaluation: { type: "command", command: formatted }
+  });
+  const guardAction = resolveAction(effectiveMode, guardDecision.matchedRules);
+  await context.emitEvent("policy.decision", {
+    target: "command",
+    command: formatted,
+    mode: effectiveMode,
+    allowed: guardAction !== "block",
+    matchedRuleIds: guardDecision.matchedRules.map((r) => r.id),
+    reasons: guardDecision.matchedRules.map((r) => r.reason)
+  });
+  if (guardAction === "block") {
+    await context.emitEvent("command.failed", {
+      command: commandWithEnv,
+      formattedCommand: formatted,
+      reason: "Policy denied command",
+      matchedRuleIds: guardDecision.matchedRules.map((r) => r.id),
+      mode: effectiveMode
+    });
+    throw new CliError(`Policy blocked command: ${formatted}`, 126, { hint: "Review rig/policy/policy.json, or re-run with `--policy-mode observe` to log instead of block." });
+  }
+  const startedAt = new Date;
+  await context.emitEvent("command.started", {
+    command: commandWithEnv,
+    formattedCommand: formatted,
+    startedAt: startedAt.toISOString(),
+    dryRun: context.dryRun
+  });
+  if (context.dryRun) {
+    const dryResult = {
+      command: commandWithEnv,
+      formattedCommand: formatted,
+      exitCode: 0,
+      durationMs: 0,
+      startedAt: startedAt.toISOString(),
+      finishedAt: startedAt.toISOString()
+    };
+    if (context.outputMode === "text") {
+      console.log(`$ ${formatted}`);
+    }
+    await context.emitEvent("command.finished", {
+      ...dryResult,
+      dryRun: true
+    });
+    return dryResult;
+  }
+  let exitCode = 0;
+  let stdout = "";
+  let stderr = "";
+  if (context.outputMode === "json") {
+    const child = Bun.spawn(commandWithEnv, {
+      cwd: context.projectRoot,
+      stdin: "inherit",
+      stdout: "pipe",
+      stderr: "pipe"
+    });
+    exitCode = await child.exited;
+    stdout = await new Response(child.stdout).text();
+    stderr = await new Response(child.stderr).text();
+  } else {
+    const child = Bun.spawn(commandWithEnv, {
+      cwd: context.projectRoot,
+      stdin: "inherit",
+      stdout: "inherit",
+      stderr: "inherit"
+    });
+    exitCode = await child.exited;
+  }
+  const finishedAt = new Date;
+  const result = {
+    command: commandWithEnv,
+    formattedCommand: formatted,
+    exitCode,
+    durationMs: finishedAt.getTime() - startedAt.getTime(),
+    startedAt: startedAt.toISOString(),
+    finishedAt: finishedAt.toISOString(),
+    ...context.outputMode === "json" ? { stdout, stderr } : {}
+  };
+  if (exitCode !== 0) {
+    await context.emitEvent("command.failed", {
+      ...result
+    });
+    const errorSuffix = context.outputMode === "json" && stderr ? `
+${stderr.trim()}` : "";
+    throw new CliError(`Command failed (${exitCode}): ${formatted}${errorSuffix}`, exitCode);
+  }
+  await context.emitEvent("command.finished", {
+    ...result
+  });
+  return result;
 }
 // packages/guard-plugin/src/plugin.ts
@@ -303,42 +1323,123 @@ var GUARD_HOOKS = [
     event: "PreToolUse",
     matcher: { kind: "all" },
     description: "Blocks dangerous commands and content patterns.",
-    handler: safetyGuardHandler
+    handler: (input) => Promise.resolve().then(() => (init_safety_guard(), exports_safety_guard)).then((m) => m.safetyGuardHandler(input))
   },
   {
     id: SCOPE_GUARD_HOOK_ID,
     event: "PreToolUse",
     matcher: { kind: "all" },
     description: "Enforces task scope boundaries.",
-    handler: scopeGuardHandler
+    handler: (input) => Promise.resolve().then(() => (init_scope_guard(), exports_scope_guard)).then((m) => m.scopeGuardHandler(input))
   },
   {
     id: IMPORT_GUARD_HOOK_ID,
     event: "PreToolUse",
     matcher: { kind: "all" },
     description: "Blocks cross-module internal imports.",
-    handler: importGuardHandler
+    handler: (input) => Promise.resolve().then(() => (init_import_guard(), exports_import_guard)).then((m) => m.importGuardHandler(input))
   },
   {
     id: TEST_INTEGRITY_GUARD_HOOK_ID,
     event: "PreToolUse",
     matcher: { kind: "all" },
     description: "Prevents test tampering (.skip, .only, missing assertions).",
-    handler: testIntegrityGuardHandler
+    handler: (input) => Promise.resolve().then(() => (init_test_integrity_guard(), exports_test_integrity_guard)).then((m) => m.testIntegrityGuardHandler(input))
   },
   {
     id: AUDIT_TRAIL_HOOK_ID,
     event: "PreToolUse",
     matcher: { kind: "all" },
     description: "Logs tool invocations to audit.jsonl.",
-    handler: auditTrailHandler
+    handler: (input) => Promise.resolve().then(() => (init_audit_trail(), exports_audit_trail)).then((m) => m.auditTrailHandler(input))
   },
   {
     id: POST_EDIT_LINT_HOOK_ID,
     event: "PostToolUse",
     matcher: { kind: "all" },
     description: "Warns about console.log spam, TODO markers, and empty catches.",
-    handler: postEditLintHandler
+    handler: (input) => Promise.resolve().then(() => (init_post_edit_lint(), exports_post_edit_lint)).then((m) => m.postEditLintHandler(input))
+  }
+];
+var ToolchainSourcesCap = defineCapability(GUARD_TOOLCHAIN_SOURCES);
+var CliRunnerCap = defineCapability(CLI_RUNNER);
+var GUARD_TOOLCHAIN_SOURCE_CONTRIBUTION = {
+  hookBinaries: [
+    { name: "scope-guard", source: "packages/guard-plugin/src/hooks/scope-guard.ts" },
+    { name: "import-guard", source: "packages/guard-plugin/src/hooks/import-guard.ts" },
+    { name: "safety-guard", source: "packages/guard-plugin/src/hooks/safety-guard.ts" },
+    { name: "test-integrity-guard", source: "packages/guard-plugin/src/hooks/test-integrity-guard.ts" },
+    { name: "audit-trail", source: "packages/guard-plugin/src/hooks/audit-trail.ts" },
+    { name: "post-edit-lint", source: "packages/guard-plugin/src/hooks/post-edit-lint.ts" }
+  ],
+  namedSources: {
+    "controlled-bash": "packages/guard-plugin/src/controlled-bash.ts"
+  }
+};
+var GUARD_CLI_RUNNER = {
+  initializeRuntime: async (options) => initializeRuntime(options),
+  runCommand: async (context, parts) => runCommand(context, parts),
+  ensureAgentShellBinary,
+  resolveAgentMaterializationSourceRoot,
+  withProjectRoot,
+  formatCommand,
+  loadPolicy
+};
+var GUARD_CAPABILITIES = [
+  ToolchainSourcesCap.provide(() => GUARD_TOOLCHAIN_SOURCE_CONTRIBUTION, {
+    title: "Guard toolchain sources",
+    description: "Source paths for guard hook binaries and the controlled-bash wrapper, compiled by the isolation runtime toolchain."
+  }),
+  CliRunnerCap.provide(() => GUARD_CLI_RUNNER, {
+    title: "CLI guarded runner",
+    description: "Policy-guarded command runner used by CLI-surface commands through the host seam."
+  })
+];
+async function runHookRunner(pluginName, hookId, role) {
+  process.env.RIG_HOOK_ROLE = role;
+  const { main } = await import("@rig/core/hook-runner");
+  await main(["--plugin", pluginName, "--hook", hookId]);
+}
+var GUARD_SEED_ENTRYPOINTS = [
+  {
+    id: `${GUARD_PLUGIN_NAME}:controlled-bash`,
+    basename: "controlled-bash",
+    description: "Policy-guarded shell wrapper used by per-run toolchains.",
+    run: async ({ argv, execPath }) => {
+      const { runControlledBash } = await import("@rig/guard-plugin/controlled-bash");
+      const { dirname: dirname2 } = await import("path");
+      process.exit(await runControlledBash(argv.slice(2), { projectRootFallbackDir: dirname2(execPath ?? process.cwd()) }));
+    }
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:scope-guard-entrypoint`,
+    basename: "scope-guard",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, SCOPE_GUARD_HOOK_ID, basename2 ?? "scope-guard")
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:import-guard-entrypoint`,
+    basename: "import-guard",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, IMPORT_GUARD_HOOK_ID, basename2 ?? "import-guard")
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:safety-guard-entrypoint`,
+    basename: "safety-guard",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, SAFETY_GUARD_HOOK_ID, basename2 ?? "safety-guard")
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:test-integrity-guard-entrypoint`,
+    basename: "test-integrity-guard",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, TEST_INTEGRITY_GUARD_HOOK_ID, basename2 ?? "test-integrity-guard")
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:audit-trail-entrypoint`,
+    basename: "audit-trail",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, AUDIT_TRAIL_HOOK_ID, basename2 ?? "audit-trail")
+  },
+  {
+    id: `${GUARD_PLUGIN_NAME}:post-edit-lint-entrypoint`,
+    basename: "post-edit-lint",
+    run: ({ basename: basename2 }) => runHookRunner(GUARD_PLUGIN_NAME, POST_EDIT_LINT_HOOK_ID, basename2 ?? "post-edit-lint")
   }
 ];
 function createGuardPlugin() {
@@ -346,16 +1447,39 @@ function createGuardPlugin() {
     name: GUARD_PLUGIN_NAME,
     version: "0.0.0-alpha.1",
     contributes: {
-      hooks: GUARD_HOOKS
+      hooks: GUARD_HOOKS,
+      capabilities: GUARD_CAPABILITIES,
+      seedEntrypoints: GUARD_SEED_ENTRYPOINTS
     }
   });
 }
+// packages/guard-plugin/src/index.ts
+init_safety_guard();
+init_scope_guard();
+init_import_guard();
+init_test_integrity_guard();
+init_audit_trail();
+init_post_edit_lint();
+init_guard();
 export {
   testIntegrityGuardHandler,
+  seedPolicyFromContent,
   scopeGuardHandler,
   safetyGuardHandler,
+  resolveAction,
+  resetPolicyCache,
   postEditLintHandler,
+  matchRule,
+  loadSandboxConfig,
+  loadRuntimeSnapshotConfig,
+  loadRuntimeImageConfig,
+  loadPolicy,
+  loadIsolationConfig,
+  loadCompletionConfig,
+  isHarnessPath,
   importGuardHandler,
+  evaluate,
   createGuardPlugin,
   auditTrailHandler,
   TEST_INTEGRITY_GUARD_HOOK_ID,