@h-rig/isolation-plugin 0.0.6-alpha.156 → 0.0.6-alpha.158

package/dist/src/isolation/runtime-binary-build.d.ts

@@ -0,0 +1,88 @@
+export declare const runtimeBinaryAssetEntries: readonly ["hooks", "lib", "tools", "templates", "policy", "plugins", "config.sh", "task-config.json"];
+export type RuntimeBinaryAssetEntry = (typeof runtimeBinaryAssetEntries)[number];
+export type RuntimeBinarySpec = {
+    name: string;
+    sourcePath: string;
+    outputPath: string;
+};
+export type RuntimeBinaryBuildManifest = {
+    name: string;
+    builtAt: string;
+    gitHead: string;
+    bunVersion: string;
+    binaries: Record<string, string>;
+    runtimeAssets: RuntimeBinaryAssetEntry[];
+};
+export declare const runtimeRigCliBinaryExternals: string[];
+export type RuntimeBinaryBuildOptions = {
+    sourcePath: string;
+    outputPath: string;
+    cwd: string;
+    define?: Record<string, string>;
+    external?: string[];
+    env?: Record<string, string | undefined>;
+};
+type ResolvedRuntimeBinaryBuildOptions = RuntimeBinaryBuildOptions & {
+    entrypoint: string;
+    outputPath: string;
+};
+export type RuntimeBinaryLaunchRequest = {
+    binaryPath: string;
+    args: string[];
+    cwd: string;
+    env?: Record<string, string | undefined>;
+    timeoutMs?: number;
+};
+export type RuntimeBinaryLaunchResult = {
+    exitCode: number;
+    stdout: string;
+    stderr: string;
+    timedOut: boolean;
+};
+export type RuntimeBinaryAssetCopyResult = {
+    copiedEntries: RuntimeBinaryAssetEntry[];
+    runtimeDir: string;
+};
+export declare function isRuntimeBinaryAssetEntry(value: string): value is RuntimeBinaryAssetEntry;
+export declare function createRuntimeBinaryBuildManifest(input: {
+    builtAt?: string;
+    gitHead?: string;
+    bunVersion: string;
+    binaries: Record<string, string>;
+    runtimeAssets?: readonly RuntimeBinaryAssetEntry[];
+    name?: string;
+}): RuntimeBinaryBuildManifest;
+/**
+ * Compiled-binary replacement for building a per-run helper binary from source.
+ * The single-file `rig` binary has no rig source to compile, so instead of building
+ * `<outputPath>`, hardlink it to THIS executable and drop a `<outputPath>.rig-runconfig.json`
+ * carrying its role (basename) + build `define`s. `bin/rig.ts` routes by execPath
+ * basename and rehydrates the config (incl. RIG_BAKED_* secrets) into the same
+ * `RIG_BUILD_CONFIG_JSON` channel `readBuildConfig()` reads — so the role behaves
+ * exactly as the from-source binary did. Secrets land in the run's private binDir,
+ * the same place (and protection) the baked binary held them.
+ */
+export declare function materializeSelfExecRole(outputPath: string, define?: Record<string, string>): void;
+/**
+ * Build (or, for the compiled single-file binary, self-exec-materialize) a rig
+ * runtime helper binary. Floor-level wrapper: when natives are embedded there is
+ * no rig source to compile, so hardlink this executable into the role + drop its
+ * run-config; otherwise compile from source via buildRuntimeBinary with the
+ * runtime provisioning env. Owned by the kernel floor so build-time CLI commands
+ * resolve it without importing the isolation plugin's impl.
+ */
+export declare function buildBinary(entrypoint: string, outputPath: string, cwd: string, defines?: Record<string, string>, external?: string[]): Promise<void>;
+export declare function buildRuntimeBinary(options: RuntimeBinaryBuildOptions): Promise<void>;
+export declare function buildRuntimeBinarySync(options: RuntimeBinaryBuildOptions): void;
+export declare function buildRuntimeBinaryInProcess(options: ResolvedRuntimeBinaryBuildOptions, manifest?: {
+    manifestPath: string;
+    buildKey: string;
+}): Promise<void>;
+export declare function copyRuntimeBinaryAssets(options: {
+    projectRoot: string;
+    outputDir: string;
+    rigDir?: string;
+    entries?: readonly RuntimeBinaryAssetEntry[];
+}): RuntimeBinaryAssetCopyResult;
+export declare function launchRuntimeBinary(request: RuntimeBinaryLaunchRequest): Promise<RuntimeBinaryLaunchResult>;
+export {};

package/dist/src/isolation/runtime-binary-build.js

@@ -0,0 +1,480 @@
+// @bun
+// packages/isolation-plugin/src/isolation/runtime-binary-build.ts
+import { spawn as nodeSpawn } from "child_process";
+import { chmodSync, copyFileSync, cpSync, existsSync, linkSync, mkdirSync, renameSync, rmSync, writeFileSync } from "fs";
+import { basename, dirname, resolve as resolve2 } from "path";
+import { fileURLToPath } from "url";
+import { drainMicrotasks, gcAndSweep } from "bun:jsc";
+import { resolveRigLayout } from "@rig/core/layout";
+import { runtimeProvisioningEnv } from "@rig/core/runtime-provisioning-env";
+
+// packages/isolation-plugin/src/native-extract.ts
+import { tmpdir } from "os";
+import { resolve } from "path";
+
+// packages/isolation-plugin/src/embedded-native-assets.ts
+var embeddedNatives = null;
+
+// packages/isolation-plugin/src/native-extract.ts
+var sharedNativeOutputDir = resolve(tmpdir(), "rig-native");
+function hasEmbeddedNatives() {
+  return embeddedNatives != null;
+}
+
+// packages/isolation-plugin/src/isolation/runtime-binary-build.ts
+var runtimeBinaryAssetEntries = [
+  "hooks",
+  "lib",
+  "tools",
+  "templates",
+  "policy",
+  "plugins",
+  "config.sh",
+  "task-config.json"
+];
+var runtimeRigCliBinaryExternals = ["mupdf"];
+var runtimeBinaryBuildQueue = Promise.resolve();
+function isRuntimeBinaryAssetEntry(value) {
+  return runtimeBinaryAssetEntries.includes(value);
+}
+function createRuntimeBinaryBuildManifest(input) {
+  return {
+    name: input.name ?? "project-rig-harness",
+    builtAt: input.builtAt ?? new Date().toISOString(),
+    gitHead: input.gitHead ?? "unknown",
+    bunVersion: input.bunVersion,
+    binaries: { ...input.binaries },
+    runtimeAssets: [...input.runtimeAssets ?? runtimeBinaryAssetEntries]
+  };
+}
+function materializeSelfExecRole(outputPath, define) {
+  const selfPath = process.execPath;
+  mkdirSync(dirname(outputPath), { recursive: true });
+  rmSync(outputPath, { force: true });
+  try {
+    linkSync(selfPath, outputPath);
+  } catch {
+    copyFileSync(selfPath, outputPath);
+  }
+  chmodSync(outputPath, 493);
+  const role = basename(outputPath).replace(/\.exe$/i, "");
+  writeFileSync(`${outputPath}.rig-runconfig.json`, `${JSON.stringify({ role, define: define ?? {} }, null, 2)}
+`, { mode: 384 });
+}
+async function buildBinary(entrypoint, outputPath, cwd, defines, external) {
+  if (hasEmbeddedNatives()) {
+    materializeSelfExecRole(outputPath, defines);
+    return;
+  }
+  await buildRuntimeBinary({
+    sourcePath: entrypoint,
+    outputPath,
+    cwd,
+    ...defines ? { define: defines } : {},
+    env: runtimeProvisioningEnv(),
+    ...external ? { external } : {}
+  });
+}
+async function buildRuntimeBinary(options) {
+  return runSerializedRuntimeBinaryBuild(async () => {
+    const resolved = resolveRuntimeBinaryBuildOptions(options);
+    runBestEffortBuildGc();
+    const manifestPath = runtimeBinaryCacheManifestPath(resolved.outputPath);
+    const buildKey = createRuntimeBinaryBuildKey({
+      entrypoint: resolved.entrypoint,
+      define: resolved.define,
+      env: resolved.env,
+      external: resolved.external
+    });
+    if (await isRuntimeBinaryBuildFresh({ outputPath: resolved.outputPath, manifestPath, buildKey })) {
+      return;
+    }
+    if (shouldUseRuntimeBinaryBuildWorker()) {
+      await buildRuntimeBinaryViaWorker(resolved);
+    } else {
+      await buildRuntimeBinaryInProcess(resolved, { manifestPath, buildKey });
+    }
+    runBestEffortBuildGc();
+  });
+}
+function buildRuntimeBinarySync(options) {
+  const resolved = resolveRuntimeBinaryBuildOptions(options);
+  runBestEffortBuildGc();
+  runRuntimeBinaryBuildWorkerSync(resolved);
+  runBestEffortBuildGc();
+}
+async function buildRuntimeBinaryInProcess(options, manifest) {
+  const tempBuildDir = resolve2(dirname(options.outputPath), `.bun-build-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+  const tempOutputPath = resolve2(tempBuildDir, basename(options.outputPath));
+  mkdirSync(tempBuildDir, { recursive: true });
+  await withTemporaryEnv({
+    ...options.env,
+    ...options.define ? { RIG_BUILD_CONFIG_JSON: JSON.stringify(options.define) } : {}
+  }, async () => withTemporaryCwd(tempBuildDir, async () => {
+    const buildResult = await Bun.build({
+      entrypoints: [options.entrypoint],
+      compile: {
+        target: currentCompileTarget(),
+        outfile: tempOutputPath
+      },
+      target: "bun",
+      format: "esm",
+      minify: true,
+      bytecode: true,
+      metafile: true,
+      ...options.external ? { external: options.external } : {},
+      ...options.define ? { define: { __RIG_BUILD_CONFIG__: JSON.stringify(options.define) } } : {}
+    });
+    if (!buildResult.success) {
+      const details = buildResult.logs.map((log) => [log.message, log.position?.file ? `${log.position.file}:${log.position.line}:${log.position.column}` : ""].filter(Boolean).join(" ")).filter(Boolean).join(`
+`);
+      throw new Error(`Failed to build ${options.entrypoint}: ${details || "Bun.build() returned errors"}`);
+    }
+    if (!existsSync(tempOutputPath)) {
+      const emitted = buildResult.outputs.map((output) => output.path).join(", ") || "(none)";
+      throw new Error(`Failed to build ${options.entrypoint}: Bun.build() did not emit ${tempOutputPath}. Emitted: ${emitted}`);
+    }
+    renameSync(tempOutputPath, options.outputPath);
+    chmodSync(options.outputPath, 493);
+    if (manifest) {
+      await writeRuntimeBinaryCacheManifest({
+        manifestPath: manifest.manifestPath,
+        buildKey: manifest.buildKey,
+        cwd: tempBuildDir,
+        metafile: buildResult.metafile
+      });
+    }
+  })).finally(() => {
+    rmSync(tempBuildDir, { recursive: true, force: true });
+  });
+}
+function runBestEffortBuildGc() {
+  try {
+    drainMicrotasks();
+  } catch {}
+  try {
+    gcAndSweep();
+  } catch {}
+}
+function runtimeBinaryCacheManifestPath(outputPath) {
+  return `${outputPath}.build-manifest.json`;
+}
+function resolveRuntimeBinaryBuildOptions(options) {
+  return {
+    ...options,
+    entrypoint: resolve2(options.cwd, options.sourcePath),
+    outputPath: resolve2(options.outputPath)
+  };
+}
+function shouldUseRuntimeBinaryBuildWorker() {
+  if (process.env.RIG_RUNTIME_BUILD_WORKER === "1") {
+    return false;
+  }
+  if (process.env.RIG_RUNTIME_BUILD_IN_PROCESS === "1") {
+    return false;
+  }
+  return true;
+}
+async function buildRuntimeBinaryViaWorker(options) {
+  const workerSourcePath = resolveRuntimeBinaryBuildWorkerSourcePath(options);
+  if (!workerSourcePath || !existsSync(workerSourcePath)) {
+    await buildRuntimeBinaryInProcess(options, {
+      manifestPath: runtimeBinaryCacheManifestPath(options.outputPath),
+      buildKey: createRuntimeBinaryBuildKey({
+        entrypoint: options.entrypoint,
+        define: options.define,
+        env: options.env,
+        external: options.external
+      })
+    });
+    return;
+  }
+  const payloadPath = createRuntimeBinaryBuildWorkerPayloadPath(options.outputPath);
+  const bunCli = resolveRuntimeBinaryBuildWorkerInvocation();
+  await Bun.write(payloadPath, `${JSON.stringify(options)}
+`);
+  const build = Bun.spawn([bunCli.command, workerSourcePath, payloadPath], {
+    cwd: options.cwd,
+    stdout: "pipe",
+    stderr: "pipe",
+    env: {
+      ...process.env,
+      ...options.env,
+      ...bunCli.env,
+      RIG_RUNTIME_BUILD_WORKER: "1"
+    }
+  });
+  const [exitCode, stdout, stderr] = await Promise.all([
+    build.exited,
+    new Response(build.stdout).text(),
+    new Response(build.stderr).text()
+  ]);
+  rmSync(payloadPath, { force: true });
+  if (exitCode !== 0) {
+    throw new Error(`Failed to build ${options.entrypoint}: ${(stderr || stdout || `worker exited ${exitCode}`).trim()}`);
+  }
+}
+function runRuntimeBinaryBuildWorkerSync(options) {
+  const workerSourcePath = resolveRuntimeBinaryBuildWorkerSourcePath(options);
+  if (!workerSourcePath || !existsSync(workerSourcePath)) {
+    throw new Error(`Failed to build ${options.entrypoint}: runtime binary build worker not found`);
+  }
+  const payloadPath = createRuntimeBinaryBuildWorkerPayloadPath(options.outputPath);
+  const bunCli = resolveRuntimeBinaryBuildWorkerInvocation();
+  try {
+    writeFileSync(payloadPath, `${JSON.stringify(options)}
+`, "utf-8");
+    const result = Bun.spawnSync([bunCli.command, workerSourcePath, payloadPath], {
+      cwd: options.cwd,
+      stdout: "pipe",
+      stderr: "pipe",
+      env: {
+        ...process.env,
+        ...options.env,
+        ...bunCli.env,
+        RIG_RUNTIME_BUILD_WORKER: "1"
+      }
+    });
+    if (result.exitCode !== 0) {
+      const stderr = result.stderr.toString();
+      const stdout = result.stdout.toString();
+      throw new Error(`Failed to build ${options.entrypoint}: ${(stderr || stdout || `worker exited ${result.exitCode}`).trim()}`);
+    }
+  } finally {
+    rmSync(payloadPath, { force: true });
+  }
+}
+function createRuntimeBinaryBuildWorkerPayloadPath(outputPath) {
+  return resolve2(dirname(outputPath), `.bun-build-worker-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}.json`);
+}
+function resolveRuntimeBinaryBuildWorkerSourcePath(options) {
+  const envRoots = [
+    options.cwd?.trim(),
+    process.env.RIG_HOST_PROJECT_ROOT?.trim(),
+    process.env.PROJECT_RIG_ROOT?.trim()
+  ].filter(Boolean);
+  for (const root of envRoots) {
+    const candidate = resolve2(root, "packages/isolation-plugin/src/isolation/binary-build-worker.ts");
+    if (existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  const localCandidate = resolve2(import.meta.dir, "binary-build-worker.ts");
+  return existsSync(localCandidate) ? localCandidate : null;
+}
+function resolveRuntimeBinaryBuildWorkerInvocation() {
+  const bunPath = Bun.which("bun");
+  if (bunPath) {
+    return { command: bunPath, env: {} };
+  }
+  if (process.execPath?.trim()) {
+    return {
+      command: process.execPath,
+      env: { BUN_BE_BUN: "1" }
+    };
+  }
+  throw new Error("bun is required to run the runtime binary build worker.");
+}
+function currentCompileTarget() {
+  if (process.platform === "darwin") {
+    return process.arch === "arm64" ? "bun-darwin-arm64" : "bun-darwin-x64";
+  }
+  if (process.platform === "linux") {
+    return process.arch === "arm64" ? "bun-linux-arm64" : "bun-linux-x64";
+  }
+  return "bun-windows-x64";
+}
+function createRuntimeBinaryBuildKey(input) {
+  return JSON.stringify({
+    version: 1,
+    bunVersion: Bun.version,
+    platform: process.platform,
+    arch: process.arch,
+    entrypoint: input.entrypoint,
+    define: sortRecord(input.define),
+    external: input.external ? [...input.external].sort() : undefined,
+    env: sortRecord(input.env)
+  });
+}
+async function isRuntimeBinaryBuildFresh(input) {
+  if (!existsSync(input.outputPath) || !existsSync(input.manifestPath)) {
+    return false;
+  }
+  let manifest = null;
+  try {
+    manifest = await Bun.file(input.manifestPath).json();
+  } catch {
+    return false;
+  }
+  if (!manifest || manifest.version !== 1 || manifest.buildKey !== input.buildKey) {
+    return false;
+  }
+  for (const [filePath, expectedDigest] of Object.entries(manifest.inputs || {})) {
+    if (!existsSync(filePath)) {
+      return false;
+    }
+    if (await sha256File(filePath) !== expectedDigest) {
+      return false;
+    }
+  }
+  return true;
+}
+async function writeRuntimeBinaryCacheManifest(input) {
+  const inputs = {};
+  for (const inputPath of Object.keys(input.metafile?.inputs || {}).sort()) {
+    const normalized = normalizeBuildInputPath(input.cwd, inputPath);
+    if (!normalized || !existsSync(normalized)) {
+      continue;
+    }
+    inputs[normalized] = await sha256File(normalized);
+  }
+  const manifest = {
+    version: 1,
+    buildKey: input.buildKey,
+    inputs
+  };
+  await Bun.write(input.manifestPath, `${JSON.stringify(manifest, null, 2)}
+`);
+}
+function normalizeBuildInputPath(cwd, inputPath) {
+  if (!inputPath) {
+    return null;
+  }
+  if (inputPath.startsWith("file://")) {
+    return fileURLToPath(inputPath);
+  }
+  if (inputPath.startsWith("<")) {
+    return null;
+  }
+  return resolve2(cwd, inputPath);
+}
+async function sha256File(path) {
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(await Bun.file(path).arrayBuffer());
+  return hasher.digest("hex");
+}
+function sortRecord(value) {
+  if (!value) {
+    return;
+  }
+  return Object.fromEntries(Object.entries(value).sort(([left], [right]) => left.localeCompare(right)));
+}
+async function runSerializedRuntimeBinaryBuild(action) {
+  const previous = runtimeBinaryBuildQueue;
+  let release;
+  runtimeBinaryBuildQueue = new Promise((resolve3) => {
+    release = resolve3;
+  });
+  await previous;
+  try {
+    return await action();
+  } finally {
+    release();
+  }
+}
+async function withTemporaryEnv(env, action) {
+  if (!env) {
+    return action();
+  }
+  const previousValues = new Map;
+  for (const [key, value] of Object.entries(env)) {
+    previousValues.set(key, process.env[key]);
+    if (value === undefined) {
+      delete process.env[key];
+    } else {
+      process.env[key] = value;
+    }
+  }
+  try {
+    return await action();
+  } finally {
+    for (const [key, value] of previousValues.entries()) {
+      if (value === undefined) {
+        delete process.env[key];
+      } else {
+        process.env[key] = value;
+      }
+    }
+  }
+}
+async function withTemporaryCwd(cwd, action) {
+  const previousCwd = process.cwd();
+  process.chdir(cwd);
+  try {
+    return await action();
+  } finally {
+    process.chdir(previousCwd);
+  }
+}
+function copyRuntimeBinaryAssets(options) {
+  const definitionRoot = options.rigDir ?? resolveRigLayout(options.projectRoot).definitionRoot;
+  const runtimeDir = resolve2(options.outputDir, "runtime", "rig");
+  mkdirSync(runtimeDir, { recursive: true });
+  const copiedEntries = [];
+  for (const entry of options.entries ?? runtimeBinaryAssetEntries) {
+    const source = resolve2(definitionRoot, entry);
+    if (!existsSync(source)) {
+      continue;
+    }
+    cpSync(source, resolve2(runtimeDir, entry), { recursive: true });
+    copiedEntries.push(entry);
+  }
+  return { copiedEntries, runtimeDir };
+}
+async function launchRuntimeBinary(request) {
+  const options = {
+    cwd: request.cwd,
+    env: request.env ? { ...process.env, ...request.env } : process.env
+  };
+  if (request.timeoutMs !== undefined) {
+    options.timeoutMs = request.timeoutMs;
+  }
+  return spawnProcess(request.binaryPath, request.args, options);
+}
+async function spawnProcess(command, args, options) {
+  const child = nodeSpawn(command, args, {
+    cwd: options.cwd,
+    env: options.env,
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  let stdout = "";
+  let stderr = "";
+  child.stdout?.setEncoding("utf8");
+  child.stderr?.setEncoding("utf8");
+  child.stdout?.on("data", (chunk) => {
+    stdout += chunk;
+  });
+  child.stderr?.on("data", (chunk) => {
+    stderr += chunk;
+  });
+  let timedOut = false;
+  let timer;
+  const exitCode = await new Promise((resolveExit, rejectExit) => {
+    if (options.timeoutMs && options.timeoutMs > 0) {
+      timer = setTimeout(() => {
+        timedOut = true;
+        child.kill();
+      }, options.timeoutMs);
+    }
+    child.once("error", rejectExit);
+    child.once("close", (code) => resolveExit(code ?? (timedOut ? 1 : 0)));
+  }).finally(() => {
+    if (timer) {
+      clearTimeout(timer);
+    }
+  });
+  return { exitCode, stdout, stderr, timedOut };
+}
+export {
+  runtimeRigCliBinaryExternals,
+  runtimeBinaryAssetEntries,
+  materializeSelfExecRole,
+  launchRuntimeBinary,
+  isRuntimeBinaryAssetEntry,
+  createRuntimeBinaryBuildManifest,
+  copyRuntimeBinaryAssets,
+  buildRuntimeBinarySync,
+  buildRuntimeBinaryInProcess,
+  buildRuntimeBinary,
+  buildBinary
+};

package/dist/src/isolation/shared.d.ts

@@ -0,0 +1,29 @@
+import { agentId, taskRuntimeId } from "@rig/core/safe-identifiers";
+export { agentId, taskRuntimeId };
+export declare function isRuntimeGatewayGitPath(candidate: string): boolean;
+export declare function isRuntimeGatewayGhPath(candidate: string): boolean;
+export declare function resolveHostGitBinary(): string;
+export declare function resolveGithubCliBinary(options?: {
+    scanPath?: boolean;
+}): string;
+export declare function resolveMonorepoRoot(projectRoot: string): string;
+export declare function runGitCommand(repoRoot: string, args: string[]): Promise<Awaited<ReturnType<typeof Bun.$>>>;
+export declare function readGitConfigValue(repoRoot: string, key: string, global?: boolean): Promise<string>;
+export declare function readGitStdout(repoRoot: string, args: string[]): Promise<string>;
+export declare function hasGitRemote(repoRoot: string, remote: string): Promise<boolean>;
+export declare function ensureFullGitHistory(repoRoot: string): Promise<void>;
+export declare function refreshRemoteBranch(repoRoot: string, remote: string, branch: string): Promise<void>;
+export declare function tryReadGitHead(repoRoot: string): Promise<string | undefined>;
+export declare function captureRepoDirtyFiles(repoRoot: string): Promise<string[]>;
+export declare function sha256Hex(input: string | Buffer | Uint8Array): string;
+export declare function registerCredentialCleanup(path: string): void;
+export declare function captureStdout(fn: () => Promise<void> | void): Promise<string>;
+export declare function sanitizeRuntimeRefSegment(value: string): string;
+export declare function runtimeBranchBackupName(branch: string): string;
+export declare function hashProjectPath(workspaceDir: string): string;
+export declare function resolveGithubCliAuthToken(ghBinary?: string): Promise<string>;
+export declare function resolveSystemCertBundlePath(): string;
+export declare const __testOnly: {
+    cleanupGeneratedCredentialFiles(): void;
+};
+export declare function readKnownHosts(path: string): Set<string>;