@h-rig/isolation-plugin 0.0.6-alpha.156 → 0.0.6-alpha.158

package/dist/src/runtime-native.js

@@ -0,0 +1,485 @@
+// @bun
+// packages/isolation-plugin/src/runtime-native.ts
+import { dlopen, ptr, suffix, toBuffer } from "bun:ffi";
+import { copyFileSync, existsSync as existsSync2, mkdirSync as mkdirSync2, renameSync as renameSync2, rmSync, statSync as statSync2 } from "fs";
+import { tmpdir as tmpdir2 } from "os";
+import { dirname, resolve as resolve2 } from "path";
+
+// packages/isolation-plugin/src/native-extract.ts
+import { existsSync, mkdirSync, readFileSync, renameSync, statSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { resolve } from "path";
+
+// packages/isolation-plugin/src/embedded-native-assets.ts
+var embeddedNatives = null;
+
+// packages/isolation-plugin/src/native-extract.ts
+var sharedNativeOutputDir = resolve(tmpdir(), "rig-native");
+var extractionCache = {};
+function hasEmbeddedNatives() {
+  return embeddedNatives != null;
+}
+function extractEmbeddedNative(name) {
+  if (name in extractionCache) {
+    return extractionCache[name] ?? null;
+  }
+  const entry = embeddedNatives?.[name];
+  if (!entry) {
+    extractionCache[name] = null;
+    return null;
+  }
+  try {
+    const targetPath = resolve(sharedNativeOutputDir, entry.fileName);
+    mkdirSync(sharedNativeOutputDir, { recursive: true });
+    const upToDate = existsSync(targetPath) && statSync(targetPath).size === entry.size;
+    if (!upToDate) {
+      const bytes = readFileSync(entry.filePath);
+      const tempPath = `${targetPath}.${process.pid}.${Date.now()}.tmp`;
+      writeFileSync(tempPath, bytes, { mode: 493 });
+      renameSync(tempPath, targetPath);
+    }
+    extractionCache[name] = targetPath;
+  } catch {
+    extractionCache[name] = null;
+  }
+  return extractionCache[name] ?? null;
+}
+
+// packages/isolation-plugin/src/sidecar-arg.ts
+var RIG_NATIVE_RUNTIME_SIDECAR_ARG = "__rig_native_runtime_sidecar";
+
+// packages/isolation-plugin/src/runtime-native.ts
+var sharedNativeRuntimeOutputDir = resolve2(tmpdir2(), "rig-native");
+var sharedNativeRuntimeOutputPath = resolve2(sharedNativeRuntimeOutputDir, `runtime-native-${process.platform}-${process.arch}.${suffix}`);
+var colocatedNativeRuntimeFileName = `runtime-native.${suffix}`;
+var OPERATION_RESULT_SIZE = 24;
+var RUNTIME_SCAN_ENTRY_SIZE = 64;
+var RUNTIME_SCAN_RESULT_SIZE = 40;
+var nativeRuntimeLibrary = await loadNativeRuntimeLibrary();
+function requireNativeRuntimeLibrary(feature) {
+  if (!nativeRuntimeLibrary) {
+    throw new Error(`Native Zig runtime is required for ${feature}`);
+  }
+  return nativeRuntimeLibrary;
+}
+function runtimeNativeLibraryFileName() {
+  return colocatedNativeRuntimeFileName;
+}
+function runtimePrepareTrackedPathsNative(input) {
+  const response = runNativeRuntimeSidecar({
+    op: "prepare-paths",
+    input
+  });
+  if (!response.ok) {
+    throw new Error(response.error);
+  }
+}
+function runtimeLinkDependencyLayerNative(sourceDir, targetDir) {
+  const response = runNativeRuntimeSidecar({
+    op: "link-dependency-layer",
+    input: { sourceDir, targetDir }
+  });
+  if (!response.ok) {
+    throw new Error(response.error);
+  }
+}
+function runtimeScanWorktreesNative(worktreesRoot) {
+  const response = runNativeRuntimeSidecar({
+    op: "scan-worktrees",
+    input: { worktreesRoot }
+  });
+  if (!response.ok) {
+    throw new Error(response.error);
+  }
+  return response.entries ?? [];
+}
+function runtimePrepareTrackedPathsInProcess(input) {
+  const runtimeLibrary = requireNativeRuntimeLibrary("runtime dependency layer linking");
+  const logsDir = Buffer.from(input.logsDir, "utf8");
+  const stateDir = Buffer.from(input.stateDir, "utf8");
+  const sessionDir = Buffer.from(input.sessionDir, "utf8");
+  const eventsFile = Buffer.from(input.eventsFile, "utf8");
+  const controlledBashLogFile = Buffer.from(input.controlledBashLogFile, "utf8");
+  const resultPtr = runtimeLibrary.symbols.runtime_prepare_paths(Number(ptr(logsDir)), logsDir.byteLength, Number(ptr(stateDir)), stateDir.byteLength, Number(ptr(sessionDir)), sessionDir.byteLength, Number(ptr(eventsFile)), eventsFile.byteLength, Number(ptr(controlledBashLogFile)), controlledBashLogFile.byteLength);
+  if (!resultPtr) {
+    throw new Error("runtime_prepare_paths returned null");
+  }
+  try {
+    const view = viewAt(resultPtr, OPERATION_RESULT_SIZE);
+    throwIfOperationError(view, "runtime_prepare_paths");
+  } finally {
+    runtimeLibrary.symbols.snapshot_release(resultPtr);
+  }
+}
+function runtimeLinkDependencyLayerInProcess(sourceDir, targetDir) {
+  const runtimeLibrary = requireNativeRuntimeLibrary("runtime worktree discovery");
+  const sourceBuffer = Buffer.from(sourceDir, "utf8");
+  const targetBuffer = Buffer.from(targetDir, "utf8");
+  const resultPtr = runtimeLibrary.symbols.runtime_link_dependency_layer(Number(ptr(sourceBuffer)), sourceBuffer.byteLength, Number(ptr(targetBuffer)), targetBuffer.byteLength);
+  if (!resultPtr) {
+    throw new Error("runtime_link_dependency_layer returned null");
+  }
+  try {
+    const view = viewAt(resultPtr, OPERATION_RESULT_SIZE);
+    throwIfOperationError(view, "runtime_link_dependency_layer");
+  } finally {
+    runtimeLibrary.symbols.snapshot_release(resultPtr);
+  }
+}
+function runtimeScanWorktreesInProcess(worktreesRoot) {
+  const runtimeLibrary = requireNativeRuntimeLibrary("runtime worktree discovery");
+  const rootBuffer = Buffer.from(worktreesRoot, "utf8");
+  const resultPtr = runtimeLibrary.symbols.runtime_scan_worktrees(Number(ptr(rootBuffer)), rootBuffer.byteLength);
+  if (!resultPtr) {
+    throw new Error(`runtime_scan_worktrees returned null for ${worktreesRoot}`);
+  }
+  try {
+    const view = viewAt(resultPtr, RUNTIME_SCAN_RESULT_SIZE);
+    throwIfScanError(view, "runtime_scan_worktrees");
+    const entriesPtr = readU64(view, 8);
+    const entriesLen = readU64(view, 16);
+    const entries = [];
+    for (let index = 0;index < entriesLen; index += 1) {
+      const entryView = viewAt(entriesPtr + index * RUNTIME_SCAN_ENTRY_SIZE, RUNTIME_SCAN_ENTRY_SIZE);
+      entries.push({
+        workspaceDir: readString(readU64(entryView, 0), readU64(entryView, 8)),
+        runtimeDir: readString(readU64(entryView, 16), readU64(entryView, 24)),
+        contextPath: readString(readU64(entryView, 32), readU64(entryView, 40)),
+        metadataPath: readString(readU64(entryView, 48), readU64(entryView, 56))
+      });
+    }
+    return entries;
+  } finally {
+    runtimeLibrary.symbols.snapshot_release(resultPtr);
+  }
+}
+function defaultNativeRuntimeLibraryPath() {
+  return sharedNativeRuntimeOutputPath;
+}
+async function ensureNativeRuntimeLibraryPath(outputPath = sharedNativeRuntimeOutputPath, options = {}) {
+  const explicitLib = process.env.RIG_NATIVE_RUNTIME_LIB?.trim();
+  if (explicitLib && existsSync2(explicitLib)) {
+    return explicitLib;
+  }
+  const embeddedPath = extractEmbeddedNative("snapshot");
+  if (embeddedPath) {
+    return embeddedPath;
+  }
+  if (await buildNativeRuntimeLibrary(outputPath, options)) {
+    return outputPath;
+  }
+  return !options.force && existsSync2(outputPath) ? outputPath : null;
+}
+async function materializeNativeRuntimeLibrary(targetDir) {
+  const sourcePath = await ensureNativeRuntimeLibraryPath();
+  if (!sourcePath) {
+    return null;
+  }
+  const targetPath = resolve2(targetDir, colocatedNativeRuntimeFileName);
+  mkdirSync2(targetDir, { recursive: true });
+  const needsCopy = !existsSync2(targetPath) || statSync2(sourcePath).mtimeMs > statSync2(targetPath).mtimeMs;
+  if (needsCopy) {
+    copyFileSync(sourcePath, targetPath);
+  }
+  return targetPath;
+}
+async function loadNativeRuntimeLibrary() {
+  if (process.env.RIG_DISABLE_ZIG_NATIVE === "1") {
+    return null;
+  }
+  const explicitLib = process.env.RIG_NATIVE_RUNTIME_LIB?.trim();
+  if (explicitLib && existsSync2(explicitLib)) {
+    const loaded = tryDlopenNativeRuntimeLibrary(explicitLib);
+    if (loaded) {
+      return loaded;
+    }
+  }
+  const embeddedPath = extractEmbeddedNative("snapshot");
+  if (embeddedPath) {
+    const loaded = tryDlopenNativeRuntimeLibrary(embeddedPath);
+    if (loaded) {
+      return loaded;
+    }
+  }
+  for (const candidate of nativeRuntimeLibraryCandidates()) {
+    if (!candidate || !existsSync2(candidate)) {
+      continue;
+    }
+    const loaded = tryDlopenNativeRuntimeLibrary(candidate);
+    if (loaded) {
+      return loaded;
+    }
+  }
+  const builtLibraryPath = await ensureNativeRuntimeLibraryPath(sharedNativeRuntimeOutputPath, { force: true });
+  if (!builtLibraryPath) {
+    return null;
+  }
+  return tryDlopenNativeRuntimeLibrary(builtLibraryPath);
+}
+function nativePackageLibraryCandidates(fromDir, names) {
+  const candidates = [];
+  let cursor = resolve2(fromDir);
+  for (let index = 0;index < 8; index += 1) {
+    for (const name of names) {
+      candidates.push(resolve2(cursor, "native", `${process.platform}-${process.arch}`, name), resolve2(cursor, "native", `${process.platform}-${process.arch}`, "lib", name), resolve2(cursor, "native", name), resolve2(cursor, "native", "lib", name));
+    }
+    const parent = dirname(cursor);
+    if (parent === cursor)
+      break;
+    cursor = parent;
+  }
+  return candidates;
+}
+function nativeRuntimeLibraryCandidates() {
+  const explicit = process.env.RIG_NATIVE_RUNTIME_LIB?.trim() || "";
+  const execDir = process.execPath?.trim() ? dirname(process.execPath.trim()) : "";
+  const platformSpecific = `runtime-native-${process.platform}-${process.arch}.${suffix}`;
+  return [...new Set([
+    explicit,
+    ...nativePackageLibraryCandidates(import.meta.dir, [colocatedNativeRuntimeFileName, platformSpecific]),
+    execDir ? resolve2(execDir, colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, platformSpecific) : "",
+    execDir ? resolve2(execDir, "..", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, "..", platformSpecific) : "",
+    execDir ? resolve2(execDir, "lib", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, "..", "lib", colocatedNativeRuntimeFileName) : "",
+    sharedNativeRuntimeOutputPath
+  ].filter(Boolean))];
+}
+function resolveNativeRuntimeSourcePath() {
+  const explicit = process.env.RIG_NATIVE_RUNTIME_SOURCE?.trim();
+  if (explicit && existsSync2(explicit)) {
+    return explicit;
+  }
+  const bundled = resolve2(import.meta.dir, "../native/snapshot.zig");
+  return existsSync2(bundled) ? bundled : null;
+}
+function resolveNativeRuntimeSidecarSourcePath() {
+  const envRoots = [
+    process.cwd()?.trim(),
+    process.env.RIG_HOST_PROJECT_ROOT?.trim(),
+    process.env.PROJECT_RIG_ROOT?.trim()
+  ].filter(Boolean);
+  for (const root of envRoots) {
+    for (const relative of [
+      "packages/isolation-plugin/src/runtime-native-sidecar.ts",
+      "packages/isolation-plugin/dist/src/runtime-native-sidecar.js"
+    ]) {
+      const candidate = resolve2(root, relative);
+      if (existsSync2(candidate)) {
+        return candidate;
+      }
+    }
+  }
+  for (const localCandidate of [
+    resolve2(import.meta.dir, "runtime-native-sidecar.js"),
+    resolve2(import.meta.dir, "runtime-native-sidecar.ts")
+  ]) {
+    if (existsSync2(localCandidate))
+      return localCandidate;
+  }
+  return null;
+}
+async function buildNativeRuntimeLibrary(outputPath, options = {}) {
+  if (process.env.RIG_DISABLE_ZIG_NATIVE === "1") {
+    return false;
+  }
+  const zigBinary = Bun.which("zig");
+  const sourcePath = resolveNativeRuntimeSourcePath();
+  if (!zigBinary || !sourcePath) {
+    return false;
+  }
+  const tempOutputPath = `${outputPath}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2)}.tmp`;
+  try {
+    mkdirSync2(dirname(outputPath), { recursive: true });
+    const needsBuild = options.force === true || !existsSync2(outputPath) || statSync2(sourcePath).mtimeMs > statSync2(outputPath).mtimeMs;
+    if (!needsBuild) {
+      return true;
+    }
+    const build = Bun.spawn([
+      zigBinary,
+      "build-lib",
+      sourcePath,
+      "-dynamic",
+      "-O",
+      "ReleaseFast",
+      `-femit-bin=${tempOutputPath}`
+    ], {
+      cwd: import.meta.dir,
+      stdout: "pipe",
+      stderr: "pipe"
+    });
+    const exitCode = await build.exited;
+    if (exitCode !== 0 || !existsSync2(tempOutputPath)) {
+      rmSync(tempOutputPath, { force: true });
+      return false;
+    }
+    renameSync2(tempOutputPath, outputPath);
+    return true;
+  } catch {
+    rmSync(tempOutputPath, { force: true });
+    return false;
+  }
+}
+function tryDlopenNativeRuntimeLibrary(outputPath) {
+  try {
+    return dlopen(outputPath, {
+      rig_scope_match: {
+        args: ["ptr", "ptr"],
+        returns: "u8"
+      },
+      snapshot_capture: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_delta: {
+        args: ["ptr", "ptr"],
+        returns: "ptr"
+      },
+      snapshot_store_delta: {
+        args: ["ptr", "ptr", "ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_inspect_delta: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_apply_delta: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_release: {
+        args: ["ptr"],
+        returns: "void"
+      },
+      runtime_hash_file: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_hash_tree: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_prepare_paths: {
+        args: ["ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_link_dependency_layer: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_scan_worktrees: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      }
+    });
+  } catch {
+    return null;
+  }
+}
+function resolveNativeRuntimeSidecarCommand(request) {
+  if (hasEmbeddedNatives()) {
+    return {
+      argv: [process.execPath, RIG_NATIVE_RUNTIME_SIDECAR_ARG, JSON.stringify(request)],
+      env: {}
+    };
+  }
+  const hostBinary = process.env.RIG_NATIVE_HOST_BINARY?.trim();
+  if (hostBinary) {
+    return {
+      argv: [hostBinary, RIG_NATIVE_RUNTIME_SIDECAR_ARG, JSON.stringify(request)],
+      env: {}
+    };
+  }
+  const sidecarSourcePath = resolveNativeRuntimeSidecarSourcePath();
+  if (!sidecarSourcePath) {
+    throw new Error("runtime-native-sidecar.ts source file not found.");
+  }
+  const bunCli = resolveNativeRuntimeSidecarInvocation();
+  return {
+    argv: [bunCli.command, sidecarSourcePath, JSON.stringify(request)],
+    env: bunCli.env
+  };
+}
+function runNativeRuntimeSidecar(request) {
+  const { argv, env } = resolveNativeRuntimeSidecarCommand(request);
+  const proc = Bun.spawnSync(argv, {
+    cwd: process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.cwd(),
+    stdout: "pipe",
+    stderr: "pipe",
+    env: {
+      ...process.env,
+      ...env,
+      RIG_NATIVE_RUNTIME_SIDECAR: "1"
+    }
+  });
+  if (proc.exitCode !== 0) {
+    throw new Error(proc.stderr.toString() || proc.stdout.toString() || `runtime native sidecar exited ${proc.exitCode}`);
+  }
+  const stdout = proc.stdout.toString().trim();
+  if (!stdout) {
+    throw new Error("runtime native sidecar returned empty output.");
+  }
+  const responseLine = stdout.split(`
+`).map((line) => line.trim()).filter((line) => line.startsWith("{")).at(-1);
+  if (!responseLine) {
+    throw new Error(`runtime native sidecar returned no JSON response: ${stdout}`);
+  }
+  return JSON.parse(responseLine);
+}
+function resolveNativeRuntimeSidecarInvocation() {
+  const bunPath = Bun.which("bun");
+  if (bunPath) {
+    return { command: bunPath, env: {} };
+  }
+  if (process.execPath?.trim()) {
+    return {
+      command: process.execPath,
+      env: { BUN_BE_BUN: "1" }
+    };
+  }
+  throw new Error("bun is required to run the runtime native sidecar.");
+}
+function viewAt(address, size) {
+  return Buffer.from(toBuffer(address, 0, size));
+}
+function readU64(view, offset) {
+  return Number(view.readBigUInt64LE(offset));
+}
+function readString(address, length) {
+  if (!address || !length) {
+    return "";
+  }
+  return Buffer.from(toBuffer(address, 0, length)).toString("utf8");
+}
+function throwIfOperationError(view, opName) {
+  const errorPtr = readU64(view, 8);
+  const errorLen = readU64(view, 16);
+  if (!errorPtr || errorLen === 0) {
+    return;
+  }
+  throw new Error(`${opName} failed: ${readString(errorPtr, errorLen)}`);
+}
+function throwIfScanError(view, opName) {
+  const errorPtr = readU64(view, 24);
+  const errorLen = readU64(view, 32);
+  if (!errorPtr || errorLen === 0) {
+    return;
+  }
+  throw new Error(`${opName} failed: ${readString(errorPtr, errorLen)}`);
+}
+export {
+  runtimeScanWorktreesNative,
+  runtimeScanWorktreesInProcess,
+  runtimePrepareTrackedPathsNative,
+  runtimePrepareTrackedPathsInProcess,
+  runtimeNativeLibraryFileName,
+  runtimeLinkDependencyLayerNative,
+  runtimeLinkDependencyLayerInProcess,
+  requireNativeRuntimeLibrary,
+  nativeRuntimeLibrary,
+  materializeNativeRuntimeLibrary,
+  ensureNativeRuntimeLibraryPath,
+  defaultNativeRuntimeLibraryPath,
+  RIG_NATIVE_RUNTIME_SIDECAR_ARG
+};

package/dist/src/sandbox/backend-bwrap.d.ts

@@ -0,0 +1,20 @@
+import type { SandboxConfig } from "@rig/contracts";
+import type { FilesystemContext, ResolvedPaths, RuntimeSandboxPlan, SandboxBackendKind, SandboxWrapOptions, SandboxWrapper } from "./backend";
+export declare class BwrapBackend implements SandboxWrapper {
+    readonly kind: SandboxBackendKind;
+    private readonly binaryPath;
+    private readonly config;
+    private readonly ctx;
+    private readonly resolvedPaths;
+    private readonly which;
+    constructor(binaryPath: string, config: SandboxConfig, ctx: FilesystemContext, resolvedPaths: ResolvedPaths, which?: (bin: string) => string | null);
+    wrap(options: SandboxWrapOptions): RuntimeSandboxPlan;
+    private buildCommand;
+    /**
+     * Resolve the first element of a command array to its real absolute path.
+     * Required for bwrap: the sandbox has no PATH pointing to ~/.local/bin,
+     * so "claude" would fail. We resolve via the injected which function,
+     * then follow symlinks with realpathSync.
+     */
+    private resolveCommandBinary;
+}