@h-rig/isolation-plugin 0.0.6-alpha.157 → 0.0.6-alpha.158

package/dist/src/isolation/runner.js

@@ -0,0 +1,1881 @@
+// @bun
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+function __accessProp(key) {
+  return this[key];
+}
+var __toCommonJS = (from) => {
+  var entry = (__moduleCache ??= new WeakMap).get(from), desc;
+  if (entry)
+    return entry;
+  entry = __defProp({}, "__esModule", { value: true });
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (var key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(entry, key))
+        __defProp(entry, key, {
+          get: __accessProp.bind(from, key),
+          enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+        });
+  }
+  __moduleCache.set(from, entry);
+  return entry;
+};
+var __moduleCache;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = import.meta.require;
+
+// packages/isolation-plugin/src/sandbox/utils.ts
+import { existsSync as existsSync2, readdirSync, realpathSync } from "fs";
+import { resolve as resolve2 } from "path";
+import { resolveMonorepoRoot } from "@rig/core/layout";
+function toRealPath(path) {
+  if (!existsSync2(path)) {
+    return resolve2(path);
+  }
+  try {
+    return realpathSync.native(path);
+  } catch {
+    return resolve2(path);
+  }
+}
+function resolveHostGitMetadataPaths(projectRoot, workspaceDir) {
+  const candidates = new Set;
+  const addPath = (candidate) => {
+    if (existsSync2(candidate)) {
+      candidates.add(toRealPath(candidate));
+    }
+  };
+  addPath(resolve2(projectRoot, ".git"));
+  addPath(resolve2(workspaceDir, "..", "..", ".git"));
+  for (const repoRoot of resolveHostRepoRootPaths(projectRoot)) {
+    addPath(resolve2(repoRoot, ".git"));
+  }
+  const workspaceGit = resolve2(workspaceDir, ".git");
+  if (existsSync2(workspaceGit)) {
+    addPath(workspaceGit);
+  }
+  return [...candidates];
+}
+function resolveHostRepoRootPaths(projectRoot) {
+  const candidates = new Set;
+  const addPath = (candidate) => {
+    if (existsSync2(candidate)) {
+      candidates.add(toRealPath(candidate));
+    }
+  };
+  try {
+    const monorepoRoot = resolveMonorepoRoot(projectRoot);
+    if (toRealPath(monorepoRoot) !== toRealPath(projectRoot)) {
+      addPath(monorepoRoot);
+    }
+  } catch {}
+  const reposDir = resolve2(projectRoot, "repos");
+  if (existsSync2(reposDir)) {
+    for (const entry of readdirSync(reposDir, { withFileTypes: true })) {
+      if (entry.isDirectory() || entry.isSymbolicLink()) {
+        addPath(resolve2(reposDir, entry.name));
+      }
+    }
+  }
+  return [...candidates];
+}
+function resolveNetworkWithPolicy(sandboxConfig, envOverride) {
+  if (envOverride) {
+    const envValue = parseBooleanEnv(envOverride, sandboxConfig.network);
+    if (envValue !== sandboxConfig.network) {
+      console.warn(`[sandbox] RIG_RUNTIME_SANDBOX_NETWORK=${envOverride} overrides policy sandbox.network=${sandboxConfig.network}`);
+    }
+    return envValue;
+  }
+  return sandboxConfig.network;
+}
+function parseBooleanEnv(raw, fallback) {
+  if (!raw) {
+    return fallback;
+  }
+  const normalized = raw.trim().toLowerCase();
+  if (normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on") {
+    return true;
+  }
+  if (normalized === "0" || normalized === "false" || normalized === "no" || normalized === "off") {
+    return false;
+  }
+  return fallback;
+}
+function uniq(values) {
+  return [...new Set(values)];
+}
+function seatbeltString(value) {
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"")}"`;
+}
+var init_utils = () => {};
+
+// packages/isolation-plugin/src/sandbox/backend-seatbelt.ts
+var exports_backend_seatbelt = {};
+__export(exports_backend_seatbelt, {
+  SeatbeltBackend: () => SeatbeltBackend
+});
+import { mkdirSync, writeFileSync } from "fs";
+import { resolve as resolve3 } from "path";
+
+class SeatbeltBackend {
+  kind = "macos-seatbelt";
+  binaryPath;
+  config;
+  ctx;
+  resolvedPaths;
+  constructor(binaryPath, config, ctx, resolvedPaths) {
+    this.binaryPath = binaryPath;
+    this.config = config;
+    this.ctx = ctx;
+    this.resolvedPaths = resolvedPaths;
+  }
+  wrap(options) {
+    const profilePath = this.writeSeatbeltProfile(options);
+    return {
+      command: [this.binaryPath, "-f", profilePath, ...options.command],
+      enabled: true,
+      backend: "macos-seatbelt",
+      profilePath
+    };
+  }
+  writeSeatbeltProfile(options) {
+    const sandboxDir = resolve3(options.runtime.rootDir, "sandbox");
+    mkdirSync(sandboxDir, { recursive: true });
+    const profilePath = resolve3(sandboxDir, "seatbelt.sb");
+    const profile = this.renderProfile(options);
+    writeFileSync(profilePath, `${profile}
+`, "utf-8");
+    return profilePath;
+  }
+  renderProfile(options) {
+    const { runtime, projectRoot } = options;
+    const { ctx, resolvedPaths, config } = this;
+    const workspaceReal = ctx.realPath(runtime.workspaceDir);
+    const runtimeRootReal = ctx.realPath(runtime.rootDir);
+    const homeReal = ctx.realPath(runtime.homeDir);
+    const tmpReal = ctx.realPath(runtime.tmpDir);
+    const cacheReal = ctx.realPath(runtime.cacheDir);
+    const hostGitDirs = resolveHostGitMetadataPaths(projectRoot, runtime.workspaceDir);
+    const hostRepoRoots = resolveHostRepoRootPaths(projectRoot).map((repoRoot) => ctx.realPath(repoRoot));
+    const bunDir = ctx.realPath(resolvedPaths.bunDir);
+    const claudeDir = resolvedPaths.claudeDir ? ctx.realPath(resolvedPaths.claudeDir) : null;
+    const allowNetwork = resolveNetworkWithPolicy(config, process.env.RIG_RUNTIME_SANDBOX_NETWORK);
+    const lines = [
+      "(version 1)",
+      "(deny default)",
+      '(import "system.sb")',
+      "(allow process*)",
+      "(allow process-info*)",
+      "(allow signal)",
+      "(allow sysctl-read)",
+      "(allow file-read-metadata)"
+    ];
+    if (allowNetwork) {
+      lines.push("(allow network*)");
+    }
+    for (const sysPath of [
+      "/usr/lib",
+      "/usr/bin",
+      "/usr/sbin",
+      "/usr/share",
+      "/bin",
+      "/sbin",
+      "/System",
+      "/Library",
+      "/Library/Frameworks",
+      "/Library/Developer",
+      "/Library/Apple",
+      "/Applications",
+      "/private/var/db",
+      "/opt/homebrew"
+    ]) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(sysPath)}))`);
+    }
+    lines.push(`(allow file-read* (subpath ${seatbeltString(bunDir)}))`);
+    if (claudeDir) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(claudeDir)}))`);
+    }
+    if (resolvedPaths.nodeDir) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(resolvedPaths.nodeDir)}))`);
+    }
+    for (const depPath of resolvedPaths.depRoots) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(depPath)}))`);
+    }
+    for (const rwPath of uniq([
+      workspaceReal,
+      runtimeRootReal,
+      homeReal,
+      tmpReal,
+      cacheReal
+    ])) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(rwPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(rwPath)}))`);
+    }
+    for (const gitPath of hostGitDirs) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(gitPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(gitPath)}))`);
+    }
+    const projectRootReal = ctx.realPath(projectRoot);
+    if (projectRootReal !== workspaceReal && !projectRootReal.startsWith(workspaceReal + "/")) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(projectRootReal)}))`);
+    }
+    for (const repoRoot of hostRepoRoots) {
+      if (!ctx.pathExists(repoRoot) || repoRoot === workspaceReal || repoRoot.startsWith(workspaceReal + "/") || repoRoot === projectRootReal || repoRoot.startsWith(projectRootReal + "/")) {
+        continue;
+      }
+      lines.push(`(allow file-read* (subpath ${seatbeltString(repoRoot)}))`);
+    }
+    const realHome = process.env.HOME?.trim();
+    if (realHome) {
+      for (const binSubdir of [".local/bin", ".cargo/bin"]) {
+        const binPath = resolve3(realHome, binSubdir);
+        if (ctx.pathExists(binPath)) {
+          lines.push(`(allow file-read* (subpath ${seatbeltString(ctx.realPath(binPath))}))`);
+        }
+      }
+    }
+    for (const tempPath of [
+      "/dev",
+      "/tmp",
+      "/private/tmp",
+      "/var/folders",
+      "/private/var/folders"
+    ]) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(tempPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(tempPath)}))`);
+    }
+    return lines.join(`
+`);
+  }
+}
+var init_backend_seatbelt = __esm(() => {
+  init_utils();
+});
+
+// packages/isolation-plugin/src/sandbox/backend-bwrap.ts
+var exports_backend_bwrap = {};
+__export(exports_backend_bwrap, {
+  BwrapBackend: () => BwrapBackend
+});
+import { mkdirSync as mkdirSync2 } from "fs";
+import { resolve as resolve4 } from "path";
+
+class BwrapBackend {
+  kind = "linux-bwrap";
+  binaryPath;
+  config;
+  ctx;
+  resolvedPaths;
+  which;
+  constructor(binaryPath, config, ctx, resolvedPaths, which) {
+    this.binaryPath = binaryPath;
+    this.config = config;
+    this.ctx = ctx;
+    this.resolvedPaths = resolvedPaths;
+    this.which = which ?? ((bin) => Bun.which(bin));
+  }
+  wrap(options) {
+    const command = this.buildCommand(options);
+    return {
+      command,
+      enabled: true,
+      backend: "linux-bwrap"
+    };
+  }
+  buildCommand(options) {
+    const { runtime, projectRoot, command } = options;
+    const { ctx, resolvedPaths, config } = this;
+    const workspaceReal = ctx.realPath(runtime.workspaceDir);
+    const runtimeRootReal = ctx.realPath(runtime.rootDir);
+    const homeReal = ctx.realPath(runtime.homeDir);
+    const tmpReal = ctx.realPath(runtime.tmpDir);
+    const cacheReal = ctx.realPath(runtime.cacheDir);
+    const hostGitDirs = resolveHostGitMetadataPaths(projectRoot, runtime.workspaceDir);
+    const hostRepoRoots = resolveHostRepoRootPaths(projectRoot).map((repoRoot) => ctx.realPath(repoRoot));
+    const bunDir = ctx.realPath(resolvedPaths.bunDir);
+    const claudeDir = resolvedPaths.claudeDir ? ctx.realPath(resolvedPaths.claudeDir) : null;
+    const allowNetwork = resolveNetworkWithPolicy(config, process.env.RIG_RUNTIME_SANDBOX_NETWORK);
+    const args = [
+      this.binaryPath,
+      "--die-with-parent",
+      "--new-session",
+      "--unshare-pid",
+      "--tmpfs",
+      "/",
+      "--ro-bind",
+      "/usr",
+      "/usr",
+      "--ro-bind",
+      "/bin",
+      "/bin",
+      "--ro-bind",
+      "/sbin",
+      "/sbin"
+    ];
+    for (const libPath of ["/lib", "/lib64"]) {
+      if (ctx.pathExists(libPath)) {
+        args.push("--ro-bind", libPath, libPath);
+      }
+    }
+    for (const etcEntry of [
+      "/etc/ld.so.cache",
+      "/etc/ld.so.conf",
+      "/etc/ld.so.conf.d",
+      "/etc/resolv.conf",
+      "/etc/hosts",
+      "/etc/nsswitch.conf",
+      "/etc/gai.conf",
+      "/etc/host.conf",
+      "/etc/ssl",
+      "/etc/ca-certificates",
+      "/etc/pki",
+      "/etc/passwd",
+      "/etc/group",
+      "/etc/localtime",
+      "/etc/timezone",
+      "/etc/locale.conf",
+      "/etc/default/locale"
+    ]) {
+      if (ctx.pathExists(etcEntry)) {
+        args.push("--ro-bind", etcEntry, etcEntry);
+      }
+    }
+    if (ctx.pathExists("/run/systemd/resolve")) {
+      args.push("--ro-bind", "/run/systemd/resolve", "/run/systemd/resolve");
+    }
+    if (ctx.pathExists("/run/nscd")) {
+      args.push("--ro-bind", "/run/nscd", "/run/nscd");
+    }
+    args.push("--ro-bind", bunDir, bunDir);
+    if (claudeDir) {
+      args.push("--ro-bind", claudeDir, claudeDir);
+    }
+    if (resolvedPaths.nodeDir && ctx.pathExists(resolvedPaths.nodeDir)) {
+      args.push("--ro-bind", resolvedPaths.nodeDir, resolvedPaths.nodeDir);
+    }
+    for (const depPath of resolvedPaths.depRoots) {
+      if (ctx.pathExists(depPath)) {
+        args.push("--ro-bind", depPath, depPath);
+      }
+    }
+    const projectRootReal = ctx.realPath(projectRoot);
+    if (projectRootReal !== workspaceReal && !projectRootReal.startsWith(workspaceReal + "/") && ctx.pathExists(projectRootReal)) {
+      args.push("--ro-bind", projectRootReal, projectRootReal);
+    }
+    for (const repoRoot of hostRepoRoots) {
+      if (!ctx.pathExists(repoRoot) || repoRoot === workspaceReal || repoRoot.startsWith(workspaceReal + "/") || repoRoot === projectRootReal || repoRoot.startsWith(projectRootReal + "/")) {
+        continue;
+      }
+      args.push("--ro-bind", repoRoot, repoRoot);
+    }
+    args.push("--bind", workspaceReal, workspaceReal);
+    args.push("--bind", runtimeRootReal, runtimeRootReal);
+    for (const rwPath of uniq([homeReal, tmpReal, cacheReal])) {
+      if (rwPath !== runtimeRootReal && !rwPath.startsWith(runtimeRootReal + "/")) {
+        args.push("--bind", rwPath, rwPath);
+      }
+    }
+    for (const gitPath of hostGitDirs) {
+      if (!ctx.pathExists(gitPath))
+        continue;
+      if (gitPath === runtimeRootReal || gitPath.startsWith(runtimeRootReal + "/"))
+        continue;
+      if (gitPath === workspaceReal || gitPath.startsWith(workspaceReal + "/"))
+        continue;
+      args.push("--bind", gitPath, gitPath);
+    }
+    const realHome = process.env.HOME?.trim();
+    if (realHome) {
+      for (const binSubdir of [".local/bin", ".local/lib", ".cargo/bin"]) {
+        const binPath = ctx.realPath(resolve4(realHome, binSubdir));
+        if (ctx.pathExists(binPath)) {
+          args.push("--ro-bind", binPath, binPath);
+        }
+      }
+      const agentSshDir = resolve4(homeReal, ".ssh");
+      if (ctx.pathExists(agentSshDir)) {
+        args.push("--ro-bind", agentSshDir, agentSshDir);
+      } else {
+        const hostSshDir = resolve4(realHome, ".ssh");
+        if (ctx.pathExists(hostSshDir)) {
+          mkdirSync2(agentSshDir, { recursive: true });
+          args.push("--ro-bind", hostSshDir, agentSshDir);
+          args.push("--ro-bind", hostSshDir, hostSshDir);
+        }
+      }
+    }
+    args.push("--proc", "/proc");
+    args.push("--dev", "/dev");
+    args.push("--tmpfs", "/tmp");
+    args.push("--unsetenv", "CLAUDECODE");
+    args.push("--setenv", "HOME", homeReal);
+    args.push("--setenv", "TMPDIR", "/tmp");
+    args.push("--chdir", workspaceReal);
+    if (!allowNetwork) {
+      args.push("--unshare-net");
+    }
+    args.push("--", ...this.resolveCommandBinary(command));
+    return args;
+  }
+  resolveCommandBinary(command) {
+    if (command.length === 0)
+      return command;
+    const [bin, ...rest] = command;
+    if (!bin)
+      return command;
+    const resolved = this.which(bin);
+    if (!resolved)
+      return command;
+    try {
+      const { realpathSync: realpathSync2 } = __require("fs");
+      const resolvedBinary = realpathSync2(resolved);
+      return [resolvedBinary, ...rest];
+    } catch {
+      return [resolved, ...rest];
+    }
+  }
+}
+var init_backend_bwrap = __esm(() => {
+  init_utils();
+});
+
+// packages/isolation-plugin/src/isolation/runner.ts
+import { existsSync as existsSync8, rmSync as rmSync3, writeFileSync as writeFileSync4 } from "fs";
+import { basename as basename2, resolve as resolve12 } from "path";
+
+// packages/isolation-plugin/src/sandbox/backend.ts
+import { existsSync as existsSync3 } from "fs";
+
+// packages/isolation-plugin/src/runtime-config.ts
+import { existsSync, readFileSync, statSync } from "fs";
+import { resolve } from "path";
+import {
+  POLICY_VERSION
+} from "@rig/contracts";
+var DEFAULT_SCOPE = {
+  fail_closed: true,
+  harness_paths_exempt: true,
+  runtime_paths_exempt: true
+};
+var DEFAULT_SANDBOX = {
+  mode: "enforce",
+  network: true,
+  read_deny: [],
+  write_allow_from_runtime: true
+};
+var DEFAULT_ISOLATION = {
+  default_mode: "worktree",
+  repo_symlink_fallback: false,
+  strict_provisioning: true,
+  fail_closed_on_provision_error: true
+};
+var DEFAULT_COMPLETION = {
+  derive_checks_from_scope: true,
+  checks: [],
+  typescript_config_probe: ["tsconfig.json"],
+  eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+};
+var DEFAULT_RUNTIME_IMAGE = {
+  deps: { monorepo_install: false, hp_next_install: false },
+  plugins_require_binaries: true
+};
+var DEFAULT_RUNTIME_SNAPSHOT = { enabled: true };
+var policyCache = null;
+var policyCachePath = null;
+function loadSandboxConfig(projectRoot) {
+  return loadPolicy(projectRoot).sandbox;
+}
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+function loadPolicy(projectRoot) {
+  const configPath = resolve(projectRoot, "rig/policy/policy.json");
+  if (!existsSync(configPath))
+    return defaultPolicy();
+  let mtimeMs;
+  try {
+    mtimeMs = statSync(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  try {
+    const config = mergeWithDefaults(JSON.parse(readFileSync(configPath, "utf-8")));
+    policyCache = { mtimeMs, config };
+    policyCachePath = configPath;
+    return config;
+  } catch {
+    return defaultPolicy();
+  }
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode))
+    base.mode = parsed.mode;
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const scope = parsed.scope;
+    if (typeof scope.fail_closed === "boolean")
+      base.scope.fail_closed = scope.fail_closed;
+    if (typeof scope.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = scope.harness_paths_exempt;
+    if (typeof scope.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = scope.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules))
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sandbox = parsed.sandbox;
+    if (typeof sandbox.mode === "string" && isValidMode(sandbox.mode))
+      base.sandbox.mode = sandbox.mode;
+    if (typeof sandbox.network === "boolean")
+      base.sandbox.network = sandbox.network;
+    if (Array.isArray(sandbox.read_deny))
+      base.sandbox.read_deny = sandbox.read_deny.filter((value) => typeof value === "string");
+    if (typeof sandbox.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sandbox.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const isolation = parsed.isolation;
+    if (isolation.default_mode === "worktree")
+      base.isolation.default_mode = isolation.default_mode;
+    if (typeof isolation.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = isolation.repo_symlink_fallback;
+    if (typeof isolation.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = isolation.strict_provisioning;
+    if (typeof isolation.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = isolation.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const completion = parsed.completion;
+    if (typeof completion.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = completion.derive_checks_from_scope;
+    if (Array.isArray(completion.checks))
+      base.completion.checks = completion.checks.filter((value) => typeof value === "string");
+    if (Array.isArray(completion.typescript_config_probe))
+      base.completion.typescript_config_probe = completion.typescript_config_probe.filter((value) => typeof value === "string");
+    if (Array.isArray(completion.eslint_config_probe))
+      base.completion.eslint_config_probe = completion.eslint_config_probe.filter((value) => typeof value === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean")
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      if (typeof deps.hp_next_install === "boolean")
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean")
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean")
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const rule = value;
+  return typeof rule.id === "string" && typeof rule.category === "string" && !!rule.match && typeof rule.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    const rule = {
+      id: entry.id,
+      category: "command",
+      match,
+      action: entry.action === "warn" ? "warn" : "block"
+    };
+    if (typeof entry.reason === "string") {
+      rule.description = entry.reason;
+    }
+    rules.push(rule);
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiled = { ...rule };
+    const matchRegex = compileRegex(rule.match?.regex);
+    const unlessRegex = compileRegex(rule.unless?.regex);
+    if (matchRegex) {
+      compiled.compiledRegex = matchRegex;
+    }
+    if (unlessRegex) {
+      compiled.compiledUnlessRegex = unlessRegex;
+    }
+    return compiled;
+  });
+}
+function compileRegex(pattern) {
+  if (!pattern)
+    return;
+  try {
+    return new RegExp(pattern);
+  } catch {
+    return;
+  }
+}
+
+// packages/isolation-plugin/src/sandbox/backend.ts
+init_utils();
+import {
+  resolveBunInstallDir,
+  resolveClaudeInstallDir,
+  resolveNodeInstallDir,
+  resolveRuntimeDependencyRoots
+} from "@rig/core/runtime-paths";
+
+// packages/isolation-plugin/src/sandbox/backend-none.ts
+class NoSandboxBackend {
+  kind = "none";
+  reason;
+  constructor(reason) {
+    this.reason = reason;
+  }
+  wrap(options) {
+    return {
+      command: options.command,
+      enabled: false,
+      backend: "none",
+      ...this.reason !== undefined ? { reason: this.reason } : {}
+    };
+  }
+}
+
+// packages/isolation-plugin/src/sandbox/backend.ts
+class SandboxError extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+    this.name = "SandboxError";
+  }
+}
+function resolveRuntimeSandboxModeWithPolicy(sandboxConfig, envOverride) {
+  if (envOverride) {
+    const normalized = envOverride.trim().toLowerCase();
+    if (normalized === "off" || normalized === "auto" || normalized === "enforce") {
+      if (normalized !== sandboxConfig.mode) {
+        console.warn(`[sandbox] RIG_RUNTIME_SANDBOX=${normalized} overrides policy sandbox.mode=${sandboxConfig.mode}`);
+      }
+      return normalized;
+    }
+  }
+  const policyMode = sandboxConfig.mode;
+  if (policyMode === "off")
+    return "off";
+  if (policyMode === "observe")
+    return "auto";
+  return "enforce";
+}
+var bwrapProbeCache = null;
+async function probeBubblewrap(binary) {
+  if (bwrapProbeCache !== null) {
+    return bwrapProbeCache;
+  }
+  const probe = await Bun.$`${binary} ${["--ro-bind", "/", "/", "--proc", "/proc", "--dev", "/dev", "--", "true"]}`.quiet().nothrow();
+  bwrapProbeCache = probe.exitCode === 0;
+  return bwrapProbeCache;
+}
+async function resolveBackend(projectRoot, options) {
+  const config = loadSandboxConfig(projectRoot);
+  const mode = resolveRuntimeSandboxModeWithPolicy(config, options?.envOverride);
+  const probed = [];
+  if (mode === "off") {
+    return {
+      backend: new NoSandboxBackend,
+      selectedKind: "none",
+      probed,
+      reason: "disabled-by-config"
+    };
+  }
+  const explicitBackend = options?.backendOverride ?? process.env.RIG_SANDBOX_BACKEND?.trim().toLowerCase();
+  const requestedBackend = resolveExplicitBackend(explicitBackend);
+  if (requestedBackend) {
+    if (requestedBackend === "docker") {
+      throw new SandboxError("backend-unavailable", `Backend "docker" is not yet implemented.`);
+    }
+    if (requestedBackend === "none") {
+      return {
+        backend: new NoSandboxBackend("explicit-none"),
+        selectedKind: "none",
+        probed,
+        reason: "explicit-none"
+      };
+    }
+  }
+  const bunDir = resolveBunInstallDir();
+  const claudeDir = (() => {
+    try {
+      return resolveClaudeInstallDir();
+    } catch {
+      return null;
+    }
+  })();
+  const nodeDir = resolveNodeInstallDir();
+  const depRoots = resolveRuntimeDependencyRoots([bunDir, claudeDir, nodeDir].filter(Boolean));
+  const resolvedPaths = {
+    bunDir,
+    claudeDir,
+    nodeDir,
+    depRoots
+  };
+  const fsContext = {
+    pathExists: (p) => existsSync3(p),
+    realPath: toRealPath
+  };
+  if (process.platform === "darwin" && (!requestedBackend || requestedBackend === "macos-seatbelt")) {
+    const seatbelt = Bun.which("sandbox-exec");
+    probed.push("sandbox-exec");
+    if (seatbelt && existsSync3(seatbelt)) {
+      const SeatbeltBackendClass = loadSeatbeltBackend();
+      if (SeatbeltBackendClass) {
+        return {
+          backend: new SeatbeltBackendClass(seatbelt, config, fsContext, resolvedPaths),
+          selectedKind: "macos-seatbelt",
+          probed,
+          reason: "detected-seatbelt"
+        };
+      }
+      return handleUnavailableBackend(mode, probed, "macos-seatbelt", "Seatbelt sandbox backend module failed to load.", "seatbelt-backend-module-unavailable", { explicit: requestedBackend === "macos-seatbelt" });
+    }
+  }
+  if (process.platform === "linux" && (!requestedBackend || requestedBackend === "linux-bwrap")) {
+    const bwrap = Bun.which("bwrap");
+    probed.push("bwrap");
+    if (bwrap && await probeBubblewrap(bwrap)) {
+      const BwrapBackendClass = loadBwrapBackend();
+      if (BwrapBackendClass) {
+        return {
+          backend: new BwrapBackendClass(bwrap, config, fsContext, resolvedPaths),
+          selectedKind: "linux-bwrap",
+          probed,
+          reason: "detected-bwrap"
+        };
+      }
+      return handleUnavailableBackend(mode, probed, "linux-bwrap", "Bubblewrap sandbox backend module failed to load.", "bwrap-backend-module-unavailable", { explicit: requestedBackend === "linux-bwrap" });
+    }
+  }
+  if (requestedBackend) {
+    return handleUnavailableBackend(mode, probed, requestedBackend, `Explicit sandbox backend "${requestedBackend}" is unavailable on ${process.platform}.`, "explicit-backend-unavailable", { explicit: true });
+  }
+  if (mode === "enforce") {
+    throw new SandboxError("backend-unavailable", `Runtime sandbox required (mode=enforce) but no backend available. Probed: ${probed.join(", ")}`);
+  }
+  return {
+    backend: new NoSandboxBackend("sandbox-backend-unavailable"),
+    selectedKind: "none",
+    probed,
+    reason: "sandbox-backend-unavailable"
+  };
+}
+function resolveExplicitBackend(explicitBackend) {
+  if (!explicitBackend) {
+    return null;
+  }
+  switch (explicitBackend) {
+    case "none":
+    case "macos-seatbelt":
+    case "linux-bwrap":
+    case "docker":
+      return explicitBackend;
+    default:
+      throw new SandboxError("backend-unavailable", `Unknown sandbox backend "${explicitBackend}".`);
+  }
+}
+function loadSeatbeltBackend() {
+  try {
+    const mod = (init_backend_seatbelt(), __toCommonJS(exports_backend_seatbelt));
+    return mod.SeatbeltBackend ?? null;
+  } catch {
+    return null;
+  }
+}
+function loadBwrapBackend() {
+  try {
+    const mod = (init_backend_bwrap(), __toCommonJS(exports_backend_bwrap));
+    return mod.BwrapBackend ?? null;
+  } catch {
+    return null;
+  }
+}
+function handleUnavailableBackend(mode, probed, detectedKind, message, reason, options) {
+  if (mode === "enforce" || options?.explicit) {
+    throw new SandboxError("backend-unavailable", `${message} Probed: ${probed.join(", ")}`);
+  }
+  return {
+    backend: new NoSandboxBackend(reason),
+    selectedKind: "none",
+    probed,
+    reason: `${reason}:${detectedKind}`
+  };
+}
+
+// packages/isolation-plugin/src/sandbox/orchestrator.ts
+function shouldSandboxRuntime(_runtime) {
+  return true;
+}
+async function wrapWithRuntimeSandbox(options) {
+  const envOverride = process.env.RIG_RUNTIME_SANDBOX;
+  const resolution = await resolveBackend(options.projectRoot, { ...envOverride !== undefined ? { envOverride } : {} });
+  if (resolution.backend.kind === "none") {
+    const plan = resolution.backend.wrap({
+      projectRoot: options.projectRoot,
+      runtime: options.runtime,
+      command: options.command
+    });
+    return {
+      ...plan,
+      reason: plan.reason ?? resolution.reason
+    };
+  }
+  if (!shouldSandboxRuntime(options.runtime)) {
+    return {
+      command: options.command,
+      enabled: false,
+      backend: "none",
+      reason: "runtime-mode-not-sandboxed"
+    };
+  }
+  return resolution.backend.wrap({
+    projectRoot: options.projectRoot,
+    runtime: options.runtime,
+    command: options.command
+  });
+}
+
+// packages/isolation-plugin/src/isolation/home.ts
+import {
+  chmodSync,
+  copyFileSync as copyFileSync2,
+  cpSync,
+  existsSync as existsSync7,
+  mkdirSync as mkdirSync5,
+  readFileSync as readFileSync4,
+  statSync as statSync4,
+  writeFileSync as writeFileSync3
+} from "fs";
+import { mkdir } from "fs/promises";
+import { basename, delimiter, resolve as resolve9 } from "path";
+import { resolveBunBinaryPath, resolveBunInstallDir as resolveBunInstallDir2, resolveClaudeBinaryPath, resolveClaudeInstallDir as resolveClaudeInstallDir2, resolveNodeInstallDir as resolveNodeInstallDir2 } from "@rig/core/runtime-paths";
+import { resolveRuntimeSecrets } from "@rig/core/baked-secrets";
+
+// packages/isolation-plugin/src/runtime-native.ts
+import { dlopen, ptr, suffix, toBuffer } from "bun:ffi";
+import { copyFileSync, existsSync as existsSync5, mkdirSync as mkdirSync4, renameSync as renameSync2, rmSync, statSync as statSync3 } from "fs";
+import { tmpdir as tmpdir2 } from "os";
+import { dirname, resolve as resolve6 } from "path";
+
+// packages/isolation-plugin/src/native-extract.ts
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, renameSync, statSync as statSync2, writeFileSync as writeFileSync2 } from "fs";
+import { tmpdir } from "os";
+import { resolve as resolve5 } from "path";
+
+// packages/isolation-plugin/src/embedded-native-assets.ts
+var embeddedNatives = null;
+
+// packages/isolation-plugin/src/native-extract.ts
+var sharedNativeOutputDir = resolve5(tmpdir(), "rig-native");
+var extractionCache = {};
+function extractEmbeddedNative(name) {
+  if (name in extractionCache) {
+    return extractionCache[name] ?? null;
+  }
+  const entry = embeddedNatives?.[name];
+  if (!entry) {
+    extractionCache[name] = null;
+    return null;
+  }
+  try {
+    const targetPath = resolve5(sharedNativeOutputDir, entry.fileName);
+    mkdirSync3(sharedNativeOutputDir, { recursive: true });
+    const upToDate = existsSync4(targetPath) && statSync2(targetPath).size === entry.size;
+    if (!upToDate) {
+      const bytes = readFileSync2(entry.filePath);
+      const tempPath = `${targetPath}.${process.pid}.${Date.now()}.tmp`;
+      writeFileSync2(tempPath, bytes, { mode: 493 });
+      renameSync(tempPath, targetPath);
+    }
+    extractionCache[name] = targetPath;
+  } catch {
+    extractionCache[name] = null;
+  }
+  return extractionCache[name] ?? null;
+}
+
+// packages/isolation-plugin/src/runtime-native.ts
+var sharedNativeRuntimeOutputDir = resolve6(tmpdir2(), "rig-native");
+var sharedNativeRuntimeOutputPath = resolve6(sharedNativeRuntimeOutputDir, `runtime-native-${process.platform}-${process.arch}.${suffix}`);
+var colocatedNativeRuntimeFileName = `runtime-native.${suffix}`;
+var nativeRuntimeLibrary = await loadNativeRuntimeLibrary();
+async function ensureNativeRuntimeLibraryPath(outputPath = sharedNativeRuntimeOutputPath, options = {}) {
+  const explicitLib = process.env.RIG_NATIVE_RUNTIME_LIB?.trim();
+  if (explicitLib && existsSync5(explicitLib)) {
+    return explicitLib;
+  }
+  const embeddedPath = extractEmbeddedNative("snapshot");
+  if (embeddedPath) {
+    return embeddedPath;
+  }
+  if (await buildNativeRuntimeLibrary(outputPath, options)) {
+    return outputPath;
+  }
+  return !options.force && existsSync5(outputPath) ? outputPath : null;
+}
+async function materializeNativeRuntimeLibrary(targetDir) {
+  const sourcePath = await ensureNativeRuntimeLibraryPath();
+  if (!sourcePath) {
+    return null;
+  }
+  const targetPath = resolve6(targetDir, colocatedNativeRuntimeFileName);
+  mkdirSync4(targetDir, { recursive: true });
+  const needsCopy = !existsSync5(targetPath) || statSync3(sourcePath).mtimeMs > statSync3(targetPath).mtimeMs;
+  if (needsCopy) {
+    copyFileSync(sourcePath, targetPath);
+  }
+  return targetPath;
+}
+async function loadNativeRuntimeLibrary() {
+  if (process.env.RIG_DISABLE_ZIG_NATIVE === "1") {
+    return null;
+  }
+  const explicitLib = process.env.RIG_NATIVE_RUNTIME_LIB?.trim();
+  if (explicitLib && existsSync5(explicitLib)) {
+    const loaded = tryDlopenNativeRuntimeLibrary(explicitLib);
+    if (loaded) {
+      return loaded;
+    }
+  }
+  const embeddedPath = extractEmbeddedNative("snapshot");
+  if (embeddedPath) {
+    const loaded = tryDlopenNativeRuntimeLibrary(embeddedPath);
+    if (loaded) {
+      return loaded;
+    }
+  }
+  for (const candidate of nativeRuntimeLibraryCandidates()) {
+    if (!candidate || !existsSync5(candidate)) {
+      continue;
+    }
+    const loaded = tryDlopenNativeRuntimeLibrary(candidate);
+    if (loaded) {
+      return loaded;
+    }
+  }
+  const builtLibraryPath = await ensureNativeRuntimeLibraryPath(sharedNativeRuntimeOutputPath, { force: true });
+  if (!builtLibraryPath) {
+    return null;
+  }
+  return tryDlopenNativeRuntimeLibrary(builtLibraryPath);
+}
+function nativePackageLibraryCandidates(fromDir, names) {
+  const candidates = [];
+  let cursor = resolve6(fromDir);
+  for (let index = 0;index < 8; index += 1) {
+    for (const name of names) {
+      candidates.push(resolve6(cursor, "native", `${process.platform}-${process.arch}`, name), resolve6(cursor, "native", `${process.platform}-${process.arch}`, "lib", name), resolve6(cursor, "native", name), resolve6(cursor, "native", "lib", name));
+    }
+    const parent = dirname(cursor);
+    if (parent === cursor)
+      break;
+    cursor = parent;
+  }
+  return candidates;
+}
+function nativeRuntimeLibraryCandidates() {
+  const explicit = process.env.RIG_NATIVE_RUNTIME_LIB?.trim() || "";
+  const execDir = process.execPath?.trim() ? dirname(process.execPath.trim()) : "";
+  const platformSpecific = `runtime-native-${process.platform}-${process.arch}.${suffix}`;
+  return [...new Set([
+    explicit,
+    ...nativePackageLibraryCandidates(import.meta.dir, [colocatedNativeRuntimeFileName, platformSpecific]),
+    execDir ? resolve6(execDir, colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve6(execDir, platformSpecific) : "",
+    execDir ? resolve6(execDir, "..", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve6(execDir, "..", platformSpecific) : "",
+    execDir ? resolve6(execDir, "lib", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve6(execDir, "..", "lib", colocatedNativeRuntimeFileName) : "",
+    sharedNativeRuntimeOutputPath
+  ].filter(Boolean))];
+}
+function resolveNativeRuntimeSourcePath() {
+  const explicit = process.env.RIG_NATIVE_RUNTIME_SOURCE?.trim();
+  if (explicit && existsSync5(explicit)) {
+    return explicit;
+  }
+  const bundled = resolve6(import.meta.dir, "../native/snapshot.zig");
+  return existsSync5(bundled) ? bundled : null;
+}
+async function buildNativeRuntimeLibrary(outputPath, options = {}) {
+  if (process.env.RIG_DISABLE_ZIG_NATIVE === "1") {
+    return false;
+  }
+  const zigBinary = Bun.which("zig");
+  const sourcePath = resolveNativeRuntimeSourcePath();
+  if (!zigBinary || !sourcePath) {
+    return false;
+  }
+  const tempOutputPath = `${outputPath}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2)}.tmp`;
+  try {
+    mkdirSync4(dirname(outputPath), { recursive: true });
+    const needsBuild = options.force === true || !existsSync5(outputPath) || statSync3(sourcePath).mtimeMs > statSync3(outputPath).mtimeMs;
+    if (!needsBuild) {
+      return true;
+    }
+    const build = Bun.spawn([
+      zigBinary,
+      "build-lib",
+      sourcePath,
+      "-dynamic",
+      "-O",
+      "ReleaseFast",
+      `-femit-bin=${tempOutputPath}`
+    ], {
+      cwd: import.meta.dir,
+      stdout: "pipe",
+      stderr: "pipe"
+    });
+    const exitCode = await build.exited;
+    if (exitCode !== 0 || !existsSync5(tempOutputPath)) {
+      rmSync(tempOutputPath, { force: true });
+      return false;
+    }
+    renameSync2(tempOutputPath, outputPath);
+    return true;
+  } catch {
+    rmSync(tempOutputPath, { force: true });
+    return false;
+  }
+}
+function tryDlopenNativeRuntimeLibrary(outputPath) {
+  try {
+    return dlopen(outputPath, {
+      rig_scope_match: {
+        args: ["ptr", "ptr"],
+        returns: "u8"
+      },
+      snapshot_capture: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_delta: {
+        args: ["ptr", "ptr"],
+        returns: "ptr"
+      },
+      snapshot_store_delta: {
+        args: ["ptr", "ptr", "ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_inspect_delta: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_apply_delta: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_release: {
+        args: ["ptr"],
+        returns: "void"
+      },
+      runtime_hash_file: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_hash_tree: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_prepare_paths: {
+        args: ["ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_link_dependency_layer: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_scan_worktrees: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      }
+    });
+  } catch {
+    return null;
+  }
+}
+
+// packages/isolation-plugin/src/isolation/home.ts
+import { browserEnvFromContext, loadRuntimeContext, runtimeMemoryEnvFromContext, RUNTIME_CONTEXT_ENV } from "@rig/core/runtime-context";
+
+// packages/isolation-plugin/src/isolation/shared.ts
+import { existsSync as existsSync6, readFileSync as readFileSync3, rmSync as rmSync2 } from "fs";
+import { resolve as resolve7 } from "path";
+import { agentId, safeGitRefComponent, taskRuntimeId } from "@rig/core/safe-identifiers";
+import { resolveCheckoutRoot } from "@rig/core/checkout-root";
+function isRuntimeGatewayGitPath(candidate) {
+  return /\/\.rig\/bin\/git$/.test(candidate.replace(/\\/g, "/"));
+}
+function isRuntimeGatewayGhPath(candidate) {
+  return /\/\.rig\/bin\/gh$/.test(candidate.replace(/\\/g, "/"));
+}
+function resolveHostGitBinary() {
+  const candidates = [
+    process.env.RIG_GIT_BIN?.trim() || "",
+    "/usr/bin/git",
+    "/opt/homebrew/bin/git",
+    "/usr/local/bin/git"
+  ];
+  const bunResolved = Bun.which("git");
+  if (bunResolved && !isRuntimeGatewayGitPath(bunResolved)) {
+    candidates.push(bunResolved);
+  }
+  for (const candidate of candidates) {
+    if (candidate && !isRuntimeGatewayGitPath(candidate) && existsSync6(candidate)) {
+      return candidate;
+    }
+  }
+  return "git";
+}
+function resolveGithubCliBinary(options = {}) {
+  const candidates = new Set;
+  const explicit = process.env.RIG_GH_BIN?.trim();
+  if (explicit) {
+    candidates.add(explicit);
+  }
+  for (const candidate of ["/usr/bin/gh", "/opt/homebrew/bin/gh", "/usr/local/bin/gh"]) {
+    candidates.add(candidate);
+  }
+  if (options.scanPath) {
+    for (const entry of (process.env.PATH || "").split(":").map((value) => value.trim()).filter(Boolean)) {
+      candidates.add(resolve7(entry, "gh"));
+    }
+  }
+  const bunResolved = Bun.which("gh");
+  if (bunResolved) {
+    candidates.add(bunResolved);
+  }
+  for (const candidate of candidates) {
+    if (candidate && existsSync6(candidate) && !isRuntimeGatewayGhPath(candidate)) {
+      return candidate;
+    }
+  }
+  return "";
+}
+var generatedCredentialFiles = new Set;
+function resolveMonorepoRoot2(projectRoot) {
+  return resolveCheckoutRoot(projectRoot);
+}
+async function runGitCommand(repoRoot, args) {
+  const gitBinary = resolveHostGitBinary();
+  return Bun.$`${gitBinary} -C ${repoRoot} ${args}`.quiet().nothrow();
+}
+function sanitizeRuntimeRefSegment(value) {
+  return safeGitRefComponent(value, { fallback: "runtime", maxLength: 64 });
+}
+async function resolveGithubCliAuthToken(ghBinary = "") {
+  const gh = ghBinary || resolveGithubCliBinary();
+  if (!gh) {
+    return "";
+  }
+  const auth = Bun.spawn([gh, "auth", "token"], {
+    stdout: "pipe",
+    stderr: "pipe"
+  });
+  const [exitCode, stdout] = await Promise.all([
+    auth.exited,
+    new Response(auth.stdout).text()
+  ]);
+  if (exitCode !== 0) {
+    return "";
+  }
+  return stdout.trim();
+}
+function resolveSystemCertBundlePath() {
+  const candidates = [
+    process.env.SSL_CERT_FILE?.trim(),
+    "/etc/ssl/cert.pem",
+    "/private/etc/ssl/cert.pem",
+    "/opt/homebrew/etc/openssl@3/cert.pem"
+  ];
+  for (const candidate of candidates) {
+    if (candidate && existsSync6(candidate)) {
+      return resolve7(candidate);
+    }
+  }
+  return "";
+}
+
+// packages/isolation-plugin/src/isolation/git-native.ts
+import { tmpdir as tmpdir3 } from "os";
+import { dirname as dirname2, isAbsolute, resolve as resolve8 } from "path";
+var sharedGitNativeOutputDir = resolve8(tmpdir3(), "rig-native");
+var sharedGitNativeOutputPath = resolve8(sharedGitNativeOutputDir, `rig-git-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+function runtimeRigGitFileName() {
+  return `rig-git${process.platform === "win32" ? ".exe" : ""}`;
+}
+
+// packages/isolation-plugin/src/isolation/home.ts
+var GITHUB_KNOWN_HOSTS = [
+  "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl",
+  "github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=",
+  "github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk="
+].join(`
+`);
+function authStateToken(env = process.env) {
+  const file = env.RIG_GITHUB_AUTH_STATE_FILE?.trim();
+  if (!file || !existsSync7(file))
+    return null;
+  try {
+    const parsed = JSON.parse(readFileSync4(file, "utf8"));
+    const token = typeof parsed.token === "string" ? parsed.token.trim() : "";
+    return token.length > 0 ? token : null;
+  } catch {
+    return null;
+  }
+}
+function resolveControlPlaneSourceRoot(projectRoot) {
+  const candidates = [
+    process.env.RIG_CONTROL_PLANE_SOURCE_ROOT?.trim(),
+    process.env.RIG_HOST_PROJECT_ROOT?.trim(),
+    resolve9(import.meta.dir, "../../../../.."),
+    projectRoot
+  ].filter((value) => Boolean(value));
+  for (const candidate of candidates) {
+    const root = resolve9(candidate);
+    if (existsSync7(resolve9(root, "packages/cli/bin/rig.ts"))) {
+      return root;
+    }
+  }
+  return "";
+}
+async function runtimeEnv(projectRoot, runtime) {
+  const bunBinaryPath = resolveBunBinaryPath();
+  const bunDir = resolveBunInstallDir2(bunBinaryPath);
+  const claudeBinaryPath = process.env.RIG_CLAUDE_PATH?.trim() || (() => {
+    try {
+      return resolveClaudeBinaryPath();
+    } catch {
+      return "";
+    }
+  })();
+  const claudeDir = claudeBinaryPath ? (() => {
+    try {
+      return resolveClaudeInstallDir2();
+    } catch {
+      return resolve9(claudeBinaryPath, "..");
+    }
+  })() : "";
+  const nodeDir = resolveNodeInstallDir2();
+  const hostGhBinary = resolveGithubCliBinary();
+  const runtimeCertBundlePath = await materializeRuntimeCertBundle(runtime);
+  const monorepoMainRoot = resolveMonorepoRoot2(projectRoot);
+  const realHome = process.env.HOME?.trim();
+  const inheritedPath = (process.env.PATH ?? "").split(delimiter).map((entry) => entry.trim()).filter(Boolean).filter((entry) => !entry.endsWith("/.rig/bin") && !entry.endsWith("/rig/tools"));
+  const pathEntries = [
+    runtime.binDir,
+    `${projectRoot}/rig/tools`,
+    `${bunDir}/bin`,
+    claudeDir,
+    nodeDir ? `${nodeDir}/bin` : "",
+    realHome ? resolve9(realHome, ".local/bin") : "",
+    realHome ? resolve9(realHome, ".cargo/bin") : "",
+    ...inheritedPath,
+    "/usr/local/bin",
+    "/usr/local/sbin",
+    "/opt/homebrew/bin",
+    "/opt/homebrew/sbin",
+    "/usr/bin",
+    "/bin",
+    "/usr/sbin",
+    "/sbin"
+  ].filter(Boolean);
+  const runtimeBash = resolve9(runtime.binDir, "bash");
+  const runtimeRigGit = resolve9(runtime.binDir, runtimeRigGitFileName());
+  const preferredShell = existsSync7(runtimeBash) ? runtimeBash : "/bin/bash";
+  const nativeRuntimeLibraryPath = await materializeNativeRuntimeLibrary(runtime.binDir);
+  const controlPlaneSourceRoot = resolveControlPlaneSourceRoot(projectRoot);
+  const env = {
+    PROJECT_RIG_ROOT: projectRoot,
+    RIG_HOST_PROJECT_ROOT: projectRoot,
+    ...controlPlaneSourceRoot ? { RIG_CONTROL_PLANE_SOURCE_ROOT: controlPlaneSourceRoot } : {},
+    HOME: runtime.homeDir,
+    TMPDIR: runtime.tmpDir,
+    XDG_CACHE_HOME: runtime.cacheDir,
+    XDG_STATE_HOME: runtime.stateDir,
+    RIG_AGENT_ID: runtime.id,
+    ...process.env.RIG_RUN_ID?.trim() ? { RIG_RUN_ID: process.env.RIG_RUN_ID.trim() } : {},
+    ...process.env.RIG_SERVER_RUN_ID?.trim() ? { RIG_SERVER_RUN_ID: process.env.RIG_SERVER_RUN_ID.trim() } : {},
+    ...process.env.RIG_SERVER_URL?.trim() ? { RIG_SERVER_URL: process.env.RIG_SERVER_URL.trim() } : {},
+    ...process.env.RIG_AUTH_TOKEN?.trim() ? { RIG_AUTH_TOKEN: process.env.RIG_AUTH_TOKEN.trim() } : {},
+    RIG_TASK_ID: runtime.taskId,
+    RIG_TASK_RUNTIME_ID: runtime.id,
+    RIG_TASK_WORKSPACE: runtime.workspaceDir,
+    RIG_TASK_RUNTIME_MODE: runtime.mode,
+    RIG_RUNTIME_MODE: runtime.mode,
+    RIG_RUNTIME_ADAPTER: "pi",
+    RIG_RUNTIME_HOME: runtime.rootDir,
+    RIG_RUNTIME_BIN_DIR: runtime.binDir,
+    ...existsSync7(runtimeRigGit) ? { RIG_NATIVE_GIT_BIN: runtimeRigGit } : {},
+    RIG_BUN_PATH: bunBinaryPath,
+    ...claudeBinaryPath ? { RIG_CLAUDE_PATH: claudeBinaryPath } : {},
+    RIG_AGENT_BIN: resolve9(runtime.binDir, "rig-agent"),
+    RIG_HOOKS_ACTIVE: "1",
+    RIG_AUTO_PR_ON_COMPLETE: "1",
+    RIG_POLICY_FILE: resolve9(projectRoot, "rig/policy/policy.json"),
+    RIG_STATE_DIR: runtime.stateDir,
+    RIG_LOGS_DIR: runtime.logsDir,
+    RIG_SESSION_FILE: resolve9(runtime.sessionDir, "session.json"),
+    MONOREPO_ROOT: runtime.workspaceDir,
+    MONOREPO_MAIN_ROOT: monorepoMainRoot,
+    TS_API_TESTS_DIR: resolve9(runtime.workspaceDir, "TSAPITests"),
+    BASH: preferredShell,
+    SHELL: preferredShell,
+    PATH: [...new Set(pathEntries)].join(delimiter),
+    LANG: process.env.LANG ?? "en_US.UTF-8",
+    TERM: process.env.TERM ?? "xterm-256color",
+    PYTHONDONTWRITEBYTECODE: "1",
+    PYTHONPYCACHEPREFIX: resolve9(runtime.cacheDir, "python"),
+    ...process.env.RIG_PR_BASE_PROJECT && { RIG_PR_BASE_PROJECT: process.env.RIG_PR_BASE_PROJECT },
+    ...process.env.RIG_PR_BASE_MONOREPO && { RIG_PR_BASE_MONOREPO: process.env.RIG_PR_BASE_MONOREPO },
+    CLAUDE_HOME: runtime.claudeHomeDir,
+    PI_CODING_AGENT_DIR: resolve9(runtime.homeDir, ".pi", "agent"),
+    OMP_SKIP_SETUP: "1",
+    [RUNTIME_CONTEXT_ENV]: runtime.contextFile,
+    ...nativeRuntimeLibraryPath ? { RIG_NATIVE_RUNTIME_LIB: nativeRuntimeLibraryPath } : {},
+    ...hostGhBinary ? { RIG_GH_BIN: hostGhBinary } : {},
+    ...runtimeCertBundlePath ? {
+      SSL_CERT_FILE: runtimeCertBundlePath,
+      CURL_CA_BUNDLE: runtimeCertBundlePath,
+      REQUESTS_CA_BUNDLE: runtimeCertBundlePath,
+      NODE_EXTRA_CA_CERTS: runtimeCertBundlePath
+    } : {}
+  };
+  const knownHostsPath = resolve9(runtime.homeDir, ".ssh", "known_hosts");
+  if (existsSync7(knownHostsPath)) {
+    const agentSshKey = resolve9(runtime.homeDir, ".ssh", "rig-agent-key");
+    const sshParts = [
+      "ssh",
+      `-o UserKnownHostsFile="${knownHostsPath}"`,
+      "-o StrictHostKeyChecking=yes",
+      "-F /dev/null"
+    ];
+    if (existsSync7(agentSshKey)) {
+      sshParts.splice(1, 0, `-i "${agentSshKey}"`, "-o IdentitiesOnly=yes");
+    }
+    env.GIT_SSH_COMMAND = sshParts.join(" ");
+  }
+  const persistedSecretsPath = resolve9(runtime.rootDir, "runtime-secrets.json");
+  if (existsSync7(persistedSecretsPath)) {
+    try {
+      const persisted = JSON.parse(readFileSync4(persistedSecretsPath, "utf8"));
+      if (persisted && typeof persisted === "object") {
+        for (const [key, value] of Object.entries(persisted)) {
+          if (key === "GITHUB_SSH_KEY")
+            continue;
+          if (typeof value === "string" && value && !env[key])
+            env[key] = value;
+        }
+      }
+    } catch {}
+  }
+  for (const [key, value] of Object.entries(resolveRuntimeSecrets(process.env))) {
+    if (key === "GITHUB_SSH_KEY") {
+      continue;
+    }
+    if (value) {
+      env[key] = value;
+    }
+  }
+  const authStateGithubToken = authStateToken(process.env) || "";
+  const explicitRigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  const rigGithubToken = explicitRigGithubToken || authStateGithubToken;
+  if (rigGithubToken) {
+    env.RIG_GITHUB_TOKEN = rigGithubToken;
+    env.GITHUB_TOKEN = rigGithubToken;
+    env.GH_TOKEN = rigGithubToken;
+  }
+  const fallbackGithubToken = !env.GITHUB_TOKEN && !env.GH_TOKEN ? await resolveGithubCliAuthToken(hostGhBinary) : "";
+  if (fallbackGithubToken) {
+    env.GITHUB_TOKEN = fallbackGithubToken;
+  }
+  if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
+    env.GITHUB_TOKEN = env.GH_TOKEN;
+  }
+  if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
+    env.GH_TOKEN = env.GITHUB_TOKEN;
+  }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
+  if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
+    env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
+  }
+  if (existsSync7(runtime.contextFile)) {
+    const runtimeContext = loadRuntimeContext(runtime.contextFile);
+    Object.assign(env, runtimeMemoryEnvFromContext(runtimeContext));
+    Object.assign(env, browserEnvFromContext(runtimeContext.browser));
+  }
+  persistRuntimeSecrets(runtime.rootDir, env);
+  return env;
+}
+function runtimeCommandEnv(baseEnv, command) {
+  const env = { ...baseEnv };
+  delete env.ENV;
+  delete env.BASH_ENV;
+  const executable = command[0]?.trim() ?? "";
+  const shellName = basename(executable);
+  const isPosixSh = executable === "/bin/sh" || shellName === "sh" || shellName === "dash";
+  if (isPosixSh) {
+    delete env.BASH;
+    if (executable) {
+      env.SHELL = executable;
+    }
+  }
+  return env;
+}
+async function materializeRuntimeCertBundle(runtime) {
+  const sourcePath = resolveSystemCertBundlePath();
+  if (!sourcePath) {
+    return "";
+  }
+  const certsDir = resolve9(runtime.rootDir, "certs");
+  const targetPath = resolve9(certsDir, "ca-certificates.pem");
+  await mkdir(certsDir, { recursive: true });
+  let shouldCopy = !existsSync7(targetPath);
+  if (!shouldCopy) {
+    try {
+      shouldCopy = statSync4(sourcePath).mtimeMs > statSync4(targetPath).mtimeMs;
+    } catch {
+      shouldCopy = true;
+    }
+  }
+  if (shouldCopy) {
+    copyFileSync2(sourcePath, targetPath);
+  }
+  return targetPath;
+}
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
+var PERSISTED_RUNTIME_SECRET_KEYS = [
+  "ANTHROPIC_API_KEY",
+  "OPENAI_API_KEY",
+  "OPENROUTER_API_KEY",
+  "AI_REVIEW_MODE",
+  "AI_REVIEW_PROVIDER",
+  "GREPTILE_API_BASE",
+  "GREPTILE_REMOTE",
+  "GREPTILE_REPOSITORY",
+  "GREPTILE_CONTEXT_BRANCH",
+  "GREPTILE_DEFAULT_BRANCH",
+  "GREPTILE_API_KEY",
+  "GREPTILE_GITHUB_TOKEN",
+  "GREPTILE_POLL_ATTEMPTS",
+  "GREPTILE_POLL_INTERVAL_MS",
+  "GH_TOKEN",
+  "GITHUB_TOKEN",
+  "AWS_ACCESS_KEY_ID",
+  "AWS_SECRET_ACCESS_KEY",
+  "AWS_REGION",
+  "LINEAR_API_KEY",
+  "LINEAR_WEBHOOK_SECRET",
+  "RIG_GITHUB_TOKEN"
+];
+function persistRuntimeSecrets(runtimeRoot, env) {
+  const secretsPath = resolve9(runtimeRoot, "runtime-secrets.json");
+  const resolvedSecrets = resolveRuntimeSecrets(env);
+  const persisted = {};
+  const secretSource = {
+    ...resolvedSecrets,
+    RIG_GITHUB_TOKEN: env.RIG_GITHUB_TOKEN
+  };
+  for (const key of PERSISTED_RUNTIME_SECRET_KEYS) {
+    const value = secretSource[key]?.trim();
+    if (value) {
+      persisted[key] = value;
+    }
+  }
+  if (Object.keys(persisted).length === 0) {
+    return;
+  }
+  writeFileSync3(secretsPath, `${JSON.stringify(persisted, null, 2)}
+`, { encoding: "utf-8", mode: 384 });
+  chmodSync(secretsPath, 384);
+}
+
+// packages/isolation-plugin/src/isolation/worktree.ts
+import { dirname as dirname3, resolve as resolve10 } from "path";
+import { assertPathInsideRoot, safeGitRefComponent as safeGitRefComponent2, safePathSegment } from "@rig/core/safe-identifiers";
+async function cleanupRuntimeWorktree(monorepoRoot, workspaceDir) {
+  assertPathInsideRoot(resolve10(monorepoRoot, ".worktrees"), workspaceDir, "runtime worktree path");
+  await runGitCommand(monorepoRoot, ["worktree", "remove", "--force", workspaceDir]);
+}
+function runtimeWorktreeNameFromRuntimeId(runtimeId) {
+  return safePathSegment(runtimeId.replace(/^task-/, ""), { fallback: "runtime", maxLength: 72 });
+}
+
+// packages/isolation-plugin/src/isolation/discovery.ts
+import { resolve as resolve11 } from "path";
+import { resolveRuntimeWorkspaceLayout } from "@rig/core/layout";
+import { loadRuntimeContext as loadRuntimeContext2 } from "@rig/core/runtime-context";
+
+// packages/isolation-plugin/src/isolation/toolchain.ts
+import { assertPathInsideRoot as assertPathInsideRoot2, safePathSegment as safePathSegment2 } from "@rig/core/safe-identifiers";
+
+// packages/isolation-plugin/src/isolation/runtime-binary-build.ts
+import { resolveRigLayout } from "@rig/core/layout";
+import { runtimeProvisioningEnv } from "@rig/core/runtime-provisioning-env";
+var runtimeBinaryBuildQueue = Promise.resolve();
+
+// packages/isolation-plugin/src/isolation/toolchain.ts
+import {
+  GUARD_TOOLCHAIN_SOURCES,
+  LIFECYCLE_TOOLCHAIN_SOURCES,
+  TOOL_MATERIALIZER
+} from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import { buildProjectPluginHost, requireInstalledCapability } from "@rig/core/capability-loaders";
+import { resolveBunBinaryPath as resolveBunBinaryPath2 } from "@rig/core/runtime-paths";
+var ToolMaterializerCap = defineCapability(TOOL_MATERIALIZER);
+var GuardToolchainSourcesCap = defineCapability(GUARD_TOOLCHAIN_SOURCES);
+var LifecycleToolchainSourcesCap = defineCapability(LIFECYCLE_TOOLCHAIN_SOURCES);
+var SNAPSHOT_SIDECAR_SOURCE = ["packages", "isolation-plugin", "src", "snapshot-sidecar.ts"].join("/");
+
+// packages/isolation-plugin/src/isolation/discovery.ts
+function runtimeRootForCleanup(projectRoot, runtimeId) {
+  let monorepoRoot = null;
+  try {
+    monorepoRoot = resolveMonorepoRoot2(projectRoot);
+  } catch {}
+  const workspaceRootCandidate = monorepoRoot ?? projectRoot;
+  const initialWorkspaceDir = resolve11(workspaceRootCandidate, ".worktrees", runtimeWorktreeNameFromRuntimeId(runtimeId));
+  const runtimeRoot = resolveRuntimeWorkspaceLayout(initialWorkspaceDir).runtimeDir;
+  return { monorepoRoot, initialWorkspaceDir, runtimeRoot };
+}
+
+// packages/isolation-plugin/src/isolation/runner.ts
+import { resolveRuntimeWorkspaceLayout as resolveRuntimeWorkspaceLayout2 } from "@rig/core/layout";
+import { resolveBunBinaryPath as resolveBunBinaryPath3 } from "@rig/core/runtime-paths";
+var SNAPSHOT_SIDECAR_READY_TIMEOUT_MS = 1e4;
+async function startRuntimeSnapshotSidecar(runtime, options = {}) {
+  const instanceId = sanitizeRuntimeRefSegment(options.instanceId?.trim() || runtime.id);
+  const readyFile = resolve12(runtime.stateDir, `runtime-snapshot-sidecar-${instanceId}.ready`);
+  const requestFile = resolve12(runtime.stateDir, `runtime-snapshot-sidecar-${instanceId}.request.json`);
+  rmSync3(readyFile, { force: true });
+  rmSync3(requestFile, { force: true });
+  const sidecarBinary = resolveSnapshotSidecarBinaryPath(runtime.binDir);
+  const useCompiledSidecar = shouldUseCompiledSnapshotSidecar(sidecarBinary);
+  const bunCli = useCompiledSidecar ? null : resolveBunCliInvocation();
+  const command = useCompiledSidecar ? [sidecarBinary] : [bunCli.command, resolveSnapshotSidecarScriptPath()];
+  const proc = Bun.spawn([
+    ...command,
+    "--workspace",
+    runtime.workspaceDir,
+    "--task",
+    runtime.taskId,
+    "--runtime-id",
+    runtime.id,
+    "--instance-id",
+    instanceId,
+    "--ready-file",
+    readyFile,
+    "--request-file",
+    requestFile
+  ], {
+    cwd: runtime.workspaceDir,
+    stdin: "ignore",
+    stdout: "pipe",
+    stderr: "pipe",
+    env: {
+      ...process.env,
+      ...bunCli?.env ?? {}
+    }
+  });
+  const stdoutTextPromise = drainStream(proc.stdout);
+  const stderrTextPromise = drainStream(proc.stderr);
+  await waitForSnapshotSidecarReady(readyFile, proc, stdoutTextPromise, stderrTextPromise);
+  return {
+    cancel: async () => {
+      try {
+        proc.kill("SIGTERM");
+      } catch {}
+      await proc.exited;
+      rmSync3(readyFile, { force: true });
+      rmSync3(requestFile, { force: true });
+    },
+    finalize: async (commandParts, exitCode) => {
+      writeFileSync4(requestFile, `${JSON.stringify({ command: commandParts, exitCode })}
+`, "utf-8");
+      const [sidecarExitCode, stdout, stderr] = await Promise.all([
+        proc.exited,
+        stdoutTextPromise,
+        stderrTextPromise
+      ]);
+      rmSync3(readyFile, { force: true });
+      rmSync3(requestFile, { force: true });
+      if (sidecarExitCode !== 0) {
+        throw new Error(`snapshot sidecar failed (${sidecarExitCode}): ${stderr || stdout}`);
+      }
+    }
+  };
+}
+async function drainStream(stream) {
+  if (!stream)
+    return "";
+  try {
+    return await new Response(stream).text();
+  } catch {
+    return "";
+  }
+}
+async function runInAgentRuntime(options) {
+  const snapshotSidecar = await startRuntimeSnapshotSidecar(options.runtime);
+  try {
+    const runtimeCommand = resolveInternalRuntimeCommand(options.command);
+    const sandboxPlan = await wrapWithRuntimeSandbox({
+      projectRoot: options.projectRoot,
+      runtime: {
+        id: options.runtime.id,
+        mode: options.runtime.mode,
+        rootDir: options.runtime.rootDir,
+        workspaceDir: options.runtime.workspaceDir,
+        homeDir: options.runtime.homeDir,
+        tmpDir: options.runtime.tmpDir,
+        cacheDir: options.runtime.cacheDir,
+        stateDir: options.runtime.stateDir,
+        sessionDir: options.runtime.sessionDir,
+        claudeHomeDir: options.runtime.claudeHomeDir,
+        binDir: options.runtime.binDir
+      },
+      command: runtimeCommand
+    });
+    const proc = Bun.spawn(sandboxPlan.command, {
+      cwd: options.runtime.workspaceDir,
+      env: runtimeCommandEnv(await runtimeEnv(options.projectRoot, options.runtime), sandboxPlan.command),
+      stdin: options.inheritStdio ? "inherit" : "pipe",
+      stdout: options.inheritStdio ? "inherit" : "pipe",
+      stderr: options.inheritStdio ? "inherit" : "pipe"
+    });
+    const exitCode = await proc.exited;
+    if (options.inheritStdio) {
+      await snapshotSidecar.finalize(runtimeCommand, exitCode);
+      return {
+        exitCode,
+        sandboxBackend: sandboxPlan.backend,
+        sandboxEnabled: sandboxPlan.enabled
+      };
+    }
+    const stdout = await new Response(proc.stdout).text();
+    const stderr = await new Response(proc.stderr).text();
+    try {
+      await Bun.write(resolve12(options.runtime.logsDir, "agent-stdout.log"), stdout);
+      await Bun.write(resolve12(options.runtime.logsDir, "agent-stderr.log"), stderr);
+    } catch {}
+    await snapshotSidecar.finalize(runtimeCommand, exitCode);
+    return {
+      exitCode,
+      stdout,
+      stderr,
+      sandboxBackend: sandboxPlan.backend,
+      sandboxEnabled: sandboxPlan.enabled
+    };
+  } catch (error) {
+    await snapshotSidecar.cancel();
+    throw error;
+  }
+}
+function resolveInternalRuntimeCommand(command) {
+  if (command.length === 0) {
+    return [];
+  }
+  const executable = command[0]?.trim() ?? "";
+  if (!executable) {
+    return [...command];
+  }
+  if (basename2(executable) === "bun") {
+    return [resolveBunBinaryPath3(), ...command.slice(1)];
+  }
+  return [...command];
+}
+async function cleanupAgentRuntime(options) {
+  const { monorepoRoot, initialWorkspaceDir, runtimeRoot } = runtimeRootForCleanup(options.projectRoot, options.id);
+  const metadataPath = resolve12(runtimeRoot, "runtime.json");
+  if (!existsSync8(runtimeRoot)) {
+    return;
+  }
+  let mode = "worktree";
+  let workspaceDir = "";
+  const metadata = await readRuntimeMetadata(metadataPath);
+  const metadataMatchesRequestedRuntime = metadata !== null && metadata.id === options.id && resolve12(metadata.workspaceDir) === resolve12(initialWorkspaceDir);
+  if (metadata && metadataMatchesRequestedRuntime) {
+    mode = metadata.mode;
+    workspaceDir = metadata.workspaceDir;
+  } else if (existsSync8(initialWorkspaceDir)) {
+    workspaceDir = initialWorkspaceDir;
+  }
+  const preservesTaskWorktree = metadataMatchesRequestedRuntime && metadata ? options.id === taskRuntimeId(metadata.taskId) : false;
+  if (mode === "worktree" && workspaceDir && monorepoRoot && !preservesTaskWorktree) {
+    await cleanupRuntimeWorktree(monorepoRoot, workspaceDir);
+  } else if (mode === "worktree" && workspaceDir && preservesTaskWorktree) {
+    cleanupTaskRuntimeOverlay(workspaceDir);
+  }
+  rmSync3(runtimeRoot, { recursive: true, force: true });
+}
+function cleanupTaskRuntimeOverlay(workspaceDir) {
+  const layout = resolveRuntimeWorkspaceLayout2(workspaceDir);
+  for (const path of [
+    layout.homeDir,
+    layout.tmpDir,
+    layout.cacheDir,
+    layout.logsDir,
+    layout.stateDir,
+    layout.sessionDir,
+    layout.binDir,
+    layout.distDir,
+    layout.runtimeDir,
+    layout.contextPath
+  ]) {
+    rmSync3(path, { recursive: true, force: true });
+  }
+}
+function resolveSnapshotSidecarScriptPath() {
+  return resolveRuntimeSourceScriptPath("snapshot-sidecar.ts");
+}
+function resolveSnapshotSidecarBinaryPath(binDir) {
+  return resolve12(binDir, "snapshot-sidecar");
+}
+function shouldUseCompiledSnapshotSidecar(binaryPath) {
+  if (!existsSync8(binaryPath)) {
+    return false;
+  }
+  const preference = process.env.RIG_USE_COMPILED_SNAPSHOT_SIDECAR?.trim().toLowerCase();
+  if (!preference) {
+    return false;
+  }
+  return preference === "1" || preference === "true" || preference === "yes";
+}
+function resolveRuntimeSourceScriptPath(fileName) {
+  const hostRoots = [
+    process.env.RIG_HOST_PROJECT_ROOT?.trim(),
+    process.env.PROJECT_RIG_ROOT?.trim()
+  ].filter((value) => Boolean(value));
+  for (const root of hostRoots) {
+    const candidate = resolve12(root, "packages/isolation-plugin/src", fileName);
+    if (existsSync8(candidate)) {
+      return candidate;
+    }
+  }
+  return resolve12(import.meta.dir, "..", fileName);
+}
+function resolveBunCliInvocation() {
+  if (process.env.RIG_BUN_PATH?.trim()) {
+    return {
+      command: process.env.RIG_BUN_PATH.trim(),
+      env: {}
+    };
+  }
+  const systemBun = Bun.which("bun")?.trim();
+  if (systemBun) {
+    return {
+      command: systemBun,
+      env: {}
+    };
+  }
+  if (process.execPath?.trim()) {
+    return {
+      command: process.execPath,
+      env: { BUN_BE_BUN: "1" }
+    };
+  }
+  return { command: "bun", env: {} };
+}
+async function waitForSnapshotSidecarReady(readyFile, proc, stdoutTextPromise, stderrTextPromise) {
+  const deadline = Date.now() + SNAPSHOT_SIDECAR_READY_TIMEOUT_MS;
+  while (Date.now() < deadline) {
+    if (existsSync8(readyFile)) {
+      return;
+    }
+    const exitCode = proc.exitCode;
+    if (exitCode !== null) {
+      const [stderr, stdout] = await Promise.all([stderrTextPromise, stdoutTextPromise]);
+      throw new Error(`snapshot sidecar exited before ready (${exitCode}): ${stderr || stdout}`);
+    }
+    await Bun.sleep(25);
+  }
+  throw new Error(`snapshot sidecar did not become ready within ${SNAPSHOT_SIDECAR_READY_TIMEOUT_MS}ms`);
+}
+async function readRuntimeMetadata(metadataPath) {
+  if (!existsSync8(metadataPath)) {
+    return null;
+  }
+  try {
+    return await Bun.file(metadataPath).json();
+  } catch {
+    return null;
+  }
+}
+export {
+  startRuntimeSnapshotSidecar,
+  runInAgentRuntime,
+  cleanupAgentRuntime
+};