@h-rig/isolation-plugin 0.0.6-alpha.157 → 0.0.6-alpha.158

package/dist/src/sandbox/utils.d.ts

@@ -0,0 +1,43 @@
+import type { SandboxConfig } from "@rig/contracts";
+/**
+ * Resolve a path to its real (symlink-resolved) location.
+ * Falls back to `resolve()` if `realpathSync.native` fails (e.g. path does not exist).
+ */
+export declare function toRealPath(path: string): string;
+/**
+ * Walk up from a directory to find all `.git` directories,
+ * collecting them as a flat, deduplicated string array.
+ *
+ * Checks:
+ * 1. `projectRoot/.git`
+ * 2. `workspaceDir/../../.git` (two levels up — monorepo worktree layout)
+ * 3. `workspaceDir/.git` (if it exists)
+ * 4. `.git` for any additional readable host repo roots exposed via `projectRoot`
+ *
+ * Checks exactly these paths — no ancestor walk.
+ * Matches the original sandbox.ts behavior exactly.
+ */
+export declare function resolveHostGitMetadataPaths(projectRoot: string, workspaceDir: string): string[];
+/**
+ * Resolve additional host repo roots that must be readable inside the sandbox
+ * even when projectRoot exposes them through symlinks.
+ */
+export declare function resolveHostRepoRootPaths(projectRoot: string): string[];
+/**
+ * Resolve network access setting from policy config with optional env var override.
+ * Env var overrides log a warning when they differ from the policy value.
+ */
+export declare function resolveNetworkWithPolicy(sandboxConfig: SandboxConfig, envOverride: string | undefined): boolean;
+/**
+ * Parse a boolean-ish environment variable string.
+ * Recognizes: 1/true/yes/on as true, 0/false/no/off as false (case-insensitive).
+ * Returns `fallback` for undefined or unrecognized values.
+ */
+export declare function parseBooleanEnv(raw: string | undefined, fallback: boolean): boolean;
+/** Deduplicate a string array, preserving insertion order. */
+export declare function uniq(values: string[]): string[];
+/**
+ * Escape a string for use in a macOS seatbelt (.sb) profile literal.
+ * Wraps in double quotes, escaping backslashes and embedded quotes.
+ */
+export declare function seatbeltString(value: string): string;

package/dist/src/sandbox/utils.js

@@ -0,0 +1,94 @@
+// @bun
+// packages/isolation-plugin/src/sandbox/utils.ts
+import { existsSync, readdirSync, realpathSync } from "fs";
+import { resolve } from "path";
+import { resolveMonorepoRoot } from "@rig/core/layout";
+function toRealPath(path) {
+  if (!existsSync(path)) {
+    return resolve(path);
+  }
+  try {
+    return realpathSync.native(path);
+  } catch {
+    return resolve(path);
+  }
+}
+function resolveHostGitMetadataPaths(projectRoot, workspaceDir) {
+  const candidates = new Set;
+  const addPath = (candidate) => {
+    if (existsSync(candidate)) {
+      candidates.add(toRealPath(candidate));
+    }
+  };
+  addPath(resolve(projectRoot, ".git"));
+  addPath(resolve(workspaceDir, "..", "..", ".git"));
+  for (const repoRoot of resolveHostRepoRootPaths(projectRoot)) {
+    addPath(resolve(repoRoot, ".git"));
+  }
+  const workspaceGit = resolve(workspaceDir, ".git");
+  if (existsSync(workspaceGit)) {
+    addPath(workspaceGit);
+  }
+  return [...candidates];
+}
+function resolveHostRepoRootPaths(projectRoot) {
+  const candidates = new Set;
+  const addPath = (candidate) => {
+    if (existsSync(candidate)) {
+      candidates.add(toRealPath(candidate));
+    }
+  };
+  try {
+    const monorepoRoot = resolveMonorepoRoot(projectRoot);
+    if (toRealPath(monorepoRoot) !== toRealPath(projectRoot)) {
+      addPath(monorepoRoot);
+    }
+  } catch {}
+  const reposDir = resolve(projectRoot, "repos");
+  if (existsSync(reposDir)) {
+    for (const entry of readdirSync(reposDir, { withFileTypes: true })) {
+      if (entry.isDirectory() || entry.isSymbolicLink()) {
+        addPath(resolve(reposDir, entry.name));
+      }
+    }
+  }
+  return [...candidates];
+}
+function resolveNetworkWithPolicy(sandboxConfig, envOverride) {
+  if (envOverride) {
+    const envValue = parseBooleanEnv(envOverride, sandboxConfig.network);
+    if (envValue !== sandboxConfig.network) {
+      console.warn(`[sandbox] RIG_RUNTIME_SANDBOX_NETWORK=${envOverride} overrides policy sandbox.network=${sandboxConfig.network}`);
+    }
+    return envValue;
+  }
+  return sandboxConfig.network;
+}
+function parseBooleanEnv(raw, fallback) {
+  if (!raw) {
+    return fallback;
+  }
+  const normalized = raw.trim().toLowerCase();
+  if (normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on") {
+    return true;
+  }
+  if (normalized === "0" || normalized === "false" || normalized === "no" || normalized === "off") {
+    return false;
+  }
+  return fallback;
+}
+function uniq(values) {
+  return [...new Set(values)];
+}
+function seatbeltString(value) {
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"")}"`;
+}
+export {
+  uniq,
+  toRealPath,
+  seatbeltString,
+  resolveNetworkWithPolicy,
+  resolveHostRepoRootPaths,
+  resolveHostGitMetadataPaths,
+  parseBooleanEnv
+};

package/dist/src/service.d.ts

@@ -2,12 +2,17 @@
  * service.ts — the concrete worktree isolation backend the runtime port
  * resolves and consumes.
  *
- * CONFIG-LIGHT: this module top-level-imports the in-runtime worktree
- * provisioning primitive. It is loaded LAZILY by the capability `run()` in
- * plugin.ts (`(await import("./service")).svc`), so merely evaluating
- * rig.config.ts never drags the provisioning impl into scope.
+ * CONFIG-LIGHT: this module top-level-imports the now-owned isolation tree (the
+ * worktree provisioning + execution primitives). It is loaded LAZILY by the
+ * capability `run()` in plugin.ts (`(await import("./service")).svc`), so merely
+ * evaluating rig.config.ts never drags the provisioning impl into scope.
+ *
+ * The backend exposes the full `IsolationBackend` seam (provisioning + execution
+ * helpers) so the runtime substrate (queue, agent-wrapper) reaches these
+ * plugin-owned functions through the resolved port — never via a direct import —
+ * keeping the substrate->plugin dependency edge absent.
  */
-import type { IsolationBackend } from "@rig/runtime/control-plane/isolation-backend-port";
+import type { IsolationBackend } from "@rig/contracts";
 /** The concrete worktree isolation backend the runtime port resolves. */
 export declare const svc: IsolationBackend;
 /** Back-compat alias. */