@h-rig/isolation-plugin 0.0.6-alpha.157 → 0.0.6-alpha.159

package/dist/src/embedded-native-assets.d.ts

@@ -0,0 +1,7 @@
+export type EmbeddedNative = {
+    name: string;
+    fileName: string;
+    filePath: string;
+    size: number;
+};
+export declare const embeddedNatives: Record<string, EmbeddedNative> | null;

package/dist/src/embedded-native-assets.js

@@ -0,0 +1,6 @@
+// @bun
+// packages/isolation-plugin/src/embedded-native-assets.ts
+var embeddedNatives = null;
+export {
+  embeddedNatives
+};

package/dist/src/image-fingerprint-sidecar.d.ts

@@ -0,0 +1 @@
+export declare function runRuntimeImageFingerprintSidecar(argv?: string[]): Promise<void>;

package/dist/src/image-fingerprint-sidecar.js

@@ -0,0 +1,515 @@
+// @bun
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+
+// packages/isolation-plugin/src/sandbox/utils.ts
+import { resolveMonorepoRoot as resolveMonorepoRoot2 } from "@rig/core/layout";
+var init_utils = () => {};
+
+// packages/isolation-plugin/src/image.ts
+import { ptr as ptr2, toBuffer as toBuffer2 } from "bun:ffi";
+import {
+  existsSync as existsSync3,
+  readFileSync as readFileSync2,
+  readdirSync,
+  mkdirSync as mkdirSync3,
+  writeFileSync as writeFileSync2,
+  renameSync as renameSync3,
+  rmSync as rmSync2,
+  cpSync,
+  lstatSync,
+  unlinkSync,
+  symlinkSync
+} from "fs";
+import { resolve as resolve4 } from "path";
+import { resolveRigLayout as resolveRigLayout2 } from "@rig/core/layout";
+
+// packages/isolation-plugin/src/runtime-native.ts
+import { dlopen, ptr, suffix, toBuffer } from "bun:ffi";
+import { copyFileSync, existsSync as existsSync2, mkdirSync as mkdirSync2, renameSync as renameSync2, rmSync, statSync as statSync2 } from "fs";
+import { tmpdir as tmpdir2 } from "os";
+import { dirname, resolve as resolve2 } from "path";
+
+// packages/isolation-plugin/src/native-extract.ts
+import { existsSync, mkdirSync, readFileSync, renameSync, statSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { resolve } from "path";
+
+// packages/isolation-plugin/src/embedded-native-assets.ts
+var embeddedNatives = null;
+
+// packages/isolation-plugin/src/native-extract.ts
+var sharedNativeOutputDir = resolve(tmpdir(), "rig-native");
+var extractionCache = {};
+function extractEmbeddedNative(name) {
+  if (name in extractionCache) {
+    return extractionCache[name] ?? null;
+  }
+  const entry = embeddedNatives?.[name];
+  if (!entry) {
+    extractionCache[name] = null;
+    return null;
+  }
+  try {
+    const targetPath = resolve(sharedNativeOutputDir, entry.fileName);
+    mkdirSync(sharedNativeOutputDir, { recursive: true });
+    const upToDate = existsSync(targetPath) && statSync(targetPath).size === entry.size;
+    if (!upToDate) {
+      const bytes = readFileSync(entry.filePath);
+      const tempPath = `${targetPath}.${process.pid}.${Date.now()}.tmp`;
+      writeFileSync(tempPath, bytes, { mode: 493 });
+      renameSync(tempPath, targetPath);
+    }
+    extractionCache[name] = targetPath;
+  } catch {
+    extractionCache[name] = null;
+  }
+  return extractionCache[name] ?? null;
+}
+
+// packages/isolation-plugin/src/runtime-native.ts
+var sharedNativeRuntimeOutputDir = resolve2(tmpdir2(), "rig-native");
+var sharedNativeRuntimeOutputPath = resolve2(sharedNativeRuntimeOutputDir, `runtime-native-${process.platform}-${process.arch}.${suffix}`);
+var colocatedNativeRuntimeFileName = `runtime-native.${suffix}`;
+var nativeRuntimeLibrary = await loadNativeRuntimeLibrary();
+function requireNativeRuntimeLibrary(feature) {
+  if (!nativeRuntimeLibrary) {
+    throw new Error(`Native Zig runtime is required for ${feature}`);
+  }
+  return nativeRuntimeLibrary;
+}
+async function ensureNativeRuntimeLibraryPath(outputPath = sharedNativeRuntimeOutputPath, options = {}) {
+  const explicitLib = process.env.RIG_NATIVE_RUNTIME_LIB?.trim();
+  if (explicitLib && existsSync2(explicitLib)) {
+    return explicitLib;
+  }
+  const embeddedPath = extractEmbeddedNative("snapshot");
+  if (embeddedPath) {
+    return embeddedPath;
+  }
+  if (await buildNativeRuntimeLibrary(outputPath, options)) {
+    return outputPath;
+  }
+  return !options.force && existsSync2(outputPath) ? outputPath : null;
+}
+async function loadNativeRuntimeLibrary() {
+  if (process.env.RIG_DISABLE_ZIG_NATIVE === "1") {
+    return null;
+  }
+  const explicitLib = process.env.RIG_NATIVE_RUNTIME_LIB?.trim();
+  if (explicitLib && existsSync2(explicitLib)) {
+    const loaded = tryDlopenNativeRuntimeLibrary(explicitLib);
+    if (loaded) {
+      return loaded;
+    }
+  }
+  const embeddedPath = extractEmbeddedNative("snapshot");
+  if (embeddedPath) {
+    const loaded = tryDlopenNativeRuntimeLibrary(embeddedPath);
+    if (loaded) {
+      return loaded;
+    }
+  }
+  for (const candidate of nativeRuntimeLibraryCandidates()) {
+    if (!candidate || !existsSync2(candidate)) {
+      continue;
+    }
+    const loaded = tryDlopenNativeRuntimeLibrary(candidate);
+    if (loaded) {
+      return loaded;
+    }
+  }
+  const builtLibraryPath = await ensureNativeRuntimeLibraryPath(sharedNativeRuntimeOutputPath, { force: true });
+  if (!builtLibraryPath) {
+    return null;
+  }
+  return tryDlopenNativeRuntimeLibrary(builtLibraryPath);
+}
+function nativePackageLibraryCandidates(fromDir, names) {
+  const candidates = [];
+  let cursor = resolve2(fromDir);
+  for (let index = 0;index < 8; index += 1) {
+    for (const name of names) {
+      candidates.push(resolve2(cursor, "native", `${process.platform}-${process.arch}`, name), resolve2(cursor, "native", `${process.platform}-${process.arch}`, "lib", name), resolve2(cursor, "native", name), resolve2(cursor, "native", "lib", name));
+    }
+    const parent = dirname(cursor);
+    if (parent === cursor)
+      break;
+    cursor = parent;
+  }
+  return candidates;
+}
+function nativeRuntimeLibraryCandidates() {
+  const explicit = process.env.RIG_NATIVE_RUNTIME_LIB?.trim() || "";
+  const execDir = process.execPath?.trim() ? dirname(process.execPath.trim()) : "";
+  const platformSpecific = `runtime-native-${process.platform}-${process.arch}.${suffix}`;
+  return [...new Set([
+    explicit,
+    ...nativePackageLibraryCandidates(import.meta.dir, [colocatedNativeRuntimeFileName, platformSpecific]),
+    execDir ? resolve2(execDir, colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, platformSpecific) : "",
+    execDir ? resolve2(execDir, "..", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, "..", platformSpecific) : "",
+    execDir ? resolve2(execDir, "lib", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, "..", "lib", colocatedNativeRuntimeFileName) : "",
+    sharedNativeRuntimeOutputPath
+  ].filter(Boolean))];
+}
+function resolveNativeRuntimeSourcePath() {
+  const explicit = process.env.RIG_NATIVE_RUNTIME_SOURCE?.trim();
+  if (explicit && existsSync2(explicit)) {
+    return explicit;
+  }
+  const bundled = resolve2(import.meta.dir, "../native/snapshot.zig");
+  return existsSync2(bundled) ? bundled : null;
+}
+async function buildNativeRuntimeLibrary(outputPath, options = {}) {
+  if (process.env.RIG_DISABLE_ZIG_NATIVE === "1") {
+    return false;
+  }
+  const zigBinary = Bun.which("zig");
+  const sourcePath = resolveNativeRuntimeSourcePath();
+  if (!zigBinary || !sourcePath) {
+    return false;
+  }
+  const tempOutputPath = `${outputPath}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2)}.tmp`;
+  try {
+    mkdirSync2(dirname(outputPath), { recursive: true });
+    const needsBuild = options.force === true || !existsSync2(outputPath) || statSync2(sourcePath).mtimeMs > statSync2(outputPath).mtimeMs;
+    if (!needsBuild) {
+      return true;
+    }
+    const build = Bun.spawn([
+      zigBinary,
+      "build-lib",
+      sourcePath,
+      "-dynamic",
+      "-O",
+      "ReleaseFast",
+      `-femit-bin=${tempOutputPath}`
+    ], {
+      cwd: import.meta.dir,
+      stdout: "pipe",
+      stderr: "pipe"
+    });
+    const exitCode = await build.exited;
+    if (exitCode !== 0 || !existsSync2(tempOutputPath)) {
+      rmSync(tempOutputPath, { force: true });
+      return false;
+    }
+    renameSync2(tempOutputPath, outputPath);
+    return true;
+  } catch {
+    rmSync(tempOutputPath, { force: true });
+    return false;
+  }
+}
+function tryDlopenNativeRuntimeLibrary(outputPath) {
+  try {
+    return dlopen(outputPath, {
+      rig_scope_match: {
+        args: ["ptr", "ptr"],
+        returns: "u8"
+      },
+      snapshot_capture: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_delta: {
+        args: ["ptr", "ptr"],
+        returns: "ptr"
+      },
+      snapshot_store_delta: {
+        args: ["ptr", "ptr", "ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_inspect_delta: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_apply_delta: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_release: {
+        args: ["ptr"],
+        returns: "void"
+      },
+      runtime_hash_file: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_hash_tree: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_prepare_paths: {
+        args: ["ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_link_dependency_layer: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_scan_worktrees: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      }
+    });
+  } catch {
+    return null;
+  }
+}
+
+// packages/isolation-plugin/src/isolation/index.ts
+import { BROWSER_CONTRACT_SERVICE_CAPABILITY, MEMORY } from "@rig/contracts";
+import { safePathSegment as safePathSegment3 } from "@rig/core/safe-identifiers";
+
+// packages/isolation-plugin/src/isolation/git-native.ts
+import { tmpdir as tmpdir3 } from "os";
+import { dirname as dirname2, isAbsolute, resolve as resolve3 } from "path";
+var sharedGitNativeOutputDir = resolve3(tmpdir3(), "rig-native");
+var sharedGitNativeOutputPath = resolve3(sharedGitNativeOutputDir, `rig-git-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+
+// packages/isolation-plugin/src/isolation/index.ts
+import { defineCapability as defineCapability2 } from "@rig/core/capability";
+import { loadCapabilityForRoot, requireCapabilityForRoot, requireInstalledCapability as requireInstalledCapability2 } from "@rig/core/capability-loaders";
+import { buildPluginHostContext } from "@rig/core/plugin-host-context";
+import { TASK_DATA_SERVICE_CAPABILITY } from "@rig/contracts";
+import { resolveRuntimeWorkspaceLayout as resolveRuntimeWorkspaceLayout3 } from "@rig/core/layout";
+import { ensureRuntimeOverlay } from "@rig/core/runtime-overlay";
+import {
+  DEFAULT_RUNTIME_MEMORY_RETRIEVAL,
+  writeRuntimeContext
+} from "@rig/core/runtime-context";
+import { secretDefinesFromEnv } from "@rig/core/baked-secrets";
+
+// packages/isolation-plugin/src/isolation/home.ts
+import { resolveBunBinaryPath, resolveBunInstallDir, resolveClaudeBinaryPath, resolveClaudeInstallDir, resolveNodeInstallDir } from "@rig/core/runtime-paths";
+import { resolveRuntimeSecrets } from "@rig/core/baked-secrets";
+import { browserEnvFromContext, loadRuntimeContext, runtimeMemoryEnvFromContext, RUNTIME_CONTEXT_ENV } from "@rig/core/runtime-context";
+
+// packages/isolation-plugin/src/isolation/shared.ts
+import { agentId, safeGitRefComponent, taskRuntimeId } from "@rig/core/safe-identifiers";
+import { resolveCheckoutRoot } from "@rig/core/checkout-root";
+var generatedCredentialFiles = new Set;
+
+// packages/isolation-plugin/src/isolation/home.ts
+var GITHUB_KNOWN_HOSTS = [
+  "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl",
+  "github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=",
+  "github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk="
+].join(`
+`);
+
+// packages/isolation-plugin/src/isolation/discovery.ts
+import { resolveRuntimeWorkspaceLayout } from "@rig/core/layout";
+import { loadRuntimeContext as loadRuntimeContext2 } from "@rig/core/runtime-context";
+
+// packages/isolation-plugin/src/isolation/worktree.ts
+import { assertPathInsideRoot, safeGitRefComponent as safeGitRefComponent2, safePathSegment } from "@rig/core/safe-identifiers";
+
+// packages/isolation-plugin/src/isolation/toolchain.ts
+import { assertPathInsideRoot as assertPathInsideRoot2, safePathSegment as safePathSegment2 } from "@rig/core/safe-identifiers";
+
+// packages/isolation-plugin/src/isolation/runtime-binary-build.ts
+import { resolveRigLayout } from "@rig/core/layout";
+import { runtimeProvisioningEnv } from "@rig/core/runtime-provisioning-env";
+var runtimeBinaryBuildQueue = Promise.resolve();
+
+// packages/isolation-plugin/src/isolation/toolchain.ts
+import {
+  GUARD_TOOLCHAIN_SOURCES,
+  LIFECYCLE_TOOLCHAIN_SOURCES,
+  TOOL_MATERIALIZER
+} from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import { buildProjectPluginHost, requireInstalledCapability } from "@rig/core/capability-loaders";
+import { resolveBunBinaryPath as resolveBunBinaryPath2 } from "@rig/core/runtime-paths";
+var ToolMaterializerCap = defineCapability(TOOL_MATERIALIZER);
+var GuardToolchainSourcesCap = defineCapability(GUARD_TOOLCHAIN_SOURCES);
+var LifecycleToolchainSourcesCap = defineCapability(LIFECYCLE_TOOLCHAIN_SOURCES);
+var SNAPSHOT_SIDECAR_SOURCE = ["packages", "isolation-plugin", "src", "snapshot-sidecar.ts"].join("/");
+
+// packages/isolation-plugin/src/runtime-config.ts
+import {
+  POLICY_VERSION
+} from "@rig/contracts";
+
+// packages/isolation-plugin/src/sandbox/backend.ts
+init_utils();
+import {
+  resolveBunInstallDir as resolveBunInstallDir2,
+  resolveClaudeInstallDir as resolveClaudeInstallDir2,
+  resolveNodeInstallDir as resolveNodeInstallDir2,
+  resolveRuntimeDependencyRoots
+} from "@rig/core/runtime-paths";
+
+// packages/isolation-plugin/src/isolation/runner.ts
+import { resolveRuntimeWorkspaceLayout as resolveRuntimeWorkspaceLayout2 } from "@rig/core/layout";
+import { resolveBunBinaryPath as resolveBunBinaryPath3 } from "@rig/core/runtime-paths";
+
+// packages/isolation-plugin/src/isolation/index.ts
+var TaskDataCap = defineCapability2(TASK_DATA_SERVICE_CAPABILITY);
+
+// packages/isolation-plugin/src/isolation/provisioning-env.ts
+import { runtimeProvisioningEnv as runtimeProvisioningEnv2 } from "@rig/core/runtime-provisioning-env";
+
+// packages/isolation-plugin/src/image.ts
+import { resolveBunBinaryPath as resolveBunBinaryPath4 } from "@rig/core/runtime-paths";
+var HASH_RESULT_SIZE = 40;
+var nativeRuntimeLibrary2 = null;
+function sha256Hex2(input) {
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(input);
+  return hasher.digest("hex");
+}
+function hashFile(filePath) {
+  if (!existsSync3(filePath)) {
+    return "";
+  }
+  return hashPathWithNative("runtime_hash_file", filePath);
+}
+function hashDirectory(dir) {
+  if (!existsSync3(dir)) {
+    return sha256Hex2("(empty)");
+  }
+  return hashPathWithNative("runtime_hash_tree", dir);
+}
+function hashDirectories(dirs) {
+  const combined = new Bun.CryptoHasher("sha256");
+  for (const { label, path } of dirs) {
+    const dirHash = hashDirectory(path);
+    combined.update(`${label}:${dirHash}
+`);
+  }
+  return combined.digest("hex");
+}
+async function probeVersion(args) {
+  try {
+    const proc = Bun.spawn(args, { stdout: "pipe", stderr: "pipe" });
+    const [exitCode, stdout] = await Promise.all([
+      proc.exited,
+      new Response(proc.stdout).text()
+    ]);
+    if (exitCode === 0) {
+      return stdout.trim().split(`
+`)[0] ?? "";
+    }
+    return "";
+  } catch {
+    return "";
+  }
+}
+async function computeRuntimeImageFingerprintNative(projectRoot) {
+  const [nodeVersion, claudeVersion] = await Promise.all([
+    probeVersion(["node", "--version"]),
+    probeVersion(["claude", "--version"])
+  ]);
+  const runtimeDir = resolve4(projectRoot, "packages", "runtime");
+  const cliDir = resolve4(projectRoot, "packages", "cli");
+  const runtimeCodeHash = hashDirectories([
+    { label: "packages/runtime", path: runtimeDir },
+    { label: "packages/cli", path: cliDir }
+  ]);
+  const policyPath = resolve4(projectRoot, "rig/policy/policy.json");
+  const policyHash = hashFile(policyPath);
+  const pluginsDir = resolve4(projectRoot, "rig/plugins");
+  const pluginsHash = hashDirectory(pluginsDir);
+  const baseLockfiles = [
+    "bun.lock",
+    "bun.lockb",
+    "package-lock.json",
+    "package.json",
+    "tsconfig.json"
+  ];
+  const extra = process.env.RIG_RUNTIME_IMAGE_EXTRA_LOCKFILES?.trim();
+  const lockfileCandidates = extra ? [...baseLockfiles, ...extra.split(",").map((p) => p.trim()).filter(Boolean)] : baseLockfiles;
+  const lockfileHashes = {};
+  for (const relPath of lockfileCandidates) {
+    const fullPath = resolve4(projectRoot, relPath);
+    if (existsSync3(fullPath)) {
+      lockfileHashes[relPath] = hashFile(fullPath);
+    }
+  }
+  return {
+    platform: process.platform,
+    bunVersion: Bun.version,
+    nodeVersion,
+    claudeVersion,
+    runtimeCodeHash,
+    policyHash,
+    pluginsHash,
+    lockfileHashes
+  };
+}
+function hashPathWithNative(symbol, path) {
+  const pathBuffer = Buffer.from(path, "utf8");
+  const runtimeLibrary = getNativeRuntimeLibrary();
+  const resultPtr = runtimeLibrary.symbols[symbol](Number(ptr2(pathBuffer)), pathBuffer.byteLength);
+  if (!resultPtr) {
+    throw new Error(`${symbol} returned null for ${path}`);
+  }
+  try {
+    const view = viewAt(resultPtr, HASH_RESULT_SIZE);
+    const error = readError(view, 24, 32);
+    if (error) {
+      throw new Error(`${symbol} failed: ${error}`);
+    }
+    return readString(readU64(view, 8), readU64(view, 16));
+  } finally {
+    runtimeLibrary.symbols.snapshot_release(resultPtr);
+  }
+}
+function getNativeRuntimeLibrary() {
+  if (nativeRuntimeLibrary2) {
+    return nativeRuntimeLibrary2;
+  }
+  nativeRuntimeLibrary2 = requireNativeRuntimeLibrary("runtime image hashing");
+  return nativeRuntimeLibrary2;
+}
+function viewAt(pointer, size) {
+  const buffer = toBuffer2(pointer, 0, size);
+  return new DataView(buffer.buffer, buffer.byteOffset, buffer.byteLength);
+}
+function readString(pointer, length) {
+  if (!pointer || length === 0) {
+    return "";
+  }
+  return Buffer.from(toBuffer2(pointer, 0, length)).toString("utf8");
+}
+function readU64(view, offset) {
+  return Number(view.getBigUint64(offset, true));
+}
+function readError(view, pointerOffset, lengthOffset) {
+  const errorPointer = readU64(view, pointerOffset);
+  const errorLength = readU64(view, lengthOffset);
+  if (!errorPointer || !errorLength) {
+    return null;
+  }
+  return readString(errorPointer, errorLength);
+}
+var LOCK_STALE_MS = 10 * 60 * 1000;
+
+// packages/isolation-plugin/src/image-fingerprint-sidecar.ts
+function parseProjectRoot(argv) {
+  for (let index = 0;index < argv.length; index += 1) {
+    if (argv[index] === "--project-root") {
+      return argv[index + 1] ?? "";
+    }
+  }
+  throw new Error("Usage: image-fingerprint-sidecar.ts --project-root <dir>");
+}
+async function runRuntimeImageFingerprintSidecar(argv = process.argv.slice(2)) {
+  const projectRoot = parseProjectRoot(argv);
+  const fingerprint = await computeRuntimeImageFingerprintNative(projectRoot);
+  process.stdout.write(JSON.stringify(fingerprint));
+}
+if (import.meta.main) {
+  runRuntimeImageFingerprintSidecar().catch((error) => {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+  });
+}
+export {
+  runRuntimeImageFingerprintSidecar
+};

package/dist/src/image.d.ts

@@ -0,0 +1,40 @@
+export type RuntimeImageFingerprint = {
+    platform: string;
+    bunVersion: string;
+    nodeVersion: string;
+    claudeVersion: string;
+    runtimeCodeHash: string;
+    policyHash: string;
+    pluginsHash: string;
+    lockfileHashes: Record<string, string>;
+};
+export type RuntimeImage = {
+    id: string;
+    rootDir: string;
+    binDir: string;
+    hooksDir: string;
+    pluginsDir: string;
+    validatorsDir: string;
+    depsDir: string;
+    manifestPath: string;
+    fingerprint: RuntimeImageFingerprint;
+};
+export declare function computeRuntimeImageFingerprint(projectRoot: string): Promise<RuntimeImageFingerprint>;
+export declare function computeRuntimeImageFingerprintNative(projectRoot: string): Promise<RuntimeImageFingerprint>;
+export declare function computeRuntimeImageId(fp: RuntimeImageFingerprint): string;
+export declare function acquireRuntimeImageLock(lockPath: string): boolean;
+export declare function releaseRuntimeImageLock(lockPath: string): void;
+export declare function waitForRuntimeImageManifest(manifestPath: string, timeoutMs: number, pollMs?: number): Promise<boolean>;
+/**
+ * Compute a deterministic 16-character hex ID from a fingerprint.
+ * Same inputs always produce the same ID.
+ */
+export declare function computeRuntimeImageIdFromFingerprint(fp: RuntimeImageFingerprint): string;
+/**
+ * Ensure the shared runtime image for this project exists and is up-to-date.
+ *
+ * - Cache hit: manifest exists → returns immediately without recompiling.
+ * - Cache miss or fingerprint mismatch: acquires a file lock, builds binaries
+ *   in a temp dir, atomically renames to the final image dir, releases lock.
+ */
+export declare function ensureRuntimeImage(projectRoot: string): Promise<RuntimeImage>;