@h-rig/isolation-plugin 0.0.6-alpha.157 → 0.0.6-alpha.159

package/dist/src/isolation/shared.js

@@ -0,0 +1,283 @@
+// @bun
+// packages/isolation-plugin/src/isolation/shared.ts
+import { existsSync, readFileSync, rmSync } from "fs";
+import { resolve } from "path";
+import { agentId, safeGitRefComponent, taskRuntimeId } from "@rig/core/safe-identifiers";
+import { resolveCheckoutRoot } from "@rig/core/checkout-root";
+function isRuntimeGatewayGitPath(candidate) {
+  return /\/\.rig\/bin\/git$/.test(candidate.replace(/\\/g, "/"));
+}
+function isRuntimeGatewayGhPath(candidate) {
+  return /\/\.rig\/bin\/gh$/.test(candidate.replace(/\\/g, "/"));
+}
+function resolveHostGitBinary() {
+  const candidates = [
+    process.env.RIG_GIT_BIN?.trim() || "",
+    "/usr/bin/git",
+    "/opt/homebrew/bin/git",
+    "/usr/local/bin/git"
+  ];
+  const bunResolved = Bun.which("git");
+  if (bunResolved && !isRuntimeGatewayGitPath(bunResolved)) {
+    candidates.push(bunResolved);
+  }
+  for (const candidate of candidates) {
+    if (candidate && !isRuntimeGatewayGitPath(candidate) && existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  return "git";
+}
+function resolveGithubCliBinary(options = {}) {
+  const candidates = new Set;
+  const explicit = process.env.RIG_GH_BIN?.trim();
+  if (explicit) {
+    candidates.add(explicit);
+  }
+  for (const candidate of ["/usr/bin/gh", "/opt/homebrew/bin/gh", "/usr/local/bin/gh"]) {
+    candidates.add(candidate);
+  }
+  if (options.scanPath) {
+    for (const entry of (process.env.PATH || "").split(":").map((value) => value.trim()).filter(Boolean)) {
+      candidates.add(resolve(entry, "gh"));
+    }
+  }
+  const bunResolved = Bun.which("gh");
+  if (bunResolved) {
+    candidates.add(bunResolved);
+  }
+  for (const candidate of candidates) {
+    if (candidate && existsSync(candidate) && !isRuntimeGatewayGhPath(candidate)) {
+      return candidate;
+    }
+  }
+  return "";
+}
+var generatedCredentialFiles = new Set;
+var credentialCleanupRegistered = false;
+function resolveMonorepoRoot(projectRoot) {
+  return resolveCheckoutRoot(projectRoot);
+}
+async function runGitCommand(repoRoot, args) {
+  const gitBinary = resolveHostGitBinary();
+  return Bun.$`${gitBinary} -C ${repoRoot} ${args}`.quiet().nothrow();
+}
+async function readGitConfigValue(repoRoot, key, global = false) {
+  const args = ["config", ...global ? ["--global"] : [], "--get", key];
+  const result = await runGitCommand(repoRoot, args);
+  if (result.exitCode !== 0) {
+    return "";
+  }
+  return String(result.stdout).trim();
+}
+async function readGitStdout(repoRoot, args) {
+  const result = await runGitCommand(repoRoot, args);
+  if (result.exitCode !== 0) {
+    throw new Error(`git -C ${repoRoot} ${args.join(" ")} failed: ${result.stderr || result.stdout}`);
+  }
+  return String(result.stdout).trim();
+}
+async function hasGitRemote(repoRoot, remote) {
+  const result = await runGitCommand(repoRoot, ["remote", "get-url", remote]);
+  return result.exitCode === 0;
+}
+async function ensureFullGitHistory(repoRoot) {
+  const shallow = await runGitCommand(repoRoot, ["rev-parse", "--is-shallow-repository"]);
+  if (shallow.exitCode !== 0 || String(shallow.stdout).trim() !== "true") {
+    return;
+  }
+  const unshallow = await runGitCommand(repoRoot, ["fetch", "--unshallow", "--tags", "origin"]);
+  if (unshallow.exitCode === 0) {
+    return;
+  }
+  const output = `${unshallow.stderr}
+${unshallow.stdout}`.trim();
+  if (/--unshallow on a complete repository|does not make sense/i.test(output)) {
+    return;
+  }
+  throw new Error(`Failed to expand git history for ${repoRoot}: ${output}`);
+}
+async function refreshRemoteBranch(repoRoot, remote, branch) {
+  if (!await hasGitRemote(repoRoot, remote)) {
+    return;
+  }
+  try {
+    await ensureFullGitHistory(repoRoot);
+    const fetch = await runGitCommand(repoRoot, [
+      "fetch",
+      "--prune",
+      "--tags",
+      remote,
+      `+refs/heads/${branch}:refs/remotes/${remote}/${branch}`
+    ]);
+    if (fetch.exitCode !== 0) {
+      return;
+    }
+  } catch {
+    return;
+  }
+}
+async function tryReadGitHead(repoRoot) {
+  if (!existsSync(resolve(repoRoot, ".git"))) {
+    return;
+  }
+  const result = await runGitCommand(repoRoot, ["rev-parse", "HEAD"]);
+  if (result.exitCode !== 0) {
+    return;
+  }
+  const value = String(result.stdout).trim();
+  return value || undefined;
+}
+async function captureRepoDirtyFiles(repoRoot) {
+  if (!existsSync(resolve(repoRoot, ".git"))) {
+    return [];
+  }
+  const files = new Set;
+  for (const args of [
+    ["diff", "--name-only"],
+    ["diff", "--cached", "--name-only"],
+    ["ls-files", "--others", "--exclude-standard"]
+  ]) {
+    const result = await runGitCommand(repoRoot, args);
+    if (result.exitCode !== 0) {
+      continue;
+    }
+    for (const line of String(result.stdout).split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (trimmed) {
+        files.add(trimmed);
+      }
+    }
+  }
+  return [...files].sort();
+}
+function sha256Hex(input) {
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(input);
+  return hasher.digest("hex");
+}
+function registerCredentialCleanup(path) {
+  generatedCredentialFiles.add(path);
+  if (credentialCleanupRegistered) {
+    return;
+  }
+  credentialCleanupRegistered = true;
+  const cleanup = () => {
+    for (const filePath of generatedCredentialFiles) {
+      try {
+        rmSync(filePath, { force: true });
+      } catch {}
+    }
+    generatedCredentialFiles.clear();
+  };
+  process.on("exit", cleanup);
+  process.on("beforeExit", cleanup);
+}
+async function captureStdout(fn) {
+  const chunks = [];
+  const originalWrite = process.stdout.write.bind(process.stdout);
+  const originalLog = console.log;
+  const originalError = console.error;
+  process.stdout.write = (chunk, encoding, cb) => {
+    chunks.push(typeof chunk === "string" ? chunk : Buffer.from(chunk).toString(typeof encoding === "string" ? encoding : undefined));
+    const callback = typeof encoding === "function" ? encoding : cb;
+    callback?.(null);
+    return true;
+  };
+  console.log = (...args) => {
+    chunks.push(`${args.map((value) => String(value)).join(" ")}
+`);
+  };
+  console.error = (...args) => {
+    chunks.push(`${args.map((value) => String(value)).join(" ")}
+`);
+  };
+  try {
+    await fn();
+    return chunks.join("");
+  } finally {
+    process.stdout.write = originalWrite;
+    console.log = originalLog;
+    console.error = originalError;
+  }
+}
+function sanitizeRuntimeRefSegment(value) {
+  return safeGitRefComponent(value, { fallback: "runtime", maxLength: 64 });
+}
+function runtimeBranchBackupName(branch) {
+  const branchId = branch.replace(/^rig\//, "");
+  return `rig-backup/${sanitizeRuntimeRefSegment(branchId)}-${Date.now()}`;
+}
+function hashProjectPath(workspaceDir) {
+  return sha256Hex(workspaceDir).slice(0, 16);
+}
+async function resolveGithubCliAuthToken(ghBinary = "") {
+  const gh = ghBinary || resolveGithubCliBinary();
+  if (!gh) {
+    return "";
+  }
+  const auth = Bun.spawn([gh, "auth", "token"], {
+    stdout: "pipe",
+    stderr: "pipe"
+  });
+  const [exitCode, stdout] = await Promise.all([
+    auth.exited,
+    new Response(auth.stdout).text()
+  ]);
+  if (exitCode !== 0) {
+    return "";
+  }
+  return stdout.trim();
+}
+function resolveSystemCertBundlePath() {
+  const candidates = [
+    process.env.SSL_CERT_FILE?.trim(),
+    "/etc/ssl/cert.pem",
+    "/private/etc/ssl/cert.pem",
+    "/opt/homebrew/etc/openssl@3/cert.pem"
+  ];
+  for (const candidate of candidates) {
+    if (candidate && existsSync(candidate)) {
+      return resolve(candidate);
+    }
+  }
+  return "";
+}
+var __testOnly = {
+  cleanupGeneratedCredentialFiles() {
+    generatedCredentialFiles.clear();
+  }
+};
+function readKnownHosts(path) {
+  if (!existsSync(path)) {
+    return new Set;
+  }
+  return new Set(readFileSync(path, "utf-8").split(/\r?\n/).map((line) => line.trim()).filter(Boolean));
+}
+export {
+  tryReadGitHead,
+  taskRuntimeId,
+  sha256Hex,
+  sanitizeRuntimeRefSegment,
+  runtimeBranchBackupName,
+  runGitCommand,
+  resolveSystemCertBundlePath,
+  resolveMonorepoRoot,
+  resolveHostGitBinary,
+  resolveGithubCliBinary,
+  resolveGithubCliAuthToken,
+  registerCredentialCleanup,
+  refreshRemoteBranch,
+  readKnownHosts,
+  readGitStdout,
+  readGitConfigValue,
+  isRuntimeGatewayGitPath,
+  isRuntimeGatewayGhPath,
+  hashProjectPath,
+  hasGitRemote,
+  ensureFullGitHistory,
+  captureStdout,
+  captureRepoDirtyFiles,
+  agentId,
+  __testOnly
+};

package/dist/src/isolation/toolchain.d.ts

@@ -0,0 +1,71 @@
+import { buildBinary } from "./runtime-binary-build";
+/**
+ * Resolve the per-run hook binary specs + the controlled-bash source path from
+ * the toolchain-source contributions of the loaded plugins. Returns the merged
+ * hook list (guard + lifecycle) and the named standalone sources.
+ */
+export declare function resolveContributedToolchainSources(projectRoot: string): Promise<{
+    hookSources: ReadonlyArray<readonly [name: string, source: string]>;
+    namedSources: Record<string, string>;
+}>;
+import type { RuntimeTaskEntry } from "./types";
+export type RuntimeToolchainConfig = {
+    projectRoot: string;
+    workspaceDir: string;
+    binDir: string;
+    distDir: string;
+    taskId: string;
+    runtimeId: string;
+    manifestPath: string;
+    taskEntry: RuntimeTaskEntry;
+    bakedScopeHash: string;
+    bakedInfoOutput: string;
+    bakedDepsOutput: string;
+    bakedStatusOutput: string;
+    runtimeSecretDefines: Record<string, string>;
+    logsDir: string;
+};
+export declare function prepareTrackedRuntimePaths(logsDir: string, stateDir: string, sessionDir: string): void;
+export declare function initializeRuntimeStateFiles(stateDir: string, sessionDir: string, taskId: string): Promise<void>;
+export declare function resetEphemeralTaskArtifacts(workspaceDir: string, taskId: string): Promise<void>;
+export declare function prepareRuntimeWorkspace(projectRoot: string, workspaceDir: string): void;
+export declare function materializeRuntimeHostToolWrappers(binDir: string): Promise<void>;
+export declare function buildRuntimeToolchain(options: RuntimeToolchainConfig): Promise<void>;
+export declare function writeRuntimeManifest(config: {
+    runtimeRoot: string;
+    workspaceDir: string;
+    runtimeId: string;
+    taskId: string;
+    scopes: string[];
+    binaryPath: string;
+    binDir: string;
+}): Promise<void>;
+export { buildBinary };
+export declare function syncRuntimeWorkspaceSources(projectRoot: string, workspaceDir: string): void;
+declare function restoreTrackedArtifactPathWithRetry(workspaceDir: string, relativePath: string, restorePath: () => Promise<{
+    exitCode: number;
+    output: string;
+}>, options?: {
+    sleep?: (ms: number) => Promise<unknown>;
+    maxRetries?: number;
+    retryDelayMs?: number;
+    now?: () => number;
+    statMtimeMs?: (path: string) => number | null;
+    removeFile?: (path: string) => void;
+    log?: (message: string) => void;
+}): Promise<void>;
+declare function isGitIndexLockError(output: string): boolean;
+declare function parseGitIndexLockPath(output: string): string | null;
+declare function tryClearStaleGitIndexLock(lockPath: string, options: {
+    now: () => number;
+    statMtimeMs: (path: string) => number | null;
+    removeFile: (path: string) => void;
+    log: (message: string) => void;
+}): boolean;
+export declare function runtimeWorktreeId(workspaceDir: string): string;
+export declare const __testOnly: {
+    isGitIndexLockError: typeof isGitIndexLockError;
+    parseGitIndexLockPath: typeof parseGitIndexLockPath;
+    restoreTrackedArtifactPathWithRetry: typeof restoreTrackedArtifactPathWithRetry;
+    tryClearStaleGitIndexLock: typeof tryClearStaleGitIndexLock;
+};