@h-rig/isolation-plugin 0.0.6-alpha.157 → 0.0.6-alpha.159

package/dist/src/sandbox/backend.js

@@ -0,0 +1,864 @@
+// @bun
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+function __accessProp(key) {
+  return this[key];
+}
+var __toCommonJS = (from) => {
+  var entry = (__moduleCache ??= new WeakMap).get(from), desc;
+  if (entry)
+    return entry;
+  entry = __defProp({}, "__esModule", { value: true });
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (var key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(entry, key))
+        __defProp(entry, key, {
+          get: __accessProp.bind(from, key),
+          enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+        });
+  }
+  __moduleCache.set(from, entry);
+  return entry;
+};
+var __moduleCache;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = import.meta.require;
+
+// packages/isolation-plugin/src/sandbox/utils.ts
+import { existsSync as existsSync2, readdirSync, realpathSync } from "fs";
+import { resolve as resolve2 } from "path";
+import { resolveMonorepoRoot } from "@rig/core/layout";
+function toRealPath(path) {
+  if (!existsSync2(path)) {
+    return resolve2(path);
+  }
+  try {
+    return realpathSync.native(path);
+  } catch {
+    return resolve2(path);
+  }
+}
+function resolveHostGitMetadataPaths(projectRoot, workspaceDir) {
+  const candidates = new Set;
+  const addPath = (candidate) => {
+    if (existsSync2(candidate)) {
+      candidates.add(toRealPath(candidate));
+    }
+  };
+  addPath(resolve2(projectRoot, ".git"));
+  addPath(resolve2(workspaceDir, "..", "..", ".git"));
+  for (const repoRoot of resolveHostRepoRootPaths(projectRoot)) {
+    addPath(resolve2(repoRoot, ".git"));
+  }
+  const workspaceGit = resolve2(workspaceDir, ".git");
+  if (existsSync2(workspaceGit)) {
+    addPath(workspaceGit);
+  }
+  return [...candidates];
+}
+function resolveHostRepoRootPaths(projectRoot) {
+  const candidates = new Set;
+  const addPath = (candidate) => {
+    if (existsSync2(candidate)) {
+      candidates.add(toRealPath(candidate));
+    }
+  };
+  try {
+    const monorepoRoot = resolveMonorepoRoot(projectRoot);
+    if (toRealPath(monorepoRoot) !== toRealPath(projectRoot)) {
+      addPath(monorepoRoot);
+    }
+  } catch {}
+  const reposDir = resolve2(projectRoot, "repos");
+  if (existsSync2(reposDir)) {
+    for (const entry of readdirSync(reposDir, { withFileTypes: true })) {
+      if (entry.isDirectory() || entry.isSymbolicLink()) {
+        addPath(resolve2(reposDir, entry.name));
+      }
+    }
+  }
+  return [...candidates];
+}
+function resolveNetworkWithPolicy(sandboxConfig, envOverride) {
+  if (envOverride) {
+    const envValue = parseBooleanEnv(envOverride, sandboxConfig.network);
+    if (envValue !== sandboxConfig.network) {
+      console.warn(`[sandbox] RIG_RUNTIME_SANDBOX_NETWORK=${envOverride} overrides policy sandbox.network=${sandboxConfig.network}`);
+    }
+    return envValue;
+  }
+  return sandboxConfig.network;
+}
+function parseBooleanEnv(raw, fallback) {
+  if (!raw) {
+    return fallback;
+  }
+  const normalized = raw.trim().toLowerCase();
+  if (normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on") {
+    return true;
+  }
+  if (normalized === "0" || normalized === "false" || normalized === "no" || normalized === "off") {
+    return false;
+  }
+  return fallback;
+}
+function uniq(values) {
+  return [...new Set(values)];
+}
+function seatbeltString(value) {
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"")}"`;
+}
+var init_utils = () => {};
+
+// packages/isolation-plugin/src/sandbox/backend-seatbelt.ts
+var exports_backend_seatbelt = {};
+__export(exports_backend_seatbelt, {
+  SeatbeltBackend: () => SeatbeltBackend
+});
+import { mkdirSync, writeFileSync } from "fs";
+import { resolve as resolve3 } from "path";
+
+class SeatbeltBackend {
+  kind = "macos-seatbelt";
+  binaryPath;
+  config;
+  ctx;
+  resolvedPaths;
+  constructor(binaryPath, config, ctx, resolvedPaths) {
+    this.binaryPath = binaryPath;
+    this.config = config;
+    this.ctx = ctx;
+    this.resolvedPaths = resolvedPaths;
+  }
+  wrap(options) {
+    const profilePath = this.writeSeatbeltProfile(options);
+    return {
+      command: [this.binaryPath, "-f", profilePath, ...options.command],
+      enabled: true,
+      backend: "macos-seatbelt",
+      profilePath
+    };
+  }
+  writeSeatbeltProfile(options) {
+    const sandboxDir = resolve3(options.runtime.rootDir, "sandbox");
+    mkdirSync(sandboxDir, { recursive: true });
+    const profilePath = resolve3(sandboxDir, "seatbelt.sb");
+    const profile = this.renderProfile(options);
+    writeFileSync(profilePath, `${profile}
+`, "utf-8");
+    return profilePath;
+  }
+  renderProfile(options) {
+    const { runtime, projectRoot } = options;
+    const { ctx, resolvedPaths, config } = this;
+    const workspaceReal = ctx.realPath(runtime.workspaceDir);
+    const runtimeRootReal = ctx.realPath(runtime.rootDir);
+    const homeReal = ctx.realPath(runtime.homeDir);
+    const tmpReal = ctx.realPath(runtime.tmpDir);
+    const cacheReal = ctx.realPath(runtime.cacheDir);
+    const hostGitDirs = resolveHostGitMetadataPaths(projectRoot, runtime.workspaceDir);
+    const hostRepoRoots = resolveHostRepoRootPaths(projectRoot).map((repoRoot) => ctx.realPath(repoRoot));
+    const bunDir = ctx.realPath(resolvedPaths.bunDir);
+    const claudeDir = resolvedPaths.claudeDir ? ctx.realPath(resolvedPaths.claudeDir) : null;
+    const allowNetwork = resolveNetworkWithPolicy(config, process.env.RIG_RUNTIME_SANDBOX_NETWORK);
+    const lines = [
+      "(version 1)",
+      "(deny default)",
+      '(import "system.sb")',
+      "(allow process*)",
+      "(allow process-info*)",
+      "(allow signal)",
+      "(allow sysctl-read)",
+      "(allow file-read-metadata)"
+    ];
+    if (allowNetwork) {
+      lines.push("(allow network*)");
+    }
+    for (const sysPath of [
+      "/usr/lib",
+      "/usr/bin",
+      "/usr/sbin",
+      "/usr/share",
+      "/bin",
+      "/sbin",
+      "/System",
+      "/Library",
+      "/Library/Frameworks",
+      "/Library/Developer",
+      "/Library/Apple",
+      "/Applications",
+      "/private/var/db",
+      "/opt/homebrew"
+    ]) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(sysPath)}))`);
+    }
+    lines.push(`(allow file-read* (subpath ${seatbeltString(bunDir)}))`);
+    if (claudeDir) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(claudeDir)}))`);
+    }
+    if (resolvedPaths.nodeDir) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(resolvedPaths.nodeDir)}))`);
+    }
+    for (const depPath of resolvedPaths.depRoots) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(depPath)}))`);
+    }
+    for (const rwPath of uniq([
+      workspaceReal,
+      runtimeRootReal,
+      homeReal,
+      tmpReal,
+      cacheReal
+    ])) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(rwPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(rwPath)}))`);
+    }
+    for (const gitPath of hostGitDirs) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(gitPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(gitPath)}))`);
+    }
+    const projectRootReal = ctx.realPath(projectRoot);
+    if (projectRootReal !== workspaceReal && !projectRootReal.startsWith(workspaceReal + "/")) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(projectRootReal)}))`);
+    }
+    for (const repoRoot of hostRepoRoots) {
+      if (!ctx.pathExists(repoRoot) || repoRoot === workspaceReal || repoRoot.startsWith(workspaceReal + "/") || repoRoot === projectRootReal || repoRoot.startsWith(projectRootReal + "/")) {
+        continue;
+      }
+      lines.push(`(allow file-read* (subpath ${seatbeltString(repoRoot)}))`);
+    }
+    const realHome = process.env.HOME?.trim();
+    if (realHome) {
+      for (const binSubdir of [".local/bin", ".cargo/bin"]) {
+        const binPath = resolve3(realHome, binSubdir);
+        if (ctx.pathExists(binPath)) {
+          lines.push(`(allow file-read* (subpath ${seatbeltString(ctx.realPath(binPath))}))`);
+        }
+      }
+    }
+    for (const tempPath of [
+      "/dev",
+      "/tmp",
+      "/private/tmp",
+      "/var/folders",
+      "/private/var/folders"
+    ]) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(tempPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(tempPath)}))`);
+    }
+    return lines.join(`
+`);
+  }
+}
+var init_backend_seatbelt = __esm(() => {
+  init_utils();
+});
+
+// packages/isolation-plugin/src/sandbox/backend-bwrap.ts
+var exports_backend_bwrap = {};
+__export(exports_backend_bwrap, {
+  BwrapBackend: () => BwrapBackend
+});
+import { mkdirSync as mkdirSync2 } from "fs";
+import { resolve as resolve4 } from "path";
+
+class BwrapBackend {
+  kind = "linux-bwrap";
+  binaryPath;
+  config;
+  ctx;
+  resolvedPaths;
+  which;
+  constructor(binaryPath, config, ctx, resolvedPaths, which) {
+    this.binaryPath = binaryPath;
+    this.config = config;
+    this.ctx = ctx;
+    this.resolvedPaths = resolvedPaths;
+    this.which = which ?? ((bin) => Bun.which(bin));
+  }
+  wrap(options) {
+    const command = this.buildCommand(options);
+    return {
+      command,
+      enabled: true,
+      backend: "linux-bwrap"
+    };
+  }
+  buildCommand(options) {
+    const { runtime, projectRoot, command } = options;
+    const { ctx, resolvedPaths, config } = this;
+    const workspaceReal = ctx.realPath(runtime.workspaceDir);
+    const runtimeRootReal = ctx.realPath(runtime.rootDir);
+    const homeReal = ctx.realPath(runtime.homeDir);
+    const tmpReal = ctx.realPath(runtime.tmpDir);
+    const cacheReal = ctx.realPath(runtime.cacheDir);
+    const hostGitDirs = resolveHostGitMetadataPaths(projectRoot, runtime.workspaceDir);
+    const hostRepoRoots = resolveHostRepoRootPaths(projectRoot).map((repoRoot) => ctx.realPath(repoRoot));
+    const bunDir = ctx.realPath(resolvedPaths.bunDir);
+    const claudeDir = resolvedPaths.claudeDir ? ctx.realPath(resolvedPaths.claudeDir) : null;
+    const allowNetwork = resolveNetworkWithPolicy(config, process.env.RIG_RUNTIME_SANDBOX_NETWORK);
+    const args = [
+      this.binaryPath,
+      "--die-with-parent",
+      "--new-session",
+      "--unshare-pid",
+      "--tmpfs",
+      "/",
+      "--ro-bind",
+      "/usr",
+      "/usr",
+      "--ro-bind",
+      "/bin",
+      "/bin",
+      "--ro-bind",
+      "/sbin",
+      "/sbin"
+    ];
+    for (const libPath of ["/lib", "/lib64"]) {
+      if (ctx.pathExists(libPath)) {
+        args.push("--ro-bind", libPath, libPath);
+      }
+    }
+    for (const etcEntry of [
+      "/etc/ld.so.cache",
+      "/etc/ld.so.conf",
+      "/etc/ld.so.conf.d",
+      "/etc/resolv.conf",
+      "/etc/hosts",
+      "/etc/nsswitch.conf",
+      "/etc/gai.conf",
+      "/etc/host.conf",
+      "/etc/ssl",
+      "/etc/ca-certificates",
+      "/etc/pki",
+      "/etc/passwd",
+      "/etc/group",
+      "/etc/localtime",
+      "/etc/timezone",
+      "/etc/locale.conf",
+      "/etc/default/locale"
+    ]) {
+      if (ctx.pathExists(etcEntry)) {
+        args.push("--ro-bind", etcEntry, etcEntry);
+      }
+    }
+    if (ctx.pathExists("/run/systemd/resolve")) {
+      args.push("--ro-bind", "/run/systemd/resolve", "/run/systemd/resolve");
+    }
+    if (ctx.pathExists("/run/nscd")) {
+      args.push("--ro-bind", "/run/nscd", "/run/nscd");
+    }
+    args.push("--ro-bind", bunDir, bunDir);
+    if (claudeDir) {
+      args.push("--ro-bind", claudeDir, claudeDir);
+    }
+    if (resolvedPaths.nodeDir && ctx.pathExists(resolvedPaths.nodeDir)) {
+      args.push("--ro-bind", resolvedPaths.nodeDir, resolvedPaths.nodeDir);
+    }
+    for (const depPath of resolvedPaths.depRoots) {
+      if (ctx.pathExists(depPath)) {
+        args.push("--ro-bind", depPath, depPath);
+      }
+    }
+    const projectRootReal = ctx.realPath(projectRoot);
+    if (projectRootReal !== workspaceReal && !projectRootReal.startsWith(workspaceReal + "/") && ctx.pathExists(projectRootReal)) {
+      args.push("--ro-bind", projectRootReal, projectRootReal);
+    }
+    for (const repoRoot of hostRepoRoots) {
+      if (!ctx.pathExists(repoRoot) || repoRoot === workspaceReal || repoRoot.startsWith(workspaceReal + "/") || repoRoot === projectRootReal || repoRoot.startsWith(projectRootReal + "/")) {
+        continue;
+      }
+      args.push("--ro-bind", repoRoot, repoRoot);
+    }
+    args.push("--bind", workspaceReal, workspaceReal);
+    args.push("--bind", runtimeRootReal, runtimeRootReal);
+    for (const rwPath of uniq([homeReal, tmpReal, cacheReal])) {
+      if (rwPath !== runtimeRootReal && !rwPath.startsWith(runtimeRootReal + "/")) {
+        args.push("--bind", rwPath, rwPath);
+      }
+    }
+    for (const gitPath of hostGitDirs) {
+      if (!ctx.pathExists(gitPath))
+        continue;
+      if (gitPath === runtimeRootReal || gitPath.startsWith(runtimeRootReal + "/"))
+        continue;
+      if (gitPath === workspaceReal || gitPath.startsWith(workspaceReal + "/"))
+        continue;
+      args.push("--bind", gitPath, gitPath);
+    }
+    const realHome = process.env.HOME?.trim();
+    if (realHome) {
+      for (const binSubdir of [".local/bin", ".local/lib", ".cargo/bin"]) {
+        const binPath = ctx.realPath(resolve4(realHome, binSubdir));
+        if (ctx.pathExists(binPath)) {
+          args.push("--ro-bind", binPath, binPath);
+        }
+      }
+      const agentSshDir = resolve4(homeReal, ".ssh");
+      if (ctx.pathExists(agentSshDir)) {
+        args.push("--ro-bind", agentSshDir, agentSshDir);
+      } else {
+        const hostSshDir = resolve4(realHome, ".ssh");
+        if (ctx.pathExists(hostSshDir)) {
+          mkdirSync2(agentSshDir, { recursive: true });
+          args.push("--ro-bind", hostSshDir, agentSshDir);
+          args.push("--ro-bind", hostSshDir, hostSshDir);
+        }
+      }
+    }
+    args.push("--proc", "/proc");
+    args.push("--dev", "/dev");
+    args.push("--tmpfs", "/tmp");
+    args.push("--unsetenv", "CLAUDECODE");
+    args.push("--setenv", "HOME", homeReal);
+    args.push("--setenv", "TMPDIR", "/tmp");
+    args.push("--chdir", workspaceReal);
+    if (!allowNetwork) {
+      args.push("--unshare-net");
+    }
+    args.push("--", ...this.resolveCommandBinary(command));
+    return args;
+  }
+  resolveCommandBinary(command) {
+    if (command.length === 0)
+      return command;
+    const [bin, ...rest] = command;
+    if (!bin)
+      return command;
+    const resolved = this.which(bin);
+    if (!resolved)
+      return command;
+    try {
+      const { realpathSync: realpathSync2 } = __require("fs");
+      const resolvedBinary = realpathSync2(resolved);
+      return [resolvedBinary, ...rest];
+    } catch {
+      return [resolved, ...rest];
+    }
+  }
+}
+var init_backend_bwrap = __esm(() => {
+  init_utils();
+});
+
+// packages/isolation-plugin/src/sandbox/backend.ts
+import { existsSync as existsSync3 } from "fs";
+
+// packages/isolation-plugin/src/runtime-config.ts
+import { existsSync, readFileSync, statSync } from "fs";
+import { resolve } from "path";
+import {
+  POLICY_VERSION
+} from "@rig/contracts";
+var DEFAULT_SCOPE = {
+  fail_closed: true,
+  harness_paths_exempt: true,
+  runtime_paths_exempt: true
+};
+var DEFAULT_SANDBOX = {
+  mode: "enforce",
+  network: true,
+  read_deny: [],
+  write_allow_from_runtime: true
+};
+var DEFAULT_ISOLATION = {
+  default_mode: "worktree",
+  repo_symlink_fallback: false,
+  strict_provisioning: true,
+  fail_closed_on_provision_error: true
+};
+var DEFAULT_COMPLETION = {
+  derive_checks_from_scope: true,
+  checks: [],
+  typescript_config_probe: ["tsconfig.json"],
+  eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+};
+var DEFAULT_RUNTIME_IMAGE = {
+  deps: { monorepo_install: false, hp_next_install: false },
+  plugins_require_binaries: true
+};
+var DEFAULT_RUNTIME_SNAPSHOT = { enabled: true };
+var policyCache = null;
+var policyCachePath = null;
+function loadSandboxConfig(projectRoot) {
+  return loadPolicy(projectRoot).sandbox;
+}
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+function loadPolicy(projectRoot) {
+  const configPath = resolve(projectRoot, "rig/policy/policy.json");
+  if (!existsSync(configPath))
+    return defaultPolicy();
+  let mtimeMs;
+  try {
+    mtimeMs = statSync(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  try {
+    const config = mergeWithDefaults(JSON.parse(readFileSync(configPath, "utf-8")));
+    policyCache = { mtimeMs, config };
+    policyCachePath = configPath;
+    return config;
+  } catch {
+    return defaultPolicy();
+  }
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode))
+    base.mode = parsed.mode;
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const scope = parsed.scope;
+    if (typeof scope.fail_closed === "boolean")
+      base.scope.fail_closed = scope.fail_closed;
+    if (typeof scope.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = scope.harness_paths_exempt;
+    if (typeof scope.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = scope.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules))
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sandbox = parsed.sandbox;
+    if (typeof sandbox.mode === "string" && isValidMode(sandbox.mode))
+      base.sandbox.mode = sandbox.mode;
+    if (typeof sandbox.network === "boolean")
+      base.sandbox.network = sandbox.network;
+    if (Array.isArray(sandbox.read_deny))
+      base.sandbox.read_deny = sandbox.read_deny.filter((value) => typeof value === "string");
+    if (typeof sandbox.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sandbox.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const isolation = parsed.isolation;
+    if (isolation.default_mode === "worktree")
+      base.isolation.default_mode = isolation.default_mode;
+    if (typeof isolation.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = isolation.repo_symlink_fallback;
+    if (typeof isolation.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = isolation.strict_provisioning;
+    if (typeof isolation.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = isolation.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const completion = parsed.completion;
+    if (typeof completion.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = completion.derive_checks_from_scope;
+    if (Array.isArray(completion.checks))
+      base.completion.checks = completion.checks.filter((value) => typeof value === "string");
+    if (Array.isArray(completion.typescript_config_probe))
+      base.completion.typescript_config_probe = completion.typescript_config_probe.filter((value) => typeof value === "string");
+    if (Array.isArray(completion.eslint_config_probe))
+      base.completion.eslint_config_probe = completion.eslint_config_probe.filter((value) => typeof value === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean")
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      if (typeof deps.hp_next_install === "boolean")
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean")
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean")
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const rule = value;
+  return typeof rule.id === "string" && typeof rule.category === "string" && !!rule.match && typeof rule.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    const rule = {
+      id: entry.id,
+      category: "command",
+      match,
+      action: entry.action === "warn" ? "warn" : "block"
+    };
+    if (typeof entry.reason === "string") {
+      rule.description = entry.reason;
+    }
+    rules.push(rule);
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiled = { ...rule };
+    const matchRegex = compileRegex(rule.match?.regex);
+    const unlessRegex = compileRegex(rule.unless?.regex);
+    if (matchRegex) {
+      compiled.compiledRegex = matchRegex;
+    }
+    if (unlessRegex) {
+      compiled.compiledUnlessRegex = unlessRegex;
+    }
+    return compiled;
+  });
+}
+function compileRegex(pattern) {
+  if (!pattern)
+    return;
+  try {
+    return new RegExp(pattern);
+  } catch {
+    return;
+  }
+}
+
+// packages/isolation-plugin/src/sandbox/backend.ts
+init_utils();
+import {
+  resolveBunInstallDir,
+  resolveClaudeInstallDir,
+  resolveNodeInstallDir,
+  resolveRuntimeDependencyRoots
+} from "@rig/core/runtime-paths";
+
+// packages/isolation-plugin/src/sandbox/backend-none.ts
+class NoSandboxBackend {
+  kind = "none";
+  reason;
+  constructor(reason) {
+    this.reason = reason;
+  }
+  wrap(options) {
+    return {
+      command: options.command,
+      enabled: false,
+      backend: "none",
+      ...this.reason !== undefined ? { reason: this.reason } : {}
+    };
+  }
+}
+
+// packages/isolation-plugin/src/sandbox/backend.ts
+class SandboxError extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+    this.name = "SandboxError";
+  }
+}
+function resolveRuntimeSandboxModeWithPolicy(sandboxConfig, envOverride) {
+  if (envOverride) {
+    const normalized = envOverride.trim().toLowerCase();
+    if (normalized === "off" || normalized === "auto" || normalized === "enforce") {
+      if (normalized !== sandboxConfig.mode) {
+        console.warn(`[sandbox] RIG_RUNTIME_SANDBOX=${normalized} overrides policy sandbox.mode=${sandboxConfig.mode}`);
+      }
+      return normalized;
+    }
+  }
+  const policyMode = sandboxConfig.mode;
+  if (policyMode === "off")
+    return "off";
+  if (policyMode === "observe")
+    return "auto";
+  return "enforce";
+}
+var bwrapProbeCache = null;
+async function probeBubblewrap(binary) {
+  if (bwrapProbeCache !== null) {
+    return bwrapProbeCache;
+  }
+  const probe = await Bun.$`${binary} ${["--ro-bind", "/", "/", "--proc", "/proc", "--dev", "/dev", "--", "true"]}`.quiet().nothrow();
+  bwrapProbeCache = probe.exitCode === 0;
+  return bwrapProbeCache;
+}
+async function resolveBackend(projectRoot, options) {
+  const config = loadSandboxConfig(projectRoot);
+  const mode = resolveRuntimeSandboxModeWithPolicy(config, options?.envOverride);
+  const probed = [];
+  if (mode === "off") {
+    return {
+      backend: new NoSandboxBackend,
+      selectedKind: "none",
+      probed,
+      reason: "disabled-by-config"
+    };
+  }
+  const explicitBackend = options?.backendOverride ?? process.env.RIG_SANDBOX_BACKEND?.trim().toLowerCase();
+  const requestedBackend = resolveExplicitBackend(explicitBackend);
+  if (requestedBackend) {
+    if (requestedBackend === "docker") {
+      throw new SandboxError("backend-unavailable", `Backend "docker" is not yet implemented.`);
+    }
+    if (requestedBackend === "none") {
+      return {
+        backend: new NoSandboxBackend("explicit-none"),
+        selectedKind: "none",
+        probed,
+        reason: "explicit-none"
+      };
+    }
+  }
+  const bunDir = resolveBunInstallDir();
+  const claudeDir = (() => {
+    try {
+      return resolveClaudeInstallDir();
+    } catch {
+      return null;
+    }
+  })();
+  const nodeDir = resolveNodeInstallDir();
+  const depRoots = resolveRuntimeDependencyRoots([bunDir, claudeDir, nodeDir].filter(Boolean));
+  const resolvedPaths = {
+    bunDir,
+    claudeDir,
+    nodeDir,
+    depRoots
+  };
+  const fsContext = {
+    pathExists: (p) => existsSync3(p),
+    realPath: toRealPath
+  };
+  if (process.platform === "darwin" && (!requestedBackend || requestedBackend === "macos-seatbelt")) {
+    const seatbelt = Bun.which("sandbox-exec");
+    probed.push("sandbox-exec");
+    if (seatbelt && existsSync3(seatbelt)) {
+      const SeatbeltBackendClass = loadSeatbeltBackend();
+      if (SeatbeltBackendClass) {
+        return {
+          backend: new SeatbeltBackendClass(seatbelt, config, fsContext, resolvedPaths),
+          selectedKind: "macos-seatbelt",
+          probed,
+          reason: "detected-seatbelt"
+        };
+      }
+      return handleUnavailableBackend(mode, probed, "macos-seatbelt", "Seatbelt sandbox backend module failed to load.", "seatbelt-backend-module-unavailable", { explicit: requestedBackend === "macos-seatbelt" });
+    }
+  }
+  if (process.platform === "linux" && (!requestedBackend || requestedBackend === "linux-bwrap")) {
+    const bwrap = Bun.which("bwrap");
+    probed.push("bwrap");
+    if (bwrap && await probeBubblewrap(bwrap)) {
+      const BwrapBackendClass = loadBwrapBackend();
+      if (BwrapBackendClass) {
+        return {
+          backend: new BwrapBackendClass(bwrap, config, fsContext, resolvedPaths),
+          selectedKind: "linux-bwrap",
+          probed,
+          reason: "detected-bwrap"
+        };
+      }
+      return handleUnavailableBackend(mode, probed, "linux-bwrap", "Bubblewrap sandbox backend module failed to load.", "bwrap-backend-module-unavailable", { explicit: requestedBackend === "linux-bwrap" });
+    }
+  }
+  if (requestedBackend) {
+    return handleUnavailableBackend(mode, probed, requestedBackend, `Explicit sandbox backend "${requestedBackend}" is unavailable on ${process.platform}.`, "explicit-backend-unavailable", { explicit: true });
+  }
+  if (mode === "enforce") {
+    throw new SandboxError("backend-unavailable", `Runtime sandbox required (mode=enforce) but no backend available. Probed: ${probed.join(", ")}`);
+  }
+  return {
+    backend: new NoSandboxBackend("sandbox-backend-unavailable"),
+    selectedKind: "none",
+    probed,
+    reason: "sandbox-backend-unavailable"
+  };
+}
+function resolveExplicitBackend(explicitBackend) {
+  if (!explicitBackend) {
+    return null;
+  }
+  switch (explicitBackend) {
+    case "none":
+    case "macos-seatbelt":
+    case "linux-bwrap":
+    case "docker":
+      return explicitBackend;
+    default:
+      throw new SandboxError("backend-unavailable", `Unknown sandbox backend "${explicitBackend}".`);
+  }
+}
+function loadSeatbeltBackend() {
+  try {
+    const mod = (init_backend_seatbelt(), __toCommonJS(exports_backend_seatbelt));
+    return mod.SeatbeltBackend ?? null;
+  } catch {
+    return null;
+  }
+}
+function loadBwrapBackend() {
+  try {
+    const mod = (init_backend_bwrap(), __toCommonJS(exports_backend_bwrap));
+    return mod.BwrapBackend ?? null;
+  } catch {
+    return null;
+  }
+}
+function handleUnavailableBackend(mode, probed, detectedKind, message, reason, options) {
+  if (mode === "enforce" || options?.explicit) {
+    throw new SandboxError("backend-unavailable", `${message} Probed: ${probed.join(", ")}`);
+  }
+  return {
+    backend: new NoSandboxBackend(reason),
+    selectedKind: "none",
+    probed,
+    reason: `${reason}:${detectedKind}`
+  };
+}
+export {
+  resolveRuntimeSandboxModeWithPolicy,
+  resolveBackend,
+  SandboxError
+};