@h-rig/runtime 0.0.6-alpha.0

package/dist/src/control-plane/runtime/isolation/runner.js

@@ -0,0 +1,2651 @@
+// @bun
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+function __accessProp(key) {
+  return this[key];
+}
+var __toCommonJS = (from) => {
+  var entry = (__moduleCache ??= new WeakMap).get(from), desc;
+  if (entry)
+    return entry;
+  entry = __defProp({}, "__esModule", { value: true });
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (var key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(entry, key))
+        __defProp(entry, key, {
+          get: __accessProp.bind(from, key),
+          enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+        });
+  }
+  __moduleCache.set(from, entry);
+  return entry;
+};
+var __moduleCache;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = import.meta.require;
+
+// packages/runtime/src/layout.ts
+import { existsSync } from "fs";
+import { basename, dirname, resolve } from "path";
+function resolveMonorepoRoot(projectRoot) {
+  const normalizedProjectRoot = resolve(projectRoot);
+  const explicit = process.env.MONOREPO_ROOT?.trim();
+  if (explicit) {
+    const explicitRoot = resolve(explicit);
+    const explicitParent = dirname(explicitRoot);
+    if (basename(explicitParent) === ".worktrees") {
+      const owner = dirname(explicitParent);
+      const ownerHasGit = existsSync(resolve(owner, ".git"));
+      const ownerHasTaskConfig = existsSync(resolve(owner, ".rig", "task-config.json"));
+      const ownerHasRigConfig = existsSync(resolve(owner, "rig.config.ts"));
+      if (ownerHasGit && (ownerHasTaskConfig || ownerHasRigConfig)) {
+        return owner;
+      }
+      throw new Error(`MONOREPO_ROOT points to worktree ${explicitRoot}, but the owner checkout is incomplete at ${owner}.`);
+    }
+    if (!existsSync(resolve(explicitRoot, ".git"))) {
+      throw new Error(`MONOREPO_ROOT points to ${explicitRoot}, but no git checkout was found there.`);
+    }
+    const hasTaskConfig = existsSync(resolve(explicitRoot, ".rig", "task-config.json"));
+    const hasRigConfig = existsSync(resolve(explicitRoot, "rig.config.ts"));
+    if (!hasTaskConfig && !hasRigConfig) {
+      throw new Error(`MONOREPO_ROOT points to ${explicitRoot}, but neither .rig/task-config.json nor rig.config.ts exists there.`);
+    }
+    return explicitRoot;
+  }
+  const projectParent = dirname(normalizedProjectRoot);
+  if (basename(projectParent) === ".worktrees") {
+    const worktreeOwner = dirname(projectParent);
+    const ownerHasGit = existsSync(resolve(worktreeOwner, ".git"));
+    const ownerHasTaskConfig = existsSync(resolve(worktreeOwner, ".rig", "task-config.json"));
+    const ownerHasRigConfig = existsSync(resolve(worktreeOwner, "rig.config.ts"));
+    if (ownerHasGit && (ownerHasTaskConfig || ownerHasRigConfig)) {
+      return worktreeOwner;
+    }
+  }
+  return normalizedProjectRoot;
+}
+function resolveRuntimeWorkspaceLayout(workspaceDir) {
+  const root = resolve(workspaceDir);
+  const rigRoot = resolve(root, ".rig");
+  const logsDir = resolve(rigRoot, "logs");
+  const stateDir = resolve(rigRoot, "state");
+  const runtimeDir = resolve(rigRoot, "runtime");
+  const binDir = resolve(rigRoot, "bin");
+  return {
+    workspaceDir: root,
+    rigRoot,
+    stateDir,
+    logsDir,
+    artifactsRoot: resolve(root, RIG_ARTIFACTS_DIRNAME),
+    runtimeDir,
+    homeDir: resolve(rigRoot, "home"),
+    tmpDir: resolve(rigRoot, "tmp"),
+    cacheDir: resolve(rigRoot, "cache"),
+    sessionDir: resolve(rigRoot, "session"),
+    binDir,
+    distDir: resolve(rigRoot, "dist"),
+    pluginBinDir: resolve(binDir, "plugins"),
+    contextPath: resolve(rigRoot, "runtime-context.json"),
+    controlPlaneEventsFile: resolve(logsDir, "control-plane.events.jsonl")
+  };
+}
+var RIG_ARTIFACTS_DIRNAME = "artifacts";
+var init_layout = () => {};
+
+// packages/runtime/src/control-plane/runtime/sandbox/utils.ts
+import { existsSync as existsSync4, readdirSync, realpathSync } from "fs";
+import { resolve as resolve4 } from "path";
+function toRealPath(path) {
+  if (!existsSync4(path)) {
+    return resolve4(path);
+  }
+  try {
+    return realpathSync.native(path);
+  } catch {
+    return resolve4(path);
+  }
+}
+function resolveHostGitMetadataPaths(projectRoot, workspaceDir) {
+  const candidates = new Set;
+  const addPath = (candidate) => {
+    if (existsSync4(candidate)) {
+      candidates.add(toRealPath(candidate));
+    }
+  };
+  addPath(resolve4(projectRoot, ".git"));
+  addPath(resolve4(workspaceDir, "..", "..", ".git"));
+  for (const repoRoot of resolveHostRepoRootPaths(projectRoot)) {
+    addPath(resolve4(repoRoot, ".git"));
+  }
+  const workspaceGit = resolve4(workspaceDir, ".git");
+  if (existsSync4(workspaceGit)) {
+    addPath(workspaceGit);
+  }
+  return [...candidates];
+}
+function resolveHostRepoRootPaths(projectRoot) {
+  const candidates = new Set;
+  const addPath = (candidate) => {
+    if (existsSync4(candidate)) {
+      candidates.add(toRealPath(candidate));
+    }
+  };
+  try {
+    const monorepoRoot = resolveMonorepoRoot(projectRoot);
+    if (toRealPath(monorepoRoot) !== toRealPath(projectRoot)) {
+      addPath(monorepoRoot);
+    }
+  } catch {}
+  const reposDir = resolve4(projectRoot, "repos");
+  if (existsSync4(reposDir)) {
+    for (const entry of readdirSync(reposDir, { withFileTypes: true })) {
+      if (entry.isDirectory() || entry.isSymbolicLink()) {
+        addPath(resolve4(reposDir, entry.name));
+      }
+    }
+  }
+  return [...candidates];
+}
+function resolveNetworkWithPolicy(sandboxConfig, envOverride) {
+  if (envOverride) {
+    const envValue = parseBooleanEnv(envOverride, sandboxConfig.network);
+    if (envValue !== sandboxConfig.network) {
+      console.warn(`[sandbox] RIG_RUNTIME_SANDBOX_NETWORK=${envOverride} overrides policy sandbox.network=${sandboxConfig.network}`);
+    }
+    return envValue;
+  }
+  return sandboxConfig.network;
+}
+function parseBooleanEnv(raw, fallback) {
+  if (!raw) {
+    return fallback;
+  }
+  const normalized = raw.trim().toLowerCase();
+  if (normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on") {
+    return true;
+  }
+  if (normalized === "0" || normalized === "false" || normalized === "no" || normalized === "off") {
+    return false;
+  }
+  return fallback;
+}
+function uniq(values) {
+  return [...new Set(values)];
+}
+function seatbeltString(value) {
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"")}"`;
+}
+var init_utils = __esm(() => {
+  init_layout();
+});
+
+// packages/runtime/src/control-plane/runtime/sandbox/backend-seatbelt.ts
+var exports_backend_seatbelt = {};
+__export(exports_backend_seatbelt, {
+  SeatbeltBackend: () => SeatbeltBackend
+});
+import { mkdirSync as mkdirSync2, writeFileSync } from "fs";
+import { resolve as resolve6 } from "path";
+
+class SeatbeltBackend {
+  kind = "macos-seatbelt";
+  binaryPath;
+  config;
+  ctx;
+  resolvedPaths;
+  constructor(binaryPath, config, ctx, resolvedPaths) {
+    this.binaryPath = binaryPath;
+    this.config = config;
+    this.ctx = ctx;
+    this.resolvedPaths = resolvedPaths;
+  }
+  wrap(options) {
+    const profilePath = this.writeSeatbeltProfile(options);
+    return {
+      command: [this.binaryPath, "-f", profilePath, ...options.command],
+      enabled: true,
+      backend: "macos-seatbelt",
+      profilePath
+    };
+  }
+  writeSeatbeltProfile(options) {
+    const sandboxDir = resolve6(options.runtime.rootDir, "sandbox");
+    mkdirSync2(sandboxDir, { recursive: true });
+    const profilePath = resolve6(sandboxDir, "seatbelt.sb");
+    const profile = this.renderProfile(options);
+    writeFileSync(profilePath, `${profile}
+`, "utf-8");
+    return profilePath;
+  }
+  renderProfile(options) {
+    const { runtime, projectRoot } = options;
+    const { ctx, resolvedPaths, config } = this;
+    const workspaceReal = ctx.realPath(runtime.workspaceDir);
+    const runtimeRootReal = ctx.realPath(runtime.rootDir);
+    const homeReal = ctx.realPath(runtime.homeDir);
+    const tmpReal = ctx.realPath(runtime.tmpDir);
+    const cacheReal = ctx.realPath(runtime.cacheDir);
+    const hostGitDirs = resolveHostGitMetadataPaths(projectRoot, runtime.workspaceDir);
+    const hostRepoRoots = resolveHostRepoRootPaths(projectRoot).map((repoRoot) => ctx.realPath(repoRoot));
+    const bunDir = ctx.realPath(resolvedPaths.bunDir);
+    const claudeDir = resolvedPaths.claudeDir ? ctx.realPath(resolvedPaths.claudeDir) : null;
+    const allowNetwork = resolveNetworkWithPolicy(config, process.env.RIG_RUNTIME_SANDBOX_NETWORK);
+    const lines = [
+      "(version 1)",
+      "(deny default)",
+      '(import "system.sb")',
+      "(allow process*)",
+      "(allow process-info*)",
+      "(allow signal)",
+      "(allow sysctl-read)",
+      "(allow file-read-metadata)"
+    ];
+    if (allowNetwork) {
+      lines.push("(allow network*)");
+    }
+    for (const sysPath of [
+      "/usr/lib",
+      "/usr/bin",
+      "/usr/sbin",
+      "/usr/share",
+      "/bin",
+      "/sbin",
+      "/System",
+      "/Library",
+      "/Library/Frameworks",
+      "/Library/Developer",
+      "/Library/Apple",
+      "/Applications",
+      "/private/var/db",
+      "/opt/homebrew"
+    ]) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(sysPath)}))`);
+    }
+    lines.push(`(allow file-read* (subpath ${seatbeltString(bunDir)}))`);
+    if (claudeDir) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(claudeDir)}))`);
+    }
+    if (resolvedPaths.nodeDir) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(resolvedPaths.nodeDir)}))`);
+    }
+    for (const depPath of resolvedPaths.depRoots) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(depPath)}))`);
+    }
+    for (const rwPath of uniq([
+      workspaceReal,
+      runtimeRootReal,
+      homeReal,
+      tmpReal,
+      cacheReal
+    ])) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(rwPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(rwPath)}))`);
+    }
+    for (const gitPath of hostGitDirs) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(gitPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(gitPath)}))`);
+    }
+    const projectRootReal = ctx.realPath(projectRoot);
+    if (projectRootReal !== workspaceReal && !projectRootReal.startsWith(workspaceReal + "/")) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(projectRootReal)}))`);
+    }
+    for (const repoRoot of hostRepoRoots) {
+      if (!ctx.pathExists(repoRoot) || repoRoot === workspaceReal || repoRoot.startsWith(workspaceReal + "/") || repoRoot === projectRootReal || repoRoot.startsWith(projectRootReal + "/")) {
+        continue;
+      }
+      lines.push(`(allow file-read* (subpath ${seatbeltString(repoRoot)}))`);
+    }
+    const realHome = process.env.HOME?.trim();
+    if (realHome) {
+      for (const binSubdir of [".local/bin", ".cargo/bin"]) {
+        const binPath = resolve6(realHome, binSubdir);
+        if (ctx.pathExists(binPath)) {
+          lines.push(`(allow file-read* (subpath ${seatbeltString(ctx.realPath(binPath))}))`);
+        }
+      }
+    }
+    for (const tempPath of [
+      "/dev",
+      "/tmp",
+      "/private/tmp",
+      "/var/folders",
+      "/private/var/folders"
+    ]) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(tempPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(tempPath)}))`);
+    }
+    return lines.join(`
+`);
+  }
+}
+var init_backend_seatbelt = __esm(() => {
+  init_utils();
+});
+
+// packages/runtime/src/control-plane/runtime/sandbox/backend-bwrap.ts
+var exports_backend_bwrap = {};
+__export(exports_backend_bwrap, {
+  BwrapBackend: () => BwrapBackend
+});
+import { mkdirSync as mkdirSync3 } from "fs";
+import { resolve as resolve7 } from "path";
+
+class BwrapBackend {
+  kind = "linux-bwrap";
+  binaryPath;
+  config;
+  ctx;
+  resolvedPaths;
+  which;
+  constructor(binaryPath, config, ctx, resolvedPaths, which) {
+    this.binaryPath = binaryPath;
+    this.config = config;
+    this.ctx = ctx;
+    this.resolvedPaths = resolvedPaths;
+    this.which = which ?? ((bin) => Bun.which(bin));
+  }
+  wrap(options) {
+    const command = this.buildCommand(options);
+    return {
+      command,
+      enabled: true,
+      backend: "linux-bwrap"
+    };
+  }
+  buildCommand(options) {
+    const { runtime, projectRoot, command } = options;
+    const { ctx, resolvedPaths, config } = this;
+    const workspaceReal = ctx.realPath(runtime.workspaceDir);
+    const runtimeRootReal = ctx.realPath(runtime.rootDir);
+    const homeReal = ctx.realPath(runtime.homeDir);
+    const tmpReal = ctx.realPath(runtime.tmpDir);
+    const cacheReal = ctx.realPath(runtime.cacheDir);
+    const hostGitDirs = resolveHostGitMetadataPaths(projectRoot, runtime.workspaceDir);
+    const hostRepoRoots = resolveHostRepoRootPaths(projectRoot).map((repoRoot) => ctx.realPath(repoRoot));
+    const bunDir = ctx.realPath(resolvedPaths.bunDir);
+    const claudeDir = resolvedPaths.claudeDir ? ctx.realPath(resolvedPaths.claudeDir) : null;
+    const allowNetwork = resolveNetworkWithPolicy(config, process.env.RIG_RUNTIME_SANDBOX_NETWORK);
+    const args = [
+      this.binaryPath,
+      "--die-with-parent",
+      "--new-session",
+      "--unshare-pid",
+      "--tmpfs",
+      "/",
+      "--ro-bind",
+      "/usr",
+      "/usr",
+      "--ro-bind",
+      "/bin",
+      "/bin",
+      "--ro-bind",
+      "/sbin",
+      "/sbin"
+    ];
+    for (const libPath of ["/lib", "/lib64"]) {
+      if (ctx.pathExists(libPath)) {
+        args.push("--ro-bind", libPath, libPath);
+      }
+    }
+    for (const etcEntry of [
+      "/etc/ld.so.cache",
+      "/etc/ld.so.conf",
+      "/etc/ld.so.conf.d",
+      "/etc/resolv.conf",
+      "/etc/hosts",
+      "/etc/nsswitch.conf",
+      "/etc/gai.conf",
+      "/etc/host.conf",
+      "/etc/ssl",
+      "/etc/ca-certificates",
+      "/etc/pki",
+      "/etc/passwd",
+      "/etc/group",
+      "/etc/localtime",
+      "/etc/timezone",
+      "/etc/locale.conf",
+      "/etc/default/locale"
+    ]) {
+      if (ctx.pathExists(etcEntry)) {
+        args.push("--ro-bind", etcEntry, etcEntry);
+      }
+    }
+    if (ctx.pathExists("/run/systemd/resolve")) {
+      args.push("--ro-bind", "/run/systemd/resolve", "/run/systemd/resolve");
+    }
+    if (ctx.pathExists("/run/nscd")) {
+      args.push("--ro-bind", "/run/nscd", "/run/nscd");
+    }
+    args.push("--ro-bind", bunDir, bunDir);
+    if (claudeDir) {
+      args.push("--ro-bind", claudeDir, claudeDir);
+    }
+    if (resolvedPaths.nodeDir && ctx.pathExists(resolvedPaths.nodeDir)) {
+      args.push("--ro-bind", resolvedPaths.nodeDir, resolvedPaths.nodeDir);
+    }
+    for (const depPath of resolvedPaths.depRoots) {
+      if (ctx.pathExists(depPath)) {
+        args.push("--ro-bind", depPath, depPath);
+      }
+    }
+    const projectRootReal = ctx.realPath(projectRoot);
+    if (projectRootReal !== workspaceReal && !projectRootReal.startsWith(workspaceReal + "/") && ctx.pathExists(projectRootReal)) {
+      args.push("--ro-bind", projectRootReal, projectRootReal);
+    }
+    for (const repoRoot of hostRepoRoots) {
+      if (!ctx.pathExists(repoRoot) || repoRoot === workspaceReal || repoRoot.startsWith(workspaceReal + "/") || repoRoot === projectRootReal || repoRoot.startsWith(projectRootReal + "/")) {
+        continue;
+      }
+      args.push("--ro-bind", repoRoot, repoRoot);
+    }
+    args.push("--bind", workspaceReal, workspaceReal);
+    args.push("--bind", runtimeRootReal, runtimeRootReal);
+    for (const rwPath of uniq([homeReal, tmpReal, cacheReal])) {
+      if (rwPath !== runtimeRootReal && !rwPath.startsWith(runtimeRootReal + "/")) {
+        args.push("--bind", rwPath, rwPath);
+      }
+    }
+    for (const gitPath of hostGitDirs) {
+      if (!ctx.pathExists(gitPath))
+        continue;
+      if (gitPath === runtimeRootReal || gitPath.startsWith(runtimeRootReal + "/"))
+        continue;
+      if (gitPath === workspaceReal || gitPath.startsWith(workspaceReal + "/"))
+        continue;
+      args.push("--bind", gitPath, gitPath);
+    }
+    const realHome = process.env.HOME?.trim();
+    if (realHome) {
+      for (const binSubdir of [".local/bin", ".local/lib", ".cargo/bin"]) {
+        const binPath = ctx.realPath(resolve7(realHome, binSubdir));
+        if (ctx.pathExists(binPath)) {
+          args.push("--ro-bind", binPath, binPath);
+        }
+      }
+      const agentSshDir = resolve7(homeReal, ".ssh");
+      if (ctx.pathExists(agentSshDir)) {
+        args.push("--ro-bind", agentSshDir, agentSshDir);
+      } else {
+        const hostSshDir = resolve7(realHome, ".ssh");
+        if (ctx.pathExists(hostSshDir)) {
+          mkdirSync3(agentSshDir, { recursive: true });
+          args.push("--ro-bind", hostSshDir, agentSshDir);
+          args.push("--ro-bind", hostSshDir, hostSshDir);
+        }
+      }
+    }
+    args.push("--proc", "/proc");
+    args.push("--dev", "/dev");
+    args.push("--tmpfs", "/tmp");
+    args.push("--unsetenv", "CLAUDECODE");
+    args.push("--setenv", "HOME", homeReal);
+    args.push("--setenv", "TMPDIR", "/tmp");
+    args.push("--chdir", workspaceReal);
+    if (!allowNetwork) {
+      args.push("--unshare-net");
+    }
+    args.push("--", ...this.resolveCommandBinary(command));
+    return args;
+  }
+  resolveCommandBinary(command) {
+    if (command.length === 0)
+      return command;
+    const [bin, ...rest] = command;
+    if (!bin)
+      return command;
+    const resolved = this.which(bin);
+    if (!resolved)
+      return command;
+    try {
+      const { realpathSync: realpathSync3 } = __require("fs");
+      const resolvedBinary = realpathSync3(resolved);
+      return [resolvedBinary, ...rest];
+    } catch {
+      return [resolved, ...rest];
+    }
+  }
+}
+var init_backend_bwrap = __esm(() => {
+  init_utils();
+});
+
+// packages/runtime/src/control-plane/runtime/isolation/runner.ts
+import { existsSync as existsSync10, rmSync as rmSync3, writeFileSync as writeFileSync4 } from "fs";
+import { basename as basename5, resolve as resolve16 } from "path";
+
+// packages/runtime/src/control-plane/runtime/sandbox/backend.ts
+import { existsSync as existsSync6 } from "fs";
+
+// packages/runtime/src/control-plane/runtime/guard.ts
+import { optimizeNextInvocation } from "bun:jsc";
+import { existsSync as existsSync3, readFileSync, statSync as statSync2 } from "fs";
+import { resolve as resolve3 } from "path";
+
+// packages/runtime/src/control-plane/native/utils.ts
+import { ptr as ptr2 } from "bun:ffi";
+init_layout();
+
+// packages/runtime/src/control-plane/native/runtime-native.ts
+import { dlopen, ptr, suffix, toBuffer } from "bun:ffi";
+import { copyFileSync, existsSync as existsSync2, mkdirSync, renameSync, rmSync, statSync } from "fs";
+import { tmpdir } from "os";
+import { dirname as dirname2, resolve as resolve2 } from "path";
+var sharedNativeRuntimeOutputDir = resolve2(tmpdir(), "rig-native");
+var sharedNativeRuntimeOutputPath = resolve2(sharedNativeRuntimeOutputDir, `runtime-native-${process.platform}-${process.arch}.${suffix}`);
+var colocatedNativeRuntimeFileName = `runtime-native.${suffix}`;
+var nativeRuntimeLibrary = await loadNativeRuntimeLibrary();
+function requireNativeRuntimeLibrary(feature) {
+  if (!nativeRuntimeLibrary) {
+    throw new Error(`Native Zig runtime is required for ${feature}`);
+  }
+  return nativeRuntimeLibrary;
+}
+async function ensureNativeRuntimeLibraryPath(outputPath = sharedNativeRuntimeOutputPath, options = {}) {
+  if (await buildNativeRuntimeLibrary(outputPath, options)) {
+    return outputPath;
+  }
+  return !options.force && existsSync2(outputPath) ? outputPath : null;
+}
+async function materializeNativeRuntimeLibrary(targetDir) {
+  const sourcePath = await ensureNativeRuntimeLibraryPath();
+  if (!sourcePath) {
+    return null;
+  }
+  const targetPath = resolve2(targetDir, colocatedNativeRuntimeFileName);
+  mkdirSync(targetDir, { recursive: true });
+  const needsCopy = !existsSync2(targetPath) || statSync(sourcePath).mtimeMs > statSync(targetPath).mtimeMs;
+  if (needsCopy) {
+    copyFileSync(sourcePath, targetPath);
+  }
+  return targetPath;
+}
+async function loadNativeRuntimeLibrary() {
+  if (process.env.RIG_DISABLE_ZIG_NATIVE === "1") {
+    return null;
+  }
+  for (const candidate of nativeRuntimeLibraryCandidates()) {
+    if (!candidate || !existsSync2(candidate)) {
+      continue;
+    }
+    const loaded = tryDlopenNativeRuntimeLibrary(candidate);
+    if (loaded) {
+      return loaded;
+    }
+  }
+  const builtLibraryPath = await ensureNativeRuntimeLibraryPath(sharedNativeRuntimeOutputPath, { force: true });
+  if (!builtLibraryPath) {
+    return null;
+  }
+  return tryDlopenNativeRuntimeLibrary(builtLibraryPath);
+}
+function nativePackageLibraryCandidates(fromDir, names) {
+  const candidates = [];
+  let cursor = resolve2(fromDir);
+  for (let index = 0;index < 8; index += 1) {
+    for (const name of names) {
+      candidates.push(resolve2(cursor, "native", `${process.platform}-${process.arch}`, name), resolve2(cursor, "native", `${process.platform}-${process.arch}`, "lib", name), resolve2(cursor, "native", name), resolve2(cursor, "native", "lib", name));
+    }
+    const parent = dirname2(cursor);
+    if (parent === cursor)
+      break;
+    cursor = parent;
+  }
+  return candidates;
+}
+function nativeRuntimeLibraryCandidates() {
+  const explicit = process.env.RIG_NATIVE_RUNTIME_LIB?.trim() || "";
+  const execDir = process.execPath?.trim() ? dirname2(process.execPath.trim()) : "";
+  const platformSpecific = `runtime-native-${process.platform}-${process.arch}.${suffix}`;
+  return [...new Set([
+    explicit,
+    ...nativePackageLibraryCandidates(import.meta.dir, [colocatedNativeRuntimeFileName, platformSpecific]),
+    execDir ? resolve2(execDir, colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, platformSpecific) : "",
+    execDir ? resolve2(execDir, "..", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, "..", platformSpecific) : "",
+    execDir ? resolve2(execDir, "lib", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve2(execDir, "..", "lib", colocatedNativeRuntimeFileName) : "",
+    sharedNativeRuntimeOutputPath
+  ].filter(Boolean))];
+}
+function resolveNativeRuntimeSourcePath() {
+  const explicit = process.env.RIG_NATIVE_RUNTIME_SOURCE?.trim();
+  if (explicit && existsSync2(explicit)) {
+    return explicit;
+  }
+  const bundled = resolve2(import.meta.dir, "../../../native/snapshot.zig");
+  return existsSync2(bundled) ? bundled : null;
+}
+async function buildNativeRuntimeLibrary(outputPath, options = {}) {
+  if (process.env.RIG_DISABLE_ZIG_NATIVE === "1") {
+    return false;
+  }
+  const zigBinary = Bun.which("zig");
+  const sourcePath = resolveNativeRuntimeSourcePath();
+  if (!zigBinary || !sourcePath) {
+    return false;
+  }
+  const tempOutputPath = `${outputPath}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2)}.tmp`;
+  try {
+    mkdirSync(dirname2(outputPath), { recursive: true });
+    const needsBuild = options.force === true || !existsSync2(outputPath) || statSync(sourcePath).mtimeMs > statSync(outputPath).mtimeMs;
+    if (!needsBuild) {
+      return true;
+    }
+    const build = Bun.spawn([
+      zigBinary,
+      "build-lib",
+      sourcePath,
+      "-dynamic",
+      "-O",
+      "ReleaseFast",
+      `-femit-bin=${tempOutputPath}`
+    ], {
+      cwd: import.meta.dir,
+      stdout: "pipe",
+      stderr: "pipe"
+    });
+    const exitCode = await build.exited;
+    if (exitCode !== 0 || !existsSync2(tempOutputPath)) {
+      rmSync(tempOutputPath, { force: true });
+      return false;
+    }
+    renameSync(tempOutputPath, outputPath);
+    return true;
+  } catch {
+    rmSync(tempOutputPath, { force: true });
+    return false;
+  }
+}
+function tryDlopenNativeRuntimeLibrary(outputPath) {
+  try {
+    return dlopen(outputPath, {
+      rig_scope_match: {
+        args: ["ptr", "ptr"],
+        returns: "u8"
+      },
+      snapshot_capture: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_delta: {
+        args: ["ptr", "ptr"],
+        returns: "ptr"
+      },
+      snapshot_store_delta: {
+        args: ["ptr", "ptr", "ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_inspect_delta: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_apply_delta: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_release: {
+        args: ["ptr"],
+        returns: "void"
+      },
+      runtime_hash_file: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_hash_tree: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_prepare_paths: {
+        args: ["ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_link_dependency_layer: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_scan_worktrees: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      }
+    });
+  } catch {
+    return null;
+  }
+}
+
+// packages/runtime/src/control-plane/native/scope-rules.ts
+var activeRules = null;
+function getScopeRules() {
+  return activeRules;
+}
+
+// packages/runtime/src/control-plane/native/utils.ts
+function resolveMonorepoRoot2(projectRoot) {
+  return resolveMonorepoRoot(projectRoot);
+}
+var nativeScopeMatcher = null;
+var scopeRegexCache = new Map;
+function unique(values) {
+  return [...new Set(values)];
+}
+function normalizeRelativeScopePath(inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  const rules = getScopeRules();
+  if (rules?.stripPrefixes) {
+    for (const prefix of rules.stripPrefixes) {
+      if (normalized.startsWith(prefix)) {
+        normalized = normalized.slice(prefix.length);
+      }
+    }
+  }
+  return normalized;
+}
+function normalizePathToScope(projectRoot, monorepoRoot, inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  if (normalized.startsWith(projectRoot + "/")) {
+    normalized = normalized.slice(projectRoot.length + 1);
+  }
+  if (normalized.startsWith(monorepoRoot + "/")) {
+    normalized = normalized.slice(monorepoRoot.length + 1);
+  }
+  return normalizeRelativeScopePath(normalized);
+}
+function scopeMatches(path, scopes) {
+  const matcher = getNativeScopeMatcher();
+  const pathVariants = unique([path, normalizeRelativeScopePath(path)]);
+  for (const scope of scopes) {
+    const scopeVariants = unique([scope, normalizeRelativeScopePath(scope)]);
+    for (const candidatePath of pathVariants) {
+      for (const candidateScope of scopeVariants) {
+        if (candidatePath === candidateScope) {
+          return true;
+        }
+        if (matcher.match(candidateScope, candidatePath)) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
+function getNativeScopeMatcher() {
+  if (nativeScopeMatcher) {
+    return nativeScopeMatcher;
+  }
+  nativeScopeMatcher = createNativeScopeMatcher();
+  return nativeScopeMatcher;
+}
+function createNativeScopeMatcher() {
+  const library = requireNativeRuntimeLibrary("scope matching");
+  return {
+    match: (pattern, path) => {
+      const patternBuffer = Buffer.from(`${pattern}\x00`);
+      const pathBuffer = Buffer.from(`${path}\x00`);
+      return library.symbols.rig_scope_match(Number(ptr2(patternBuffer)), Number(ptr2(pathBuffer))) !== 0;
+    }
+  };
+}
+
+// packages/runtime/src/control-plane/runtime/guard-types.ts
+var POLICY_VERSION = 1;
+
+// packages/runtime/src/control-plane/runtime/guard.ts
+var DEFAULT_SCOPE = {
+  fail_closed: true,
+  harness_paths_exempt: true,
+  runtime_paths_exempt: true
+};
+var DEFAULT_SANDBOX = {
+  mode: "enforce",
+  network: true,
+  read_deny: [],
+  write_allow_from_runtime: true
+};
+var DEFAULT_ISOLATION = {
+  default_mode: "worktree",
+  repo_symlink_fallback: false,
+  strict_provisioning: true,
+  fail_closed_on_provision_error: true
+};
+var DEFAULT_COMPLETION = {
+  derive_checks_from_scope: true,
+  checks: [],
+  typescript_config_probe: ["tsconfig.json"],
+  eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+};
+var DEFAULT_RUNTIME_IMAGE = {
+  deps: {
+    monorepo_install: false,
+    hp_next_install: false
+  },
+  plugins_require_binaries: true
+};
+var DEFAULT_RUNTIME_SNAPSHOT = {
+  enabled: true
+};
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+var policyCache = null;
+var policyCachePath = null;
+var seededPolicyConfig = null;
+var compiledRegexCache = new Map;
+function loadPolicy(projectRoot) {
+  if (seededPolicyConfig) {
+    return seededPolicyConfig;
+  }
+  const configPath = resolve3(projectRoot, "rig/policy/policy.json");
+  if (!existsSync3(configPath)) {
+    return defaultPolicy();
+  }
+  let mtimeMs;
+  try {
+    mtimeMs = statSync2(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync(configPath, "utf-8"));
+  } catch {
+    return defaultPolicy();
+  }
+  const config = mergeWithDefaults(parsed);
+  policyCache = { mtimeMs, config };
+  policyCachePath = configPath;
+  return config;
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode)) {
+    base.mode = parsed.mode;
+  }
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const s = parsed.scope;
+    if (typeof s.fail_closed === "boolean")
+      base.scope.fail_closed = s.fail_closed;
+    if (typeof s.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = s.harness_paths_exempt;
+    if (typeof s.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = s.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules)) {
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  }
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sb = parsed.sandbox;
+    if (typeof sb.mode === "string" && isValidMode(sb.mode))
+      base.sandbox.mode = sb.mode;
+    if (typeof sb.network === "boolean")
+      base.sandbox.network = sb.network;
+    if (Array.isArray(sb.read_deny))
+      base.sandbox.read_deny = sb.read_deny.filter((v) => typeof v === "string");
+    if (typeof sb.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sb.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const iso = parsed.isolation;
+    if (iso.default_mode === "worktree")
+      base.isolation.default_mode = iso.default_mode;
+    if (typeof iso.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = iso.repo_symlink_fallback;
+    if (typeof iso.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = iso.strict_provisioning;
+    if (typeof iso.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = iso.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const comp = parsed.completion;
+    if (typeof comp.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = comp.derive_checks_from_scope;
+    if (Array.isArray(comp.checks))
+      base.completion.checks = comp.checks.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.typescript_config_probe))
+      base.completion.typescript_config_probe = comp.typescript_config_probe.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.eslint_config_probe))
+      base.completion.eslint_config_probe = comp.eslint_config_probe.filter((v) => typeof v === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean") {
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      }
+      if (typeof deps.hp_next_install === "boolean") {
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+      }
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean") {
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+    }
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean") {
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+    }
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const r = value;
+  return typeof r.id === "string" && typeof r.category === "string" && r.match != null && typeof r.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    rules.push({
+      id: entry.id,
+      category: "command",
+      match,
+      action: "block",
+      ...typeof entry.description === "string" ? { description: entry.description } : {}
+    });
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiledRegex = rule.match.regex ? compileSafeRegex(rule.match.regex, `rules.${rule.id}.match.regex`, true) : undefined;
+    const compiledUnlessRegex = rule.unless?.regex ? compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, true) : undefined;
+    return {
+      ...rule,
+      ...compiledRegex ? { compiledRegex } : {},
+      ...compiledUnlessRegex ? { compiledUnlessRegex } : {}
+    };
+  });
+}
+function getRegexUnsafeReason(pattern) {
+  if (pattern.length > 512) {
+    return "pattern exceeds max safe length (512 chars)";
+  }
+  if (/\\[1-9]/.test(pattern)) {
+    return "pattern uses backreferences";
+  }
+  if (/\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested quantifiers";
+  }
+  if (/\((?:[^()\\]|\\.)*\.\\?[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested broad quantifiers";
+  }
+  return null;
+}
+function compileSafeRegex(pattern, sourceLabel, logOnFailure) {
+  const cached = compiledRegexCache.get(pattern);
+  if (cached !== undefined) {
+    return cached ?? undefined;
+  }
+  const unsafeReason = getRegexUnsafeReason(pattern);
+  if (unsafeReason) {
+    if (logOnFailure) {
+      console.warn(`[policy] Skipping unsafe regex in ${sourceLabel}: ${unsafeReason}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+  try {
+    const compiled = new RegExp(pattern);
+    compiledRegexCache.set(pattern, compiled);
+    return compiled;
+  } catch (error) {
+    if (logOnFailure) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.warn(`[policy] Skipping invalid regex in ${sourceLabel}: ${message}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+}
+function matchRule(rule, input) {
+  const { match } = rule;
+  if (match.pattern && input.includes(match.pattern)) {
+    return true;
+  }
+  if (match.regex) {
+    const compiled = rule.compiledRegex || compileSafeRegex(match.regex, `rules.${rule.id}.match.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      return compiled.test(input);
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function matchRuleUnless(rule, command, taskId) {
+  if (!rule.unless)
+    return false;
+  if (rule.unless.regex) {
+    const compiled = rule.compiledUnlessRegex || compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      if (compiled.test(command))
+        return true;
+    } catch {}
+  }
+  if (rule.unless.task_in && taskId) {
+    if (rule.unless.task_in.includes(taskId))
+      return true;
+  }
+  return false;
+}
+function resolveAction(mode, matched) {
+  if (matched.length === 0)
+    return "allow";
+  if (mode === "off")
+    return "allow";
+  if (mode === "observe")
+    return "warn";
+  return "block";
+}
+function resolveAbsolutePath(projectRoot, rawPath) {
+  if (rawPath.startsWith("/"))
+    return resolve3(rawPath);
+  return resolve3(projectRoot, rawPath);
+}
+function isHarnessPath(projectRoot, rawPath) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  const managedRoots = [
+    resolve3(projectRoot, "rig"),
+    resolve3(projectRoot, ".rig"),
+    resolve3(projectRoot, "artifacts")
+  ];
+  return managedRoots.some((root) => absPath === root || absPath.startsWith(root + "/"));
+}
+function isRuntimePath(projectRoot, rawPath, taskWorkspace) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  if (taskWorkspace) {
+    const workspaceRigRoot = resolve3(taskWorkspace, ".rig");
+    const workspaceArtifactsRoot = resolve3(taskWorkspace, "artifacts");
+    if (absPath === workspaceRigRoot || absPath.startsWith(workspaceRigRoot + "/") || absPath === workspaceArtifactsRoot || absPath.startsWith(workspaceArtifactsRoot + "/")) {
+      return true;
+    }
+  }
+  const runtimeRoot = resolve3(projectRoot, ".rig/runtime/agents");
+  return absPath === runtimeRoot || absPath.startsWith(runtimeRoot + "/");
+}
+function isTestFile(path) {
+  return /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(path) || /\/(__tests__|tests|test)\//.test(path);
+}
+function evaluate(context) {
+  const policy = loadPolicy(context.projectRoot);
+  switch (context.evaluation.type) {
+    case "tool-call":
+      return evaluateToolCall(policy, context);
+    case "command":
+      return evaluateCommand(policy, context);
+    case "content-write":
+      return evaluateContent(policy, context);
+    case "file-access":
+      return evaluateScope(policy, context, context.evaluation.file_path, context.evaluation.access);
+  }
+}
+function evaluateScope(policy, context, filePath, access) {
+  const allowed = () => ({
+    allowed: true,
+    matchedRules: [],
+    action: "allow",
+    failClosed: false
+  });
+  if (policy.scope.harness_paths_exempt && isHarnessPath(context.projectRoot, filePath)) {
+    return allowed();
+  }
+  if (policy.scope.runtime_paths_exempt && isRuntimePath(context.projectRoot, filePath, context.taskWorkspace)) {
+    return allowed();
+  }
+  if (!context.taskId) {
+    if (access === "write" && policy.scope.fail_closed) {
+      return {
+        allowed: false,
+        matchedRules: [],
+        action: resolveAction(policy.mode, [{ id: "scope:no-task", category: "command", reason: "No active task; fail-closed for write operations" }]),
+        failClosed: true
+      };
+    }
+    return allowed();
+  }
+  const scopes = context.taskScopes || [];
+  if (scopes.length === 0) {
+    return allowed();
+  }
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith("/")) {
+    const absPath = resolve3(filePath);
+    if (!absPath.startsWith(context.taskWorkspace + "/") && !isHarnessPath(context.projectRoot, filePath)) {
+      const reason2 = `Absolute path '${filePath}' is outside task runtime boundary. Allowed root: ${context.taskWorkspace}`;
+      const matched2 = [{ id: "scope:workspace-boundary", category: "command", reason: reason2 }];
+      return {
+        allowed: policy.mode !== "enforce",
+        matchedRules: matched2,
+        action: resolveAction(policy.mode, matched2),
+        failClosed: false
+      };
+    }
+  }
+  const monorepoRoot = context.monorepoRoot || process.env.MONOREPO_ROOT?.trim() || context.taskWorkspace || context.projectRoot;
+  let normalizedPath = filePath;
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith(context.taskWorkspace + "/")) {
+    normalizedPath = filePath.slice(context.taskWorkspace.length + 1);
+  }
+  normalizedPath = normalizePathToScope(context.projectRoot, monorepoRoot, normalizedPath);
+  if (scopeMatches(filePath, scopes) || scopeMatches(normalizedPath, scopes)) {
+    return allowed();
+  }
+  const reason = `File '${filePath}' (normalized: '${normalizedPath}') is outside scope of task ${context.taskId}`;
+  const matched = [{ id: "scope:out-of-scope", category: "command", reason }];
+  return {
+    allowed: policy.mode !== "enforce",
+    matchedRules: matched,
+    action: resolveAction(policy.mode, matched),
+    failClosed: false
+  };
+}
+function evaluateCommand(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "command") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const command = evaluation.command;
+  const matchedRules = [];
+  for (const rule of policy.rules) {
+    if (rule.category !== "command")
+      continue;
+    if (!matchRule(rule, command))
+      continue;
+    if (matchRuleUnless(rule, command, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      description: rule.description,
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const writeTarget = extractWriteTarget(command);
+  if (writeTarget && !/^\/dev\//.test(writeTarget) && !/^\/proc\//.test(writeTarget)) {
+    const scopeResult = evaluateScope(policy, context, writeTarget, "write");
+    if (!scopeResult.allowed || scopeResult.matchedRules.length > 0) {
+      matchedRules.push(...scopeResult.matchedRules);
+    }
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function extractWriteTarget(command) {
+  const redirect = command.match(/>>?\s+([^\s;|&]+)/);
+  if (redirect?.[1])
+    return redirect[1];
+  const tee = command.match(/tee\s+(-a\s+)?([^\s;|&]+)/);
+  if (tee?.[2])
+    return tee[2];
+  return "";
+}
+function evaluateContent(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "content-write") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { content, file_path } = evaluation;
+  const matchedRules = [];
+  const scopeResult = evaluateScope(policy, context, file_path, "write");
+  if (scopeResult.matchedRules.length > 0) {
+    matchedRules.push(...scopeResult.matchedRules);
+  }
+  for (const rule of policy.rules) {
+    if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+      continue;
+    if (rule.applies_to === "test-files" && !isTestFile(file_path))
+      continue;
+    if (!matchRule(rule, content))
+      continue;
+    if (matchRuleUnless(rule, content, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      description: rule.description,
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function evaluateToolCall(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "tool-call") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { tool_name, tool_input } = evaluation;
+  const allMatched = [];
+  const filePaths = extractFilePathsFromToolInput(tool_name, tool_input);
+  for (const fp of filePaths) {
+    const access = isWriteTool(tool_name) ? "write" : "read";
+    const scopeResult = evaluateScope(policy, context, fp, access);
+    if (scopeResult.matchedRules.length > 0) {
+      allMatched.push(...scopeResult.matchedRules);
+    }
+  }
+  const content = extractContentFromToolInput(tool_input);
+  if (content) {
+    const filePath = filePaths[0] || "";
+    const contentContext = {
+      ...context,
+      evaluation: { type: "content-write", file_path: filePath, content }
+    };
+    const contentPolicy = loadPolicy(context.projectRoot);
+    for (const rule of contentPolicy.rules) {
+      if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+        continue;
+      if (rule.applies_to === "test-files" && !isTestFile(filePath))
+        continue;
+      if (!matchRule(rule, content))
+        continue;
+      if (matchRuleUnless(rule, content, context.taskId))
+        continue;
+      allMatched.push({
+        id: rule.id,
+        category: rule.category,
+        description: rule.description,
+        reason: rule.description || `Matched rule ${rule.id}`
+      });
+    }
+  }
+  if (tool_name === "Bash") {
+    const command = String(tool_input.command || tool_input.cmd || "");
+    if (command) {
+      const cmdContext = {
+        ...context,
+        evaluation: { type: "command", command }
+      };
+      const cmdResult = evaluateCommand(policy, cmdContext);
+      if (cmdResult.matchedRules.length > 0) {
+        allMatched.push(...cmdResult.matchedRules);
+      }
+    }
+  }
+  const seen = new Set;
+  const deduplicated = [];
+  for (const rule of allMatched) {
+    if (!seen.has(rule.id)) {
+      seen.add(rule.id);
+      deduplicated.push(rule);
+    }
+  }
+  const action = resolveAction(policy.mode, deduplicated);
+  return {
+    allowed: action !== "block",
+    matchedRules: deduplicated,
+    action,
+    failClosed: false
+  };
+}
+function isWriteTool(toolName) {
+  return toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit";
+}
+function extractFilePathsFromToolInput(toolName, input) {
+  const paths = [];
+  const add = (value) => {
+    if (typeof value === "string" && value.trim()) {
+      paths.push(value.trim());
+    }
+  };
+  if (toolName === "Read" || toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit") {
+    add(input.file_path);
+    add(input.path);
+  } else if (toolName === "Glob") {
+    add(input.path);
+  } else if (toolName === "Grep") {
+    add(input.path);
+  } else {
+    add(input.file_path);
+    add(input.path);
+  }
+  return paths;
+}
+function extractContentFromToolInput(input) {
+  if (typeof input.content === "string")
+    return input.content;
+  if (typeof input.new_string === "string")
+    return input.new_string;
+  return "";
+}
+function loadSandboxConfig(projectRoot) {
+  return loadPolicy(projectRoot).sandbox;
+}
+var guardHotPathPrimed = false;
+function primeGuardHotPaths() {
+  if (guardHotPathPrimed) {
+    return;
+  }
+  guardHotPathPrimed = true;
+  try {
+    optimizeNextInvocation(matchRule);
+    optimizeNextInvocation(evaluate);
+  } catch {}
+}
+primeGuardHotPaths();
+
+// packages/runtime/src/control-plane/runtime/runtime-paths.ts
+import { existsSync as existsSync5, readdirSync as readdirSync2, realpathSync as realpathSync2 } from "fs";
+import { resolve as resolve5 } from "path";
+
+// packages/runtime/src/control-plane/runtime/sandbox-utils.ts
+init_utils();
+
+// packages/runtime/src/control-plane/runtime/runtime-paths.ts
+function resolveBunBinaryPath() {
+  const explicit = normalizeExecutablePath(process.env.RIG_BUN_PATH?.trim());
+  if (explicit) {
+    return explicit;
+  }
+  const pathBun = normalizeExecutablePath(Bun.which("bun")?.trim());
+  if (pathBun && !looksLikeRuntimeGateway(pathBun)) {
+    return pathBun;
+  }
+  const home = process.env.HOME?.trim();
+  const fallbackCandidates = [
+    home ? resolve5(home, ".bun/bin/bun") : "",
+    "/opt/homebrew/bin/bun",
+    "/usr/local/bin/bun",
+    "/usr/bin/bun"
+  ];
+  for (const candidate of fallbackCandidates) {
+    const normalized = normalizeExecutablePath(candidate);
+    if (normalized) {
+      return normalized;
+    }
+  }
+  const execPath = normalizeExecutablePath(process.execPath?.trim());
+  if (execPath && !looksLikeRuntimeGateway(execPath)) {
+    return execPath;
+  }
+  throw new Error("bun not found in PATH");
+}
+function resolveClaudeBinaryPath() {
+  const explicit = normalizeExecutablePath(process.env.RIG_CLAUDE_PATH?.trim());
+  if (explicit) {
+    return explicit;
+  }
+  const pathClaude = normalizeExecutablePath(Bun.which("claude")?.trim());
+  if (pathClaude && !looksLikeRuntimeGateway(pathClaude)) {
+    return pathClaude;
+  }
+  const home = process.env.HOME?.trim();
+  const fallbackCandidates = [
+    home ? resolve5(home, ".local/bin/claude") : "",
+    home ? resolve5(home, ".local/share/claude/local/claude") : "",
+    "/opt/homebrew/bin/claude",
+    "/usr/local/bin/claude",
+    "/usr/bin/claude"
+  ];
+  for (const candidate of fallbackCandidates) {
+    const normalized = normalizeExecutablePath(candidate);
+    if (normalized) {
+      return normalized;
+    }
+  }
+  throw new Error("claude not found in PATH");
+}
+function resolveBunInstallDir(bunBinaryPath = resolveBunBinaryPath()) {
+  return resolve5(bunBinaryPath, "../..");
+}
+function resolveClaudeInstallDir() {
+  const realPath = resolveClaudeBinaryPath();
+  return resolve5(realPath, "..");
+}
+function resolveNodeInstallDir() {
+  const preferredNode = resolvePreferredNodeBinary();
+  if (!preferredNode)
+    return null;
+  const explicitNode = process.env.RIG_NODE_BIN?.trim();
+  if (explicitNode && resolve5(explicitNode) === resolve5(preferredNode)) {
+    return preferredNode.endsWith("/bin/node") ? resolve5(preferredNode, "../..") : resolve5(preferredNode, "..");
+  }
+  try {
+    const realPath = realpathSync2(preferredNode);
+    if (realPath.endsWith("/bin/node")) {
+      return resolve5(realPath, "../..");
+    }
+    return resolve5(realPath, "..");
+  } catch {
+    return resolve5(preferredNode, "..");
+  }
+}
+function resolveRuntimeDependencyRoots(runtimeDirs) {
+  const roots = [];
+  if (process.platform === "darwin") {
+    for (const macPath of ["/opt/homebrew", "/opt/homebrew/opt"]) {
+      if (existsSync5(macPath)) {
+        roots.push(macPath);
+      }
+    }
+  }
+  for (const dir of runtimeDirs) {
+    if (dir.startsWith("/opt/homebrew/Cellar/")) {
+      roots.push("/opt/homebrew/opt");
+    } else if (dir.startsWith("/usr/local/Cellar/")) {
+      roots.push("/usr/local/opt");
+    }
+  }
+  return uniq(roots);
+}
+function resolvePreferredNodeBinary() {
+  const candidates = [];
+  const envNode = process.env.RIG_NODE_BIN?.trim();
+  if (envNode) {
+    const explicit = resolve5(envNode);
+    if (existsSync5(explicit)) {
+      return explicit;
+    }
+  }
+  const nvmBin = process.env.NVM_BIN?.trim();
+  if (nvmBin) {
+    candidates.push(resolve5(nvmBin, "node"));
+  }
+  const home = process.env.HOME?.trim();
+  if (home) {
+    const nvmVersionsDir = resolve5(home, ".nvm/versions/node");
+    if (existsSync5(nvmVersionsDir)) {
+      try {
+        const versionDirs = readdirSync2(nvmVersionsDir).map((entry) => entry.trim()).filter((entry) => /^v\d+\.\d+\.\d+$/.test(entry)).sort((a, b) => Bun.semver.order(b.replace(/^v/, ""), a.replace(/^v/, "")));
+        for (const versionDir of versionDirs) {
+          candidates.push(resolve5(nvmVersionsDir, versionDir, "bin/node"));
+        }
+      } catch {}
+    }
+  }
+  const whichNode = Bun.which("node");
+  if (whichNode) {
+    candidates.push(whichNode);
+  }
+  const deduped = uniq(candidates.map((candidate) => resolve5(candidate)));
+  const existing = deduped.filter((candidate) => existsSync5(candidate));
+  if (existing.length === 0) {
+    return null;
+  }
+  const stable = existing.find((candidate) => {
+    const major = inferNodeMajor(candidate);
+    return typeof major === "number" && major >= 18 && major <= 24;
+  });
+  if (stable) {
+    return stable;
+  }
+  return existing[0] ?? null;
+}
+function inferNodeMajor(nodeBinaryPath) {
+  const normalized = resolve5(nodeBinaryPath).replace(/\\/g, "/");
+  const match = normalized.match(/(?:^|\/)(?:node-)?v?(\d+)\.\d+\.\d+(?:\/|$)/);
+  if (!match) {
+    return null;
+  }
+  const major = Number.parseInt(match[1], 10);
+  return Number.isFinite(major) ? major : null;
+}
+function normalizeExecutablePath(candidate) {
+  if (!candidate) {
+    return "";
+  }
+  const normalized = resolve5(candidate);
+  if (!existsSync5(normalized)) {
+    return "";
+  }
+  try {
+    return realpathSync2(normalized);
+  } catch {
+    return normalized;
+  }
+}
+function looksLikeRuntimeGateway(candidate) {
+  const normalized = resolve5(candidate).replace(/\\/g, "/");
+  return normalized.includes("/.rig/bin/") || normalized.endsWith("/rig-shell") || normalized.endsWith("/rig-agent");
+}
+
+// packages/runtime/src/control-plane/runtime/sandbox/backend.ts
+init_utils();
+
+// packages/runtime/src/control-plane/runtime/sandbox/backend-none.ts
+class NoSandboxBackend {
+  kind = "none";
+  reason;
+  constructor(reason) {
+    this.reason = reason;
+  }
+  wrap(options) {
+    return {
+      command: options.command,
+      enabled: false,
+      backend: "none",
+      reason: this.reason,
+      metadata: undefined
+    };
+  }
+}
+
+// packages/runtime/src/control-plane/runtime/sandbox/backend.ts
+class SandboxError extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+    this.name = "SandboxError";
+  }
+}
+function resolveRuntimeSandboxModeWithPolicy(sandboxConfig, envOverride) {
+  if (envOverride) {
+    const normalized = envOverride.trim().toLowerCase();
+    if (normalized === "off" || normalized === "auto" || normalized === "enforce") {
+      if (normalized !== sandboxConfig.mode) {
+        console.warn(`[sandbox] RIG_RUNTIME_SANDBOX=${normalized} overrides policy sandbox.mode=${sandboxConfig.mode}`);
+      }
+      return normalized;
+    }
+  }
+  const policyMode = sandboxConfig.mode;
+  if (policyMode === "off")
+    return "off";
+  if (policyMode === "observe")
+    return "auto";
+  return "enforce";
+}
+var bwrapProbeCache = null;
+async function probeBubblewrap(binary) {
+  if (bwrapProbeCache !== null) {
+    return bwrapProbeCache;
+  }
+  const probe = await Bun.$`${binary} ${["--ro-bind", "/", "/", "--proc", "/proc", "--dev", "/dev", "--", "true"]}`.quiet().nothrow();
+  bwrapProbeCache = probe.exitCode === 0;
+  return bwrapProbeCache;
+}
+async function resolveBackend(projectRoot, options) {
+  const config = loadSandboxConfig(projectRoot);
+  const mode = resolveRuntimeSandboxModeWithPolicy(config, options?.envOverride);
+  const probed = [];
+  if (mode === "off") {
+    return {
+      backend: new NoSandboxBackend,
+      selectedKind: "none",
+      probed,
+      reason: "disabled-by-config"
+    };
+  }
+  const explicitBackend = options?.backendOverride ?? process.env.RIG_SANDBOX_BACKEND?.trim().toLowerCase();
+  const requestedBackend = resolveExplicitBackend(explicitBackend);
+  if (requestedBackend) {
+    if (requestedBackend === "docker") {
+      throw new SandboxError("backend-unavailable", `Backend "docker" is not yet implemented.`);
+    }
+    if (requestedBackend === "none") {
+      return {
+        backend: new NoSandboxBackend("explicit-none"),
+        selectedKind: "none",
+        probed,
+        reason: "explicit-none"
+      };
+    }
+  }
+  const bunDir = resolveBunInstallDir();
+  const claudeDir = (() => {
+    try {
+      return resolveClaudeInstallDir();
+    } catch {
+      return null;
+    }
+  })();
+  const nodeDir = resolveNodeInstallDir();
+  const depRoots = resolveRuntimeDependencyRoots([bunDir, claudeDir, nodeDir].filter(Boolean));
+  const resolvedPaths = {
+    bunDir,
+    claudeDir,
+    nodeDir,
+    depRoots
+  };
+  const fsContext = {
+    pathExists: (p) => existsSync6(p),
+    realPath: toRealPath
+  };
+  if (process.platform === "darwin" && (!requestedBackend || requestedBackend === "macos-seatbelt")) {
+    const seatbelt = Bun.which("sandbox-exec");
+    probed.push("sandbox-exec");
+    if (seatbelt && existsSync6(seatbelt)) {
+      const SeatbeltBackendClass = loadSeatbeltBackend();
+      if (SeatbeltBackendClass) {
+        return {
+          backend: new SeatbeltBackendClass(seatbelt, config, fsContext, resolvedPaths),
+          selectedKind: "macos-seatbelt",
+          probed,
+          reason: "detected-seatbelt"
+        };
+      }
+      return handleUnavailableBackend(mode, probed, "macos-seatbelt", "Seatbelt sandbox backend module failed to load.", "seatbelt-backend-module-unavailable", { explicit: requestedBackend === "macos-seatbelt" });
+    }
+  }
+  if (process.platform === "linux" && (!requestedBackend || requestedBackend === "linux-bwrap")) {
+    const bwrap = Bun.which("bwrap");
+    probed.push("bwrap");
+    if (bwrap && await probeBubblewrap(bwrap)) {
+      const BwrapBackendClass = loadBwrapBackend();
+      if (BwrapBackendClass) {
+        return {
+          backend: new BwrapBackendClass(bwrap, config, fsContext, resolvedPaths),
+          selectedKind: "linux-bwrap",
+          probed,
+          reason: "detected-bwrap"
+        };
+      }
+      return handleUnavailableBackend(mode, probed, "linux-bwrap", "Bubblewrap sandbox backend module failed to load.", "bwrap-backend-module-unavailable", { explicit: requestedBackend === "linux-bwrap" });
+    }
+  }
+  if (requestedBackend) {
+    return handleUnavailableBackend(mode, probed, requestedBackend, `Explicit sandbox backend "${requestedBackend}" is unavailable on ${process.platform}.`, "explicit-backend-unavailable", { explicit: true });
+  }
+  if (mode === "enforce") {
+    throw new SandboxError("backend-unavailable", `Runtime sandbox required (mode=enforce) but no backend available. Probed: ${probed.join(", ")}`);
+  }
+  return {
+    backend: new NoSandboxBackend("sandbox-backend-unavailable"),
+    selectedKind: "none",
+    probed,
+    reason: "sandbox-backend-unavailable"
+  };
+}
+function resolveExplicitBackend(explicitBackend) {
+  if (!explicitBackend) {
+    return null;
+  }
+  switch (explicitBackend) {
+    case "none":
+    case "macos-seatbelt":
+    case "linux-bwrap":
+    case "docker":
+      return explicitBackend;
+    default:
+      throw new SandboxError("backend-unavailable", `Unknown sandbox backend "${explicitBackend}".`);
+  }
+}
+function loadSeatbeltBackend() {
+  try {
+    const mod = (init_backend_seatbelt(), __toCommonJS(exports_backend_seatbelt));
+    return mod.SeatbeltBackend ?? null;
+  } catch {
+    return null;
+  }
+}
+function loadBwrapBackend() {
+  try {
+    const mod = (init_backend_bwrap(), __toCommonJS(exports_backend_bwrap));
+    return mod.BwrapBackend ?? null;
+  } catch {
+    return null;
+  }
+}
+function handleUnavailableBackend(mode, probed, detectedKind, message, reason, options) {
+  if (mode === "enforce" || options?.explicit) {
+    throw new SandboxError("backend-unavailable", `${message} Probed: ${probed.join(", ")}`);
+  }
+  return {
+    backend: new NoSandboxBackend(reason),
+    selectedKind: "none",
+    probed,
+    reason: `${reason}:${detectedKind}`
+  };
+}
+
+// packages/runtime/src/control-plane/runtime/sandbox/orchestrator.ts
+function shouldSandboxRuntime(_runtime) {
+  return true;
+}
+async function wrapWithRuntimeSandbox(options) {
+  const envOverride = process.env.RIG_RUNTIME_SANDBOX;
+  const resolution = await resolveBackend(options.projectRoot, { envOverride });
+  if (resolution.backend.kind === "none") {
+    const plan = resolution.backend.wrap({
+      projectRoot: options.projectRoot,
+      runtime: options.runtime,
+      command: options.command
+    });
+    return {
+      ...plan,
+      reason: plan.reason ?? resolution.reason
+    };
+  }
+  if (!shouldSandboxRuntime(options.runtime)) {
+    return {
+      command: options.command,
+      enabled: false,
+      backend: "none",
+      reason: "runtime-mode-not-sandboxed"
+    };
+  }
+  return resolution.backend.wrap({
+    projectRoot: options.projectRoot,
+    runtime: options.runtime,
+    command: options.command
+  });
+}
+// packages/runtime/src/control-plane/runtime/isolation/home.ts
+import {
+  chmodSync,
+  copyFileSync as copyFileSync2,
+  cpSync,
+  existsSync as existsSync9,
+  mkdirSync as mkdirSync5,
+  statSync as statSync3,
+  writeFileSync as writeFileSync3
+} from "fs";
+import { mkdir } from "fs/promises";
+import { basename as basename2, delimiter, resolve as resolve11 } from "path";
+
+// packages/runtime/src/control-plane/runtime/baked-secrets.ts
+var BAKED_RUNTIME_SECRETS = {
+  ANTHROPIC_API_KEY: typeof RIG_BAKED_ANTHROPIC_API_KEY !== "undefined" ? RIG_BAKED_ANTHROPIC_API_KEY : "",
+  OPENAI_API_KEY: typeof RIG_BAKED_OPENAI_API_KEY !== "undefined" ? RIG_BAKED_OPENAI_API_KEY : "",
+  OPENROUTER_API_KEY: typeof RIG_BAKED_OPENROUTER_API_KEY !== "undefined" ? RIG_BAKED_OPENROUTER_API_KEY : "",
+  AI_REVIEW_MODE: typeof RIG_BAKED_AI_REVIEW_MODE !== "undefined" ? RIG_BAKED_AI_REVIEW_MODE : "",
+  AI_REVIEW_PROVIDER: typeof RIG_BAKED_AI_REVIEW_PROVIDER !== "undefined" ? RIG_BAKED_AI_REVIEW_PROVIDER : "",
+  GREPTILE_API_BASE: typeof RIG_BAKED_GREPTILE_API_BASE !== "undefined" ? RIG_BAKED_GREPTILE_API_BASE : "",
+  GREPTILE_REMOTE: typeof RIG_BAKED_GREPTILE_REMOTE !== "undefined" ? RIG_BAKED_GREPTILE_REMOTE : "",
+  GREPTILE_REPOSITORY: typeof RIG_BAKED_GREPTILE_REPOSITORY !== "undefined" ? RIG_BAKED_GREPTILE_REPOSITORY : "",
+  GREPTILE_CONTEXT_BRANCH: typeof RIG_BAKED_GREPTILE_CONTEXT_BRANCH !== "undefined" ? RIG_BAKED_GREPTILE_CONTEXT_BRANCH : "",
+  GREPTILE_DEFAULT_BRANCH: typeof RIG_BAKED_GREPTILE_DEFAULT_BRANCH !== "undefined" ? RIG_BAKED_GREPTILE_DEFAULT_BRANCH : "",
+  GREPTILE_API_KEY: typeof RIG_BAKED_GREPTILE_API_KEY !== "undefined" ? RIG_BAKED_GREPTILE_API_KEY : "",
+  GREPTILE_GITHUB_TOKEN: typeof RIG_BAKED_GREPTILE_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GREPTILE_GITHUB_TOKEN : "",
+  GREPTILE_POLL_ATTEMPTS: typeof RIG_BAKED_GREPTILE_POLL_ATTEMPTS !== "undefined" ? RIG_BAKED_GREPTILE_POLL_ATTEMPTS : "",
+  GREPTILE_POLL_INTERVAL_MS: typeof RIG_BAKED_GREPTILE_POLL_INTERVAL_MS !== "undefined" ? RIG_BAKED_GREPTILE_POLL_INTERVAL_MS : "",
+  GH_TOKEN: typeof RIG_BAKED_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GITHUB_TOKEN : "",
+  GITHUB_TOKEN: typeof RIG_BAKED_GITHUB_TOKEN !== "undefined" ? RIG_BAKED_GITHUB_TOKEN : "",
+  GITHUB_SSH_KEY: typeof RIG_BAKED_GITHUB_SSH_KEY !== "undefined" ? RIG_BAKED_GITHUB_SSH_KEY : "",
+  AWS_ACCESS_KEY_ID: typeof RIG_BAKED_AWS_ACCESS_KEY_ID !== "undefined" ? RIG_BAKED_AWS_ACCESS_KEY_ID : "",
+  AWS_SECRET_ACCESS_KEY: typeof RIG_BAKED_AWS_SECRET_ACCESS_KEY !== "undefined" ? RIG_BAKED_AWS_SECRET_ACCESS_KEY : "",
+  AWS_REGION: typeof RIG_BAKED_AWS_REGION !== "undefined" ? RIG_BAKED_AWS_REGION : "",
+  LINEAR_API_KEY: typeof RIG_BAKED_LINEAR_API_KEY !== "undefined" ? RIG_BAKED_LINEAR_API_KEY : "",
+  LINEAR_WEBHOOK_SECRET: typeof RIG_BAKED_LINEAR_WEBHOOK_SECRET !== "undefined" ? RIG_BAKED_LINEAR_WEBHOOK_SECRET : ""
+};
+function resolveRuntimeSecrets(env, baked = BAKED_RUNTIME_SECRETS) {
+  const resolved = {};
+  const keys = new Set([
+    ...Object.keys(BAKED_RUNTIME_SECRETS),
+    ...Object.keys(baked)
+  ]);
+  for (const key of keys) {
+    const envValue = env[key]?.trim();
+    const bakedValue = baked[key]?.trim();
+    if (envValue) {
+      resolved[key] = envValue;
+    } else if (bakedValue) {
+      resolved[key] = bakedValue;
+    }
+  }
+  return resolved;
+}
+
+// packages/runtime/src/control-plane/native/git-native.ts
+import { tmpdir as tmpdir2 } from "os";
+import { dirname as dirname3, isAbsolute, resolve as resolve8 } from "path";
+var sharedGitNativeOutputDir = resolve8(tmpdir2(), "rig-native");
+var sharedGitNativeOutputPath = resolve8(sharedGitNativeOutputDir, `rig-git-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+function runtimeRigGitFileName() {
+  return `rig-git${process.platform === "win32" ? ".exe" : ""}`;
+}
+
+// packages/runtime/src/control-plane/browser-contract.ts
+function browserEnvFromContext(browser) {
+  if (!browser?.required) {
+    return {};
+  }
+  const env = {
+    RIG_BROWSER_REQUIRED: "1",
+    RIG_BROWSER_PRESET: browser.preset,
+    RIG_BROWSER_MODE: browser.mode,
+    RIG_BROWSER_STATE_DIR: browser.stateDir,
+    RIG_BROWSER_PROFILE: browser.effectiveProfile,
+    RIG_BROWSER_BASE_PROFILE: browser.defaultProfile,
+    RIG_BROWSER_ATTACH_URL: browser.effectiveAttachUrl,
+    RIG_BROWSER_DEFAULT_ATTACH_URL: browser.defaultAttachUrl,
+    RIG_BROWSER_LAUNCH_HELPER: browser.launchHelper,
+    RIG_BROWSER_CHECK_HELPER: browser.checkHelper,
+    RIG_BROWSER_ATTACH_INFO_HELPER: browser.attachInfoHelper,
+    RIG_BROWSER_E2E_HELPER: browser.e2eHelper,
+    RIG_BROWSER_RESET_HELPER: browser.resetProfileHelper
+  };
+  if (browser.devCommand) {
+    env.RIG_BROWSER_DEV_COMMAND = browser.devCommand;
+  }
+  if (browser.launchCommand) {
+    env.RIG_BROWSER_LAUNCH_COMMAND = browser.launchCommand;
+  }
+  if (browser.checkCommand) {
+    env.RIG_BROWSER_CHECK_COMMAND = browser.checkCommand;
+  }
+  if (browser.e2eCommand) {
+    env.RIG_BROWSER_E2E_COMMAND = browser.e2eCommand;
+  }
+  return env;
+}
+
+// packages/runtime/src/control-plane/runtime/context.ts
+import { existsSync as existsSync7, mkdirSync as mkdirSync4, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+import { dirname as dirname4, resolve as resolve9 } from "path";
+var RUNTIME_CONTEXT_ENV = "RIG_RUNTIME_CONTEXT_FILE";
+var runtimeContextStringFields = [
+  "runtimeId",
+  "taskId",
+  "role",
+  "workspaceDir",
+  "stateDir",
+  "logsDir",
+  "sessionDir",
+  "sessionFile",
+  "policyFile",
+  "binDir",
+  "createdAt"
+];
+var runtimeContextArrayFields = ["scopes", "validation"];
+var runtimeContextOptionalStringFields = [
+  "artifactRoot",
+  "hostProjectRoot",
+  "monorepoMainRoot",
+  "monorepoBaseRef",
+  "monorepoBaseCommit"
+];
+function loadRuntimeContext(path) {
+  const absPath = resolve9(path);
+  if (!existsSync7(absPath)) {
+    throw new Error(`RuntimeTaskContext file not found: ${absPath}`);
+  }
+  let raw;
+  try {
+    raw = JSON.parse(readFileSync2(absPath, "utf8"));
+  } catch (err) {
+    throw new Error(`Failed to parse RuntimeTaskContext at ${absPath}: ${String(err)}`);
+  }
+  if (typeof raw !== "object" || raw === null) {
+    throw new Error(`RuntimeTaskContext at ${absPath} is not an object`);
+  }
+  const obj = raw;
+  for (const field of runtimeContextStringFields) {
+    if (typeof obj[field] !== "string" || obj[field].length === 0) {
+      throw new Error(`RuntimeTaskContext field "${field}" must be a non-empty string (at ${absPath})`);
+    }
+  }
+  for (const field of runtimeContextArrayFields) {
+    if (!Array.isArray(obj[field])) {
+      throw new Error(`RuntimeTaskContext field "${field}" must be an array (at ${absPath})`);
+    }
+    if (!obj[field].every((entry) => typeof entry === "string")) {
+      throw new Error(`RuntimeTaskContext field "${field}" must be a string[] (at ${absPath})`);
+    }
+  }
+  for (const field of runtimeContextOptionalStringFields) {
+    if (field in obj && obj[field] !== undefined && typeof obj[field] !== "string") {
+      throw new Error(`RuntimeTaskContext field "${field}" must be a string when present (at ${absPath})`);
+    }
+  }
+  if (obj.browser !== undefined) {
+    if (typeof obj.browser !== "object" || obj.browser === null || Array.isArray(obj.browser)) {
+      throw new Error(`RuntimeTaskContext field "browser" must be an object when present (at ${absPath})`);
+    }
+    const browser = obj.browser;
+    for (const field of [
+      "preset",
+      "mode",
+      "stateDir",
+      "defaultProfile",
+      "effectiveProfile",
+      "defaultAttachUrl",
+      "effectiveAttachUrl",
+      "launchHelper",
+      "checkHelper",
+      "attachInfoHelper",
+      "e2eHelper",
+      "resetProfileHelper"
+    ]) {
+      if (typeof browser[field] !== "string" || browser[field].length === 0) {
+        throw new Error(`RuntimeTaskContext field "browser.${field}" must be a non-empty string (at ${absPath})`);
+      }
+    }
+    for (const field of ["devCommand", "launchCommand", "checkCommand", "e2eCommand"]) {
+      if (browser[field] !== undefined && typeof browser[field] !== "string") {
+        throw new Error(`RuntimeTaskContext field "browser.${field}" must be a string when present (at ${absPath})`);
+      }
+    }
+    if (typeof browser.required !== "boolean") {
+      throw new Error(`RuntimeTaskContext field "browser.required" must be a boolean (at ${absPath})`);
+    }
+  }
+  if (obj.memory !== undefined) {
+    if (typeof obj.memory !== "object" || obj.memory === null || Array.isArray(obj.memory)) {
+      throw new Error(`RuntimeTaskContext field "memory" must be an object when present (at ${absPath})`);
+    }
+    const memory = obj.memory;
+    for (const field of ["canonicalPath", "canonicalRef", "canonicalBaseOid", "hydratedPath"]) {
+      if (typeof memory[field] !== "string" || memory[field].length === 0) {
+        throw new Error(`RuntimeTaskContext field "memory.${field}" must be a non-empty string (at ${absPath})`);
+      }
+    }
+    if (typeof memory.createdFresh !== "boolean") {
+      throw new Error(`RuntimeTaskContext field "memory.createdFresh" must be a boolean (at ${absPath})`);
+    }
+    if (typeof memory.retrieval !== "object" || memory.retrieval === null || Array.isArray(memory.retrieval)) {
+      throw new Error(`RuntimeTaskContext field "memory.retrieval" must be an object (at ${absPath})`);
+    }
+    const retrieval = memory.retrieval;
+    for (const field of ["topK", "lexicalWeight", "vectorWeight", "recencyWeight", "confidenceWeight"]) {
+      if (typeof retrieval[field] !== "number" || Number.isNaN(retrieval[field])) {
+        throw new Error(`RuntimeTaskContext field "memory.retrieval.${field}" must be a number (at ${absPath})`);
+      }
+    }
+  }
+  if (obj.initialDirtyFiles !== undefined) {
+    if (typeof obj.initialDirtyFiles !== "object" || obj.initialDirtyFiles === null || Array.isArray(obj.initialDirtyFiles)) {
+      throw new Error(`RuntimeTaskContext field "initialDirtyFiles" must be an object when present (at ${absPath})`);
+    }
+    const dirtyFiles = obj.initialDirtyFiles;
+    for (const key of ["project", "monorepo"]) {
+      if (dirtyFiles[key] === undefined) {
+        continue;
+      }
+      if (!Array.isArray(dirtyFiles[key]) || !dirtyFiles[key].every((entry) => typeof entry === "string")) {
+        throw new Error(`RuntimeTaskContext field "initialDirtyFiles.${key}" must be a string[] when present (at ${absPath})`);
+      }
+    }
+  }
+  if (obj.initialHeadCommits !== undefined) {
+    if (typeof obj.initialHeadCommits !== "object" || obj.initialHeadCommits === null || Array.isArray(obj.initialHeadCommits)) {
+      throw new Error(`RuntimeTaskContext field "initialHeadCommits" must be an object when present (at ${absPath})`);
+    }
+    const headCommits = obj.initialHeadCommits;
+    for (const key of ["project", "monorepo"]) {
+      if (headCommits[key] === undefined) {
+        continue;
+      }
+      if (typeof headCommits[key] !== "string") {
+        throw new Error(`RuntimeTaskContext field "initialHeadCommits.${key}" must be a string when present (at ${absPath})`);
+      }
+    }
+  }
+  return obj;
+}
+function runtimeMemoryEnvFromContext(ctx) {
+  if (!ctx?.memory) {
+    return {};
+  }
+  return {
+    RIG_MEMORY_DB_PATH: ctx.memory.hydratedPath,
+    RIG_MEMORY_CANONICAL_PATH: ctx.memory.canonicalPath,
+    RIG_MEMORY_CANONICAL_REF: ctx.memory.canonicalRef,
+    RIG_MEMORY_CANONICAL_BASE_OID: ctx.memory.canonicalBaseOid,
+    RIG_MEMORY_CREATED_FRESH: ctx.memory.createdFresh ? "1" : "0",
+    RIG_MEMORY_RETRIEVAL_TOP_K: String(ctx.memory.retrieval.topK),
+    RIG_MEMORY_RETRIEVAL_LEXICAL_WEIGHT: String(ctx.memory.retrieval.lexicalWeight),
+    RIG_MEMORY_RETRIEVAL_VECTOR_WEIGHT: String(ctx.memory.retrieval.vectorWeight),
+    RIG_MEMORY_RETRIEVAL_RECENCY_WEIGHT: String(ctx.memory.retrieval.recencyWeight),
+    RIG_MEMORY_RETRIEVAL_CONFIDENCE_WEIGHT: String(ctx.memory.retrieval.confidenceWeight)
+  };
+}
+
+// packages/runtime/src/control-plane/runtime/isolation/shared.ts
+import { existsSync as existsSync8, readFileSync as readFileSync3, rmSync as rmSync2 } from "fs";
+import { resolve as resolve10 } from "path";
+var generatedCredentialFiles = new Set;
+function resolveMonorepoRoot3(projectRoot) {
+  return resolveMonorepoRoot2(projectRoot);
+}
+function isRuntimeGatewayGitPath(candidate) {
+  return /\/\.rig\/bin\/git$/.test(candidate.replace(/\\/g, "/"));
+}
+function resolveHostGitBinary() {
+  const candidates = [
+    process.env.RIG_GIT_BIN?.trim() || "",
+    "/usr/bin/git",
+    "/opt/homebrew/bin/git",
+    "/usr/local/bin/git"
+  ];
+  const bunResolved = Bun.which("git");
+  if (bunResolved && !isRuntimeGatewayGitPath(bunResolved)) {
+    candidates.push(bunResolved);
+  }
+  for (const candidate of candidates) {
+    if (!candidate || isRuntimeGatewayGitPath(candidate)) {
+      continue;
+    }
+    if (existsSync8(candidate)) {
+      return candidate;
+    }
+  }
+  return "git";
+}
+async function runGitCommand(repoRoot, args) {
+  const gitBinary = resolveHostGitBinary();
+  return Bun.$`${gitBinary} -C ${repoRoot} ${args}`.quiet().nothrow();
+}
+function sanitizeRuntimeRefSegment(value) {
+  const sanitized = value.trim().replace(/[^A-Za-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "");
+  return (sanitized || "runtime").slice(0, 64);
+}
+function taskRuntimeId(taskId) {
+  return `task-${taskId}`;
+}
+function resolveGithubCliBinaryPath() {
+  const explicit = process.env.RIG_GH_BIN?.trim();
+  if (explicit && existsSync8(explicit)) {
+    return explicit;
+  }
+  const bunResolved = Bun.which("gh");
+  if (bunResolved && existsSync8(bunResolved)) {
+    return bunResolved;
+  }
+  for (const candidate of ["/opt/homebrew/bin/gh", "/usr/local/bin/gh", "/usr/bin/gh"]) {
+    if (existsSync8(candidate)) {
+      return candidate;
+    }
+  }
+  return "";
+}
+async function resolveGithubCliAuthToken(ghBinary = "") {
+  const gh = ghBinary || resolveGithubCliBinaryPath();
+  if (!gh) {
+    return "";
+  }
+  const auth = Bun.spawn([gh, "auth", "token"], {
+    stdout: "pipe",
+    stderr: "pipe"
+  });
+  const [exitCode, stdout] = await Promise.all([
+    auth.exited,
+    new Response(auth.stdout).text()
+  ]);
+  if (exitCode !== 0) {
+    return "";
+  }
+  return stdout.trim();
+}
+function resolveSystemCertBundlePath() {
+  const candidates = [
+    process.env.SSL_CERT_FILE?.trim(),
+    "/etc/ssl/cert.pem",
+    "/private/etc/ssl/cert.pem",
+    "/opt/homebrew/etc/openssl@3/cert.pem"
+  ];
+  for (const candidate of candidates) {
+    if (candidate && existsSync8(candidate)) {
+      return resolve10(candidate);
+    }
+  }
+  return "";
+}
+
+// packages/runtime/src/control-plane/runtime/isolation/home.ts
+var GITHUB_KNOWN_HOSTS = [
+  "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl",
+  "github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=",
+  "github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk="
+].join(`
+`);
+async function runtimeEnv(projectRoot, runtime) {
+  const bunBinaryPath = resolveBunBinaryPath();
+  const bunDir = resolveBunInstallDir(bunBinaryPath);
+  const claudeBinaryPath = process.env.RIG_CLAUDE_PATH?.trim() || (() => {
+    try {
+      return resolveClaudeBinaryPath();
+    } catch {
+      return "";
+    }
+  })();
+  const claudeDir = claudeBinaryPath ? (() => {
+    try {
+      return resolveClaudeInstallDir();
+    } catch {
+      return resolve11(claudeBinaryPath, "..");
+    }
+  })() : "";
+  const nodeDir = resolveNodeInstallDir();
+  const hostGhBinary = resolveGithubCliBinaryPath();
+  const runtimeCertBundlePath = await materializeRuntimeCertBundle(runtime);
+  const monorepoMainRoot = resolveMonorepoRoot3(projectRoot);
+  const realHome = process.env.HOME?.trim();
+  const inheritedPath = (process.env.PATH ?? "").split(delimiter).map((entry) => entry.trim()).filter(Boolean).filter((entry) => !entry.endsWith("/.rig/bin") && !entry.endsWith("/rig/tools"));
+  const pathEntries = [
+    runtime.binDir,
+    `${projectRoot}/rig/tools`,
+    `${bunDir}/bin`,
+    claudeDir,
+    nodeDir ? `${nodeDir}/bin` : "",
+    realHome ? resolve11(realHome, ".local/bin") : "",
+    realHome ? resolve11(realHome, ".cargo/bin") : "",
+    ...inheritedPath,
+    "/usr/local/bin",
+    "/usr/local/sbin",
+    "/opt/homebrew/bin",
+    "/opt/homebrew/sbin",
+    "/usr/bin",
+    "/bin",
+    "/usr/sbin",
+    "/sbin"
+  ].filter(Boolean);
+  const runtimeBash = resolve11(runtime.binDir, "bash");
+  const runtimeRigGit = resolve11(runtime.binDir, runtimeRigGitFileName());
+  const preferredShell = existsSync9(runtimeBash) ? runtimeBash : "/bin/bash";
+  const nativeRuntimeLibraryPath = await materializeNativeRuntimeLibrary(runtime.binDir);
+  const env = {
+    PROJECT_RIG_ROOT: projectRoot,
+    RIG_HOST_PROJECT_ROOT: projectRoot,
+    HOME: runtime.homeDir,
+    TMPDIR: runtime.tmpDir,
+    XDG_CACHE_HOME: runtime.cacheDir,
+    XDG_STATE_HOME: runtime.stateDir,
+    RIG_AGENT_ID: runtime.id,
+    RIG_TASK_ID: runtime.taskId,
+    RIG_TASK_RUNTIME_ID: runtime.id,
+    RIG_TASK_WORKSPACE: runtime.workspaceDir,
+    RIG_TASK_RUNTIME_MODE: runtime.mode,
+    RIG_RUNTIME_MODE: runtime.mode,
+    RIG_RUNTIME_HOME: runtime.rootDir,
+    RIG_RUNTIME_BIN_DIR: runtime.binDir,
+    ...existsSync9(runtimeRigGit) ? { RIG_NATIVE_GIT_BIN: runtimeRigGit } : {},
+    RIG_BUN_PATH: bunBinaryPath,
+    ...claudeBinaryPath ? { RIG_CLAUDE_PATH: claudeBinaryPath } : {},
+    RIG_AGENT_BIN: resolve11(runtime.binDir, "rig-agent"),
+    RIG_HOOKS_ACTIVE: "1",
+    RIG_AUTO_PR_ON_COMPLETE: "1",
+    RIG_POLICY_FILE: resolve11(projectRoot, "rig/policy/policy.json"),
+    RIG_STATE_DIR: runtime.stateDir,
+    RIG_LOGS_DIR: runtime.logsDir,
+    RIG_SESSION_FILE: resolve11(runtime.sessionDir, "session.json"),
+    MONOREPO_ROOT: runtime.workspaceDir,
+    MONOREPO_MAIN_ROOT: monorepoMainRoot,
+    TS_API_TESTS_DIR: resolve11(runtime.workspaceDir, "TSAPITests"),
+    BASH: preferredShell,
+    SHELL: preferredShell,
+    PATH: [...new Set(pathEntries)].join(delimiter),
+    LANG: process.env.LANG ?? "en_US.UTF-8",
+    TERM: process.env.TERM ?? "xterm-256color",
+    PYTHONDONTWRITEBYTECODE: "1",
+    PYTHONPYCACHEPREFIX: resolve11(runtime.cacheDir, "python"),
+    ...process.env.RIG_PR_BASE_PROJECT && { RIG_PR_BASE_PROJECT: process.env.RIG_PR_BASE_PROJECT },
+    ...process.env.RIG_PR_BASE_MONOREPO && { RIG_PR_BASE_MONOREPO: process.env.RIG_PR_BASE_MONOREPO },
+    CLAUDE_HOME: runtime.claudeHomeDir,
+    PI_CODING_AGENT_DIR: resolve11(runtime.homeDir, ".pi", "agent"),
+    [RUNTIME_CONTEXT_ENV]: runtime.contextFile,
+    ...nativeRuntimeLibraryPath ? { RIG_NATIVE_RUNTIME_LIB: nativeRuntimeLibraryPath } : {},
+    ...hostGhBinary ? { RIG_GH_BIN: hostGhBinary } : {},
+    ...runtimeCertBundlePath ? {
+      SSL_CERT_FILE: runtimeCertBundlePath,
+      CURL_CA_BUNDLE: runtimeCertBundlePath,
+      REQUESTS_CA_BUNDLE: runtimeCertBundlePath,
+      NODE_EXTRA_CA_CERTS: runtimeCertBundlePath
+    } : {}
+  };
+  const knownHostsPath = resolve11(runtime.homeDir, ".ssh", "known_hosts");
+  if (existsSync9(knownHostsPath)) {
+    const agentSshKey = resolve11(runtime.homeDir, ".ssh", "rig-agent-key");
+    const sshParts = [
+      "ssh",
+      `-o UserKnownHostsFile="${knownHostsPath}"`,
+      "-o StrictHostKeyChecking=yes",
+      "-F /dev/null"
+    ];
+    if (existsSync9(agentSshKey)) {
+      sshParts.splice(1, 0, `-i "${agentSshKey}"`, "-o IdentitiesOnly=yes");
+    }
+    env.GIT_SSH_COMMAND = sshParts.join(" ");
+  }
+  for (const [key, value] of Object.entries(resolveRuntimeSecrets(process.env))) {
+    if (key === "GITHUB_SSH_KEY") {
+      continue;
+    }
+    if (value) {
+      env[key] = value;
+    }
+  }
+  const fallbackGithubToken = !env.GITHUB_TOKEN && !env.GH_TOKEN ? await resolveGithubCliAuthToken(hostGhBinary) : "";
+  if (fallbackGithubToken) {
+    env.GITHUB_TOKEN = fallbackGithubToken;
+  }
+  if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
+    env.GITHUB_TOKEN = env.GH_TOKEN;
+  }
+  if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
+    env.GH_TOKEN = env.GITHUB_TOKEN;
+  }
+  if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
+    env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
+  }
+  if (existsSync9(runtime.contextFile)) {
+    const runtimeContext = loadRuntimeContext(runtime.contextFile);
+    Object.assign(env, runtimeMemoryEnvFromContext(runtimeContext));
+    Object.assign(env, browserEnvFromContext(runtimeContext.browser));
+  }
+  persistRuntimeSecrets(runtime.rootDir, env);
+  return env;
+}
+function runtimeCommandEnv(baseEnv, command) {
+  const env = { ...baseEnv };
+  delete env.ENV;
+  delete env.BASH_ENV;
+  const executable = command[0]?.trim() ?? "";
+  const shellName = basename2(executable);
+  const isPosixSh = executable === "/bin/sh" || shellName === "sh" || shellName === "dash";
+  if (isPosixSh) {
+    delete env.BASH;
+    if (executable) {
+      env.SHELL = executable;
+    }
+  }
+  return env;
+}
+async function materializeRuntimeCertBundle(runtime) {
+  const sourcePath = resolveSystemCertBundlePath();
+  if (!sourcePath) {
+    return "";
+  }
+  const certsDir = resolve11(runtime.rootDir, "certs");
+  const targetPath = resolve11(certsDir, "ca-certificates.pem");
+  await mkdir(certsDir, { recursive: true });
+  let shouldCopy = !existsSync9(targetPath);
+  if (!shouldCopy) {
+    try {
+      shouldCopy = statSync3(sourcePath).mtimeMs > statSync3(targetPath).mtimeMs;
+    } catch {
+      shouldCopy = true;
+    }
+  }
+  if (shouldCopy) {
+    copyFileSync2(sourcePath, targetPath);
+  }
+  return targetPath;
+}
+function persistRuntimeSecrets(runtimeRoot, env) {
+  const secretsPath = resolve11(runtimeRoot, "runtime-secrets.json");
+  const persisted = {};
+  for (const key of [
+    "GITHUB_TOKEN",
+    "GH_TOKEN",
+    "GREPTILE_GITHUB_TOKEN",
+    "GREPTILE_API_KEY",
+    "AI_REVIEW_MODE",
+    "AI_REVIEW_PROVIDER"
+  ]) {
+    const value = env[key];
+    if (value) {
+      persisted[key] = value;
+    }
+  }
+  if (Object.keys(persisted).length === 0) {
+    return;
+  }
+  writeFileSync3(secretsPath, `${JSON.stringify(persisted, null, 2)}
+`, "utf-8");
+}
+
+// packages/runtime/src/control-plane/runtime/isolation/worktree.ts
+async function cleanupRuntimeWorktree(monorepoRoot, workspaceDir) {
+  await runGitCommand(monorepoRoot, ["worktree", "remove", "--force", workspaceDir]);
+}
+function runtimeWorktreeNameFromRuntimeId(runtimeId) {
+  return sanitizeRuntimeRefSegment(runtimeId.replace(/^task-/, ""));
+}
+
+// packages/runtime/src/control-plane/runtime/isolation/discovery.ts
+init_layout();
+import { resolve as resolve15 } from "path";
+
+// packages/runtime/src/binary-run.ts
+init_layout();
+var runtimeBinaryBuildQueue = Promise.resolve();
+
+// packages/runtime/src/control-plane/runtime/tooling/shell.ts
+import { tmpdir as tmpdir3 } from "os";
+import { basename as basename3, dirname as dirname5, resolve as resolve12 } from "path";
+var sharedNativeShellOutputDir = resolve12(tmpdir3(), "rig-native");
+var sharedNativeShellOutputPath = resolve12(sharedNativeShellOutputDir, `rig-shell-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+// packages/runtime/src/control-plane/runtime/tooling/file-tools.ts
+import { tmpdir as tmpdir4 } from "os";
+import { basename as basename4, dirname as dirname6, resolve as resolve13 } from "path";
+var sharedNativeToolsOutputDir = resolve13(tmpdir4(), "rig-native");
+var sharedNativeToolsOutputPath = resolve13(sharedNativeToolsOutputDir, `rig-tools-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+// packages/runtime/src/control-plane/runtime/tooling/claude-router-binary.ts
+import { tmpdir as tmpdir5 } from "os";
+import { dirname as dirname7, resolve as resolve14 } from "path";
+var sharedRouterOutputDir = resolve14(tmpdir5(), "rig-native");
+var sharedRouterOutputPath = resolve14(sharedRouterOutputDir, `rig-tool-router-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+// packages/runtime/src/control-plane/runtime/isolation/discovery.ts
+function runtimeRootForCleanup(projectRoot, runtimeId) {
+  let monorepoRoot = null;
+  try {
+    monorepoRoot = resolveMonorepoRoot3(projectRoot);
+  } catch {}
+  const workspaceRootCandidate = monorepoRoot ?? projectRoot;
+  const initialWorkspaceDir = resolve15(workspaceRootCandidate, ".worktrees", runtimeWorktreeNameFromRuntimeId(runtimeId));
+  const runtimeRoot = resolveRuntimeWorkspaceLayout(initialWorkspaceDir).runtimeDir;
+  return { monorepoRoot, initialWorkspaceDir, runtimeRoot };
+}
+
+// packages/runtime/src/control-plane/runtime/isolation/runner.ts
+init_layout();
+var SNAPSHOT_SIDECAR_READY_TIMEOUT_MS = 1e4;
+async function startRuntimeSnapshotSidecar(runtime, options = {}) {
+  const instanceId = sanitizeRuntimeRefSegment(options.instanceId?.trim() || runtime.id);
+  const readyFile = resolve16(runtime.stateDir, `runtime-snapshot-sidecar-${instanceId}.ready`);
+  const requestFile = resolve16(runtime.stateDir, `runtime-snapshot-sidecar-${instanceId}.request.json`);
+  rmSync3(readyFile, { force: true });
+  rmSync3(requestFile, { force: true });
+  const sidecarBinary = resolveSnapshotSidecarBinaryPath(runtime.binDir);
+  const useCompiledSidecar = shouldUseCompiledSnapshotSidecar(sidecarBinary);
+  const bunCli = useCompiledSidecar ? null : resolveBunCliInvocation();
+  const command = useCompiledSidecar ? [sidecarBinary] : [bunCli.command, resolveSnapshotSidecarScriptPath()];
+  const proc = Bun.spawn([
+    ...command,
+    "--workspace",
+    runtime.workspaceDir,
+    "--task",
+    runtime.taskId,
+    "--runtime-id",
+    runtime.id,
+    "--instance-id",
+    instanceId,
+    "--ready-file",
+    readyFile,
+    "--request-file",
+    requestFile
+  ], {
+    cwd: runtime.workspaceDir,
+    stdin: "ignore",
+    stdout: "pipe",
+    stderr: "pipe",
+    env: {
+      ...process.env,
+      ...bunCli?.env ?? {}
+    }
+  });
+  const stdoutTextPromise = drainStream(proc.stdout);
+  const stderrTextPromise = drainStream(proc.stderr);
+  await waitForSnapshotSidecarReady(readyFile, proc, stdoutTextPromise, stderrTextPromise);
+  return {
+    cancel: async () => {
+      try {
+        proc.kill("SIGTERM");
+      } catch {}
+      await proc.exited;
+      rmSync3(readyFile, { force: true });
+      rmSync3(requestFile, { force: true });
+    },
+    finalize: async (commandParts, exitCode) => {
+      writeFileSync4(requestFile, `${JSON.stringify({ command: commandParts, exitCode })}
+`, "utf-8");
+      const [sidecarExitCode, stdout, stderr] = await Promise.all([
+        proc.exited,
+        stdoutTextPromise,
+        stderrTextPromise
+      ]);
+      rmSync3(readyFile, { force: true });
+      rmSync3(requestFile, { force: true });
+      if (sidecarExitCode !== 0) {
+        throw new Error(`snapshot sidecar failed (${sidecarExitCode}): ${stderr || stdout}`);
+      }
+    }
+  };
+}
+async function drainStream(stream) {
+  if (!stream)
+    return "";
+  try {
+    return await new Response(stream).text();
+  } catch {
+    return "";
+  }
+}
+async function runInAgentRuntime(options) {
+  const snapshotSidecar = await startRuntimeSnapshotSidecar(options.runtime);
+  try {
+    const runtimeCommand = resolveInternalRuntimeCommand(options.command);
+    const sandboxPlan = await wrapWithRuntimeSandbox({
+      projectRoot: options.projectRoot,
+      runtime: {
+        id: options.runtime.id,
+        mode: options.runtime.mode,
+        rootDir: options.runtime.rootDir,
+        workspaceDir: options.runtime.workspaceDir,
+        homeDir: options.runtime.homeDir,
+        tmpDir: options.runtime.tmpDir,
+        cacheDir: options.runtime.cacheDir,
+        stateDir: options.runtime.stateDir,
+        sessionDir: options.runtime.sessionDir,
+        claudeHomeDir: options.runtime.claudeHomeDir,
+        binDir: options.runtime.binDir
+      },
+      command: runtimeCommand
+    });
+    const proc = Bun.spawn(sandboxPlan.command, {
+      cwd: options.runtime.workspaceDir,
+      env: runtimeCommandEnv(await runtimeEnv(options.projectRoot, options.runtime), sandboxPlan.command),
+      stdin: options.inheritStdio ? "inherit" : "pipe",
+      stdout: options.inheritStdio ? "inherit" : "pipe",
+      stderr: options.inheritStdio ? "inherit" : "pipe"
+    });
+    const exitCode = await proc.exited;
+    if (options.inheritStdio) {
+      await snapshotSidecar.finalize(runtimeCommand, exitCode);
+      return {
+        exitCode,
+        sandboxBackend: sandboxPlan.backend,
+        sandboxEnabled: sandboxPlan.enabled
+      };
+    }
+    const stdout = await new Response(proc.stdout).text();
+    const stderr = await new Response(proc.stderr).text();
+    try {
+      await Bun.write(resolve16(options.runtime.logsDir, "agent-stdout.log"), stdout);
+      await Bun.write(resolve16(options.runtime.logsDir, "agent-stderr.log"), stderr);
+    } catch {}
+    await snapshotSidecar.finalize(runtimeCommand, exitCode);
+    return {
+      exitCode,
+      stdout,
+      stderr,
+      sandboxBackend: sandboxPlan.backend,
+      sandboxEnabled: sandboxPlan.enabled
+    };
+  } catch (error) {
+    await snapshotSidecar.cancel();
+    throw error;
+  }
+}
+function resolveInternalRuntimeCommand(command) {
+  if (command.length === 0) {
+    return [];
+  }
+  const executable = command[0]?.trim() ?? "";
+  if (!executable) {
+    return [...command];
+  }
+  if (basename5(executable) === "bun") {
+    return [resolveBunBinaryPath(), ...command.slice(1)];
+  }
+  return [...command];
+}
+async function cleanupAgentRuntime(options) {
+  const { monorepoRoot, initialWorkspaceDir, runtimeRoot } = runtimeRootForCleanup(options.projectRoot, options.id);
+  const metadataPath = resolve16(runtimeRoot, "runtime.json");
+  if (!existsSync10(runtimeRoot)) {
+    return;
+  }
+  let mode = "worktree";
+  let workspaceDir = "";
+  const metadata = await readRuntimeMetadata(metadataPath);
+  const metadataMatchesRequestedRuntime = metadata !== null && metadata.id === options.id && resolve16(metadata.workspaceDir) === resolve16(initialWorkspaceDir);
+  if (metadata && metadataMatchesRequestedRuntime) {
+    mode = metadata.mode;
+    workspaceDir = metadata.workspaceDir;
+  } else if (existsSync10(initialWorkspaceDir)) {
+    workspaceDir = initialWorkspaceDir;
+  }
+  const preservesTaskWorktree = metadataMatchesRequestedRuntime && metadata ? options.id === taskRuntimeId(metadata.taskId) : false;
+  if (mode === "worktree" && workspaceDir && monorepoRoot && !preservesTaskWorktree) {
+    await cleanupRuntimeWorktree(monorepoRoot, workspaceDir);
+  } else if (mode === "worktree" && workspaceDir && preservesTaskWorktree) {
+    cleanupTaskRuntimeOverlay(workspaceDir);
+  }
+  rmSync3(runtimeRoot, { recursive: true, force: true });
+}
+function cleanupTaskRuntimeOverlay(workspaceDir) {
+  const layout = resolveRuntimeWorkspaceLayout(workspaceDir);
+  for (const path of [
+    layout.homeDir,
+    layout.tmpDir,
+    layout.cacheDir,
+    layout.logsDir,
+    layout.stateDir,
+    layout.sessionDir,
+    layout.binDir,
+    layout.distDir,
+    layout.runtimeDir,
+    layout.contextPath
+  ]) {
+    rmSync3(path, { recursive: true, force: true });
+  }
+}
+function resolveSnapshotSidecarScriptPath() {
+  return resolveRuntimeSourceScriptPath("snapshot-sidecar.ts");
+}
+function resolveSnapshotSidecarBinaryPath(binDir) {
+  return resolve16(binDir, "snapshot-sidecar");
+}
+function shouldUseCompiledSnapshotSidecar(binaryPath) {
+  if (!existsSync10(binaryPath)) {
+    return false;
+  }
+  const preference = process.env.RIG_USE_COMPILED_SNAPSHOT_SIDECAR?.trim().toLowerCase();
+  if (!preference) {
+    return false;
+  }
+  return preference === "1" || preference === "true" || preference === "yes";
+}
+function resolveRuntimeSourceScriptPath(fileName) {
+  const hostRoots = [
+    process.env.RIG_HOST_PROJECT_ROOT?.trim(),
+    process.env.PROJECT_RIG_ROOT?.trim()
+  ].filter((value) => Boolean(value));
+  for (const root of hostRoots) {
+    const candidate = resolve16(root, "packages/runtime/src/control-plane/runtime", fileName);
+    if (existsSync10(candidate)) {
+      return candidate;
+    }
+  }
+  return resolve16(import.meta.dir, "..", fileName);
+}
+function resolveBunCliInvocation() {
+  if (process.env.RIG_BUN_PATH?.trim()) {
+    return {
+      command: process.env.RIG_BUN_PATH.trim(),
+      env: {}
+    };
+  }
+  const systemBun = Bun.which("bun")?.trim();
+  if (systemBun) {
+    return {
+      command: systemBun,
+      env: {}
+    };
+  }
+  if (process.execPath?.trim()) {
+    return {
+      command: process.execPath,
+      env: { BUN_BE_BUN: "1" }
+    };
+  }
+  return { command: "bun", env: {} };
+}
+async function waitForSnapshotSidecarReady(readyFile, proc, stdoutTextPromise, stderrTextPromise) {
+  const deadline = Date.now() + SNAPSHOT_SIDECAR_READY_TIMEOUT_MS;
+  while (Date.now() < deadline) {
+    if (existsSync10(readyFile)) {
+      return;
+    }
+    const exitCode = proc.exitCode;
+    if (exitCode !== null) {
+      const [stderr, stdout] = await Promise.all([stderrTextPromise, stdoutTextPromise]);
+      throw new Error(`snapshot sidecar exited before ready (${exitCode}): ${stderr || stdout}`);
+    }
+    await Bun.sleep(25);
+  }
+  throw new Error(`snapshot sidecar did not become ready within ${SNAPSHOT_SIDECAR_READY_TIMEOUT_MS}ms`);
+}
+async function readRuntimeMetadata(metadataPath) {
+  if (!existsSync10(metadataPath)) {
+    return null;
+  }
+  try {
+    return await Bun.file(metadataPath).json();
+  } catch {
+    return null;
+  }
+}
+export {
+  startRuntimeSnapshotSidecar,
+  runInAgentRuntime,
+  cleanupAgentRuntime
+};