npm - @h-rig/runtime - Versions diffs - 0.0.6-alpha.0 - Mend

@h-rig/runtime 0.0.6-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (176) hide show

package/README.md +27 -0
package/dist/bin/rig-agent-dispatch.js +9615 -0
package/dist/bin/rig-agent.js +9512 -0
package/dist/bin/rig-browser-tool.js +269 -0
package/dist/src/agent-mode.js +48 -0
package/dist/src/baked-secrets.js +121 -0
package/dist/src/binary-build-worker.js +312 -0
package/dist/src/binary-run.js +540 -0
package/dist/src/boundaries.js +1 -0
package/dist/src/build-time-config.js +25 -0
package/dist/src/control-plane/agent-roles.js +27 -0
package/dist/src/control-plane/agent-wrapper.js +9621 -0
package/dist/src/control-plane/authority-files.js +582 -0
package/dist/src/control-plane/browser-contract.js +135 -0
package/dist/src/control-plane/controlled-bash.js +1111 -0
package/dist/src/control-plane/errors.js +13 -0
package/dist/src/control-plane/harness-main.js +10828 -0
package/dist/src/control-plane/hook-materializer.js +75 -0
package/dist/src/control-plane/hooks/audit-trail.js +353 -0
package/dist/src/control-plane/hooks/completion-verification.js +7552 -0
package/dist/src/control-plane/hooks/import-guard.js +890 -0
package/dist/src/control-plane/hooks/inject-context.js +4189 -0
package/dist/src/control-plane/hooks/post-edit-lint.js +43 -0
package/dist/src/control-plane/hooks/safety-guard.js +910 -0
package/dist/src/control-plane/hooks/scope-guard.js +907 -0
package/dist/src/control-plane/hooks/shared.js +44 -0
package/dist/src/control-plane/hooks/submodule-branch.js +7797 -0
package/dist/src/control-plane/hooks/task-runtime-start.js +7799 -0
package/dist/src/control-plane/hooks/test-integrity-guard.js +891 -0
package/dist/src/control-plane/materialize-task-config.js +453 -0
package/dist/src/control-plane/memory-sync/cli.js +2019 -0
package/dist/src/control-plane/memory-sync/db.js +753 -0
package/dist/src/control-plane/memory-sync/embed.js +281 -0
package/dist/src/control-plane/memory-sync/index.js +2049 -0
package/dist/src/control-plane/memory-sync/query.js +294 -0
package/dist/src/control-plane/memory-sync/read.js +784 -0
package/dist/src/control-plane/memory-sync/types.js +6 -0
package/dist/src/control-plane/memory-sync/write.js +1547 -0
package/dist/src/control-plane/native/git-native.js +490 -0
package/dist/src/control-plane/native/git-ops.js +2860 -0
package/dist/src/control-plane/native/harness-cli.js +9721 -0
package/dist/src/control-plane/native/pr-automation.js +373 -0
package/dist/src/control-plane/native/profile-ops.js +481 -0
package/dist/src/control-plane/native/repo-ops.js +2342 -0
package/dist/src/control-plane/native/root-resolver.js +66 -0
package/dist/src/control-plane/native/run-ops.js +3281 -0
package/dist/src/control-plane/native/runtime-native-sidecar.js +299 -0
package/dist/src/control-plane/native/runtime-native.js +392 -0
package/dist/src/control-plane/native/scope-rules.js +17 -0
package/dist/src/control-plane/native/task-ops.js +6320 -0
package/dist/src/control-plane/native/task-state.js +1512 -0
package/dist/src/control-plane/native/utils.js +535 -0
package/dist/src/control-plane/native/validator-binaries.js +889 -0
package/dist/src/control-plane/native/validator.js +2197 -0
package/dist/src/control-plane/native/verifier.js +3249 -0
package/dist/src/control-plane/native/workspace-ops.js +1635 -0
package/dist/src/control-plane/plugin-host-context.js +334 -0
package/dist/src/control-plane/project-main-pre-run-sync.js +630 -0
package/dist/src/control-plane/provider/claude-stream-records.js +158 -0
package/dist/src/control-plane/provider/codex-app-server.js +885 -0
package/dist/src/control-plane/provider/codex-exec-records.js +203 -0
package/dist/src/control-plane/provider/rig-task-run-skill.js +39 -0
package/dist/src/control-plane/provider/runtime-instructions.js +96 -0
package/dist/src/control-plane/remote.js +854 -0
package/dist/src/control-plane/repos/index.js +473 -0
package/dist/src/control-plane/repos/layout.js +124 -0
package/dist/src/control-plane/repos/mirror/bootstrap.js +268 -0
package/dist/src/control-plane/repos/mirror/refresh.js +398 -0
package/dist/src/control-plane/repos/mirror/state.js +167 -0
package/dist/src/control-plane/repos/registry.js +77 -0
package/dist/src/control-plane/repos/types.js +1 -0
package/dist/src/control-plane/runtime/agent-mode.js +48 -0
package/dist/src/control-plane/runtime/baked-secrets.js +120 -0
package/dist/src/control-plane/runtime/claude-tool-router-binary.js +343 -0
package/dist/src/control-plane/runtime/claude-tool-router.js +520 -0
package/dist/src/control-plane/runtime/context.js +216 -0
package/dist/src/control-plane/runtime/events.js +218 -0
package/dist/src/control-plane/runtime/guard-types.js +6 -0
package/dist/src/control-plane/runtime/guard.js +880 -0
package/dist/src/control-plane/runtime/image/fingerprint-sidecar.js +1194 -0
package/dist/src/control-plane/runtime/image/index.js +2255 -0
package/dist/src/control-plane/runtime/image-fingerprint-sidecar.js +1191 -0
package/dist/src/control-plane/runtime/image.js +2255 -0
package/dist/src/control-plane/runtime/index.js +8511 -0
package/dist/src/control-plane/runtime/isolation/discovery.js +599 -0
package/dist/src/control-plane/runtime/isolation/home.js +1217 -0
package/dist/src/control-plane/runtime/isolation/index.js +8193 -0
package/dist/src/control-plane/runtime/isolation/runner.js +2651 -0
package/dist/src/control-plane/runtime/isolation/shared.js +501 -0
package/dist/src/control-plane/runtime/isolation/toolchain.js +1892 -0
package/dist/src/control-plane/runtime/isolation/types.js +1 -0
package/dist/src/control-plane/runtime/isolation/worktree.js +509 -0
package/dist/src/control-plane/runtime/isolation.js +8193 -0
package/dist/src/control-plane/runtime/overlay.js +67 -0
package/dist/src/control-plane/runtime/plugin-mode.js +41 -0
package/dist/src/control-plane/runtime/plugins.js +1131 -0
package/dist/src/control-plane/runtime/provisioning-env.js +220 -0
package/dist/src/control-plane/runtime/queue.js +8358 -0
package/dist/src/control-plane/runtime/rig-shell.js +205 -0
package/dist/src/control-plane/runtime/rig-tools.js +182 -0
package/dist/src/control-plane/runtime/runner-context.js +1 -0
package/dist/src/control-plane/runtime/runtime-paths.js +184 -0
package/dist/src/control-plane/runtime/sandbox/backend-bwrap.js +311 -0
package/dist/src/control-plane/runtime/sandbox/backend-none.js +21 -0
package/dist/src/control-plane/runtime/sandbox/backend-seatbelt.js +268 -0
package/dist/src/control-plane/runtime/sandbox/backend.js +1718 -0
package/dist/src/control-plane/runtime/sandbox/orchestrator.js +1745 -0
package/dist/src/control-plane/runtime/sandbox/utils.js +137 -0
package/dist/src/control-plane/runtime/sandbox-backend-bwrap.js +311 -0
package/dist/src/control-plane/runtime/sandbox-backend-none.js +21 -0
package/dist/src/control-plane/runtime/sandbox-backend-seatbelt.js +268 -0
package/dist/src/control-plane/runtime/sandbox-backend.js +1718 -0
package/dist/src/control-plane/runtime/sandbox-orchestrator.js +1745 -0
package/dist/src/control-plane/runtime/sandbox-utils.js +137 -0
package/dist/src/control-plane/runtime/snapshot/index.js +454 -0
package/dist/src/control-plane/runtime/snapshot/sidecar.js +502 -0
package/dist/src/control-plane/runtime/snapshot/task-run.js +1578 -0
package/dist/src/control-plane/runtime/snapshot-sidecar.js +498 -0
package/dist/src/control-plane/runtime/snapshot.js +454 -0
package/dist/src/control-plane/runtime/task-run-snapshot.js +1578 -0
package/dist/src/control-plane/runtime/tool-gateway.js +422 -0
package/dist/src/control-plane/runtime/tooling/browser-tools.js +32 -0
package/dist/src/control-plane/runtime/tooling/claude-router-binary.js +343 -0
package/dist/src/control-plane/runtime/tooling/claude-router.js +524 -0
package/dist/src/control-plane/runtime/tooling/file-tools.js +182 -0
package/dist/src/control-plane/runtime/tooling/gateway.js +422 -0
package/dist/src/control-plane/runtime/tooling/index.js +1290 -0
package/dist/src/control-plane/runtime/tooling/shell.js +205 -0
package/dist/src/control-plane/runtime/types.js +1 -0
package/dist/src/control-plane/setup-version.js +14 -0
package/dist/src/control-plane/state-sync/index.js +1509 -0
package/dist/src/control-plane/state-sync/read.js +856 -0
package/dist/src/control-plane/state-sync/reconcile.js +260 -0
package/dist/src/control-plane/state-sync/repo.js +302 -0
package/dist/src/control-plane/state-sync/types.js +111 -0
package/dist/src/control-plane/state-sync/write.js +1469 -0
package/dist/src/control-plane/task-fields.js +38 -0
package/dist/src/control-plane/task-source-bootstrap.js +46 -0
package/dist/src/control-plane/task-source.js +30 -0
package/dist/src/control-plane/tasks/legacy-task-config-source.js +130 -0
package/dist/src/control-plane/tasks/plugin-task-source.js +103 -0
package/dist/src/control-plane/tasks/source-aware-task-config-source.js +611 -0
package/dist/src/control-plane/tasks/source-lifecycle.js +1093 -0
package/dist/src/control-plane/tasks/task-record-reader.js +9 -0
package/dist/src/control-plane/validators/boundary/public-apis.js +107 -0
package/dist/src/control-plane/validators/integration/_shared.js +51 -0
package/dist/src/control-plane/validators/integration/adm-audit-http.js +85 -0
package/dist/src/control-plane/validators/integration/adm-auth-http.js +78 -0
package/dist/src/control-plane/validators/integration/adm-issuer-http.js +80 -0
package/dist/src/control-plane/validators/integration/adm-migration.js +78 -0
package/dist/src/control-plane/validators/integration/adm-scaffold.js +78 -0
package/dist/src/control-plane/validators/runtime-registration.js +64 -0
package/dist/src/control-plane/validators/shared.js +683 -0
package/dist/src/events.js +218 -0
package/dist/src/execution.js +35 -0
package/dist/src/index.js +1633 -0
package/dist/src/layout.js +145 -0
package/dist/src/local-server.js +202 -0
package/dist/src/plugins.js +329 -0
package/dist/src/remote-http.js +83 -0
package/dist/src/runtime-context.js +216 -0
package/dist/src/types.js +1 -0
package/native/darwin-arm64/bin/rig-git +0 -0
package/native/darwin-arm64/bin/rig-shell +0 -0
package/native/darwin-arm64/bin/rig-tools +0 -0
package/native/darwin-arm64/lib/runtime-native-darwin-arm64.dylib +0 -0
package/native/darwin-arm64/lib/runtime-native.dylib +0 -0
package/native/darwin-arm64/manifest.json +1 -0
package/native/linux-x64/bin/rig-git +0 -0
package/native/linux-x64/bin/rig-shell +0 -0
package/native/linux-x64/bin/rig-tools +0 -0
package/native/linux-x64/lib/runtime-native-linux-x64.so +0 -0
package/native/linux-x64/lib/runtime-native.so +0 -0
package/native/linux-x64/manifest.json +1 -0
package/package.json +74 -0
package/skills/rig-task-run.md +71 -0

package/dist/src/control-plane/runtime/sandbox-backend-seatbelt.js ADDED Viewed

@@ -0,0 +1,268 @@
+// @bun
+// packages/runtime/src/control-plane/runtime/sandbox/backend-seatbelt.ts
+import { mkdirSync, writeFileSync } from "fs";
+import { resolve as resolve3 } from "path";
+// packages/runtime/src/control-plane/runtime/sandbox/utils.ts
+import { existsSync as existsSync2, readdirSync, realpathSync } from "fs";
+import { resolve as resolve2 } from "path";
+// packages/runtime/src/layout.ts
+import { existsSync } from "fs";
+import { basename, dirname, resolve } from "path";
+function resolveMonorepoRoot(projectRoot) {
+  const normalizedProjectRoot = resolve(projectRoot);
+  const explicit = process.env.MONOREPO_ROOT?.trim();
+  if (explicit) {
+    const explicitRoot = resolve(explicit);
+    const explicitParent = dirname(explicitRoot);
+    if (basename(explicitParent) === ".worktrees") {
+      const owner = dirname(explicitParent);
+      const ownerHasGit = existsSync(resolve(owner, ".git"));
+      const ownerHasTaskConfig = existsSync(resolve(owner, ".rig", "task-config.json"));
+      const ownerHasRigConfig = existsSync(resolve(owner, "rig.config.ts"));
+      if (ownerHasGit && (ownerHasTaskConfig || ownerHasRigConfig)) {
+        return owner;
+      }
+      throw new Error(`MONOREPO_ROOT points to worktree ${explicitRoot}, but the owner checkout is incomplete at ${owner}.`);
+    }
+    if (!existsSync(resolve(explicitRoot, ".git"))) {
+      throw new Error(`MONOREPO_ROOT points to ${explicitRoot}, but no git checkout was found there.`);
+    }
+    const hasTaskConfig = existsSync(resolve(explicitRoot, ".rig", "task-config.json"));
+    const hasRigConfig = existsSync(resolve(explicitRoot, "rig.config.ts"));
+    if (!hasTaskConfig && !hasRigConfig) {
+      throw new Error(`MONOREPO_ROOT points to ${explicitRoot}, but neither .rig/task-config.json nor rig.config.ts exists there.`);
+    }
+    return explicitRoot;
+  }
+  const projectParent = dirname(normalizedProjectRoot);
+  if (basename(projectParent) === ".worktrees") {
+    const worktreeOwner = dirname(projectParent);
+    const ownerHasGit = existsSync(resolve(worktreeOwner, ".git"));
+    const ownerHasTaskConfig = existsSync(resolve(worktreeOwner, ".rig", "task-config.json"));
+    const ownerHasRigConfig = existsSync(resolve(worktreeOwner, "rig.config.ts"));
+    if (ownerHasGit && (ownerHasTaskConfig || ownerHasRigConfig)) {
+      return worktreeOwner;
+    }
+  }
+  return normalizedProjectRoot;
+}
+// packages/runtime/src/control-plane/runtime/sandbox/utils.ts
+function toRealPath(path) {
+  if (!existsSync2(path)) {
+    return resolve2(path);
+  }
+  try {
+    return realpathSync.native(path);
+  } catch {
+    return resolve2(path);
+  }
+}
+function resolveHostGitMetadataPaths(projectRoot, workspaceDir) {
+  const candidates = new Set;
+  const addPath = (candidate) => {
+    if (existsSync2(candidate)) {
+      candidates.add(toRealPath(candidate));
+    }
+  };
+  addPath(resolve2(projectRoot, ".git"));
+  addPath(resolve2(workspaceDir, "..", "..", ".git"));
+  for (const repoRoot of resolveHostRepoRootPaths(projectRoot)) {
+    addPath(resolve2(repoRoot, ".git"));
+  }
+  const workspaceGit = resolve2(workspaceDir, ".git");
+  if (existsSync2(workspaceGit)) {
+    addPath(workspaceGit);
+  }
+  return [...candidates];
+}
+function resolveHostRepoRootPaths(projectRoot) {
+  const candidates = new Set;
+  const addPath = (candidate) => {
+    if (existsSync2(candidate)) {
+      candidates.add(toRealPath(candidate));
+    }
+  };
+  try {
+    const monorepoRoot = resolveMonorepoRoot(projectRoot);
+    if (toRealPath(monorepoRoot) !== toRealPath(projectRoot)) {
+      addPath(monorepoRoot);
+    }
+  } catch {}
+  const reposDir = resolve2(projectRoot, "repos");
+  if (existsSync2(reposDir)) {
+    for (const entry of readdirSync(reposDir, { withFileTypes: true })) {
+      if (entry.isDirectory() || entry.isSymbolicLink()) {
+        addPath(resolve2(reposDir, entry.name));
+      }
+    }
+  }
+  return [...candidates];
+}
+function resolveNetworkWithPolicy(sandboxConfig, envOverride) {
+  if (envOverride) {
+    const envValue = parseBooleanEnv(envOverride, sandboxConfig.network);
+    if (envValue !== sandboxConfig.network) {
+      console.warn(`[sandbox] RIG_RUNTIME_SANDBOX_NETWORK=${envOverride} overrides policy sandbox.network=${sandboxConfig.network}`);
+    }
+    return envValue;
+  }
+  return sandboxConfig.network;
+}
+function parseBooleanEnv(raw, fallback) {
+  if (!raw) {
+    return fallback;
+  }
+  const normalized = raw.trim().toLowerCase();
+  if (normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on") {
+    return true;
+  }
+  if (normalized === "0" || normalized === "false" || normalized === "no" || normalized === "off") {
+    return false;
+  }
+  return fallback;
+}
+function uniq(values) {
+  return [...new Set(values)];
+}
+function seatbeltString(value) {
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"")}"`;
+}
+// packages/runtime/src/control-plane/runtime/sandbox/backend-seatbelt.ts
+class SeatbeltBackend {
+  kind = "macos-seatbelt";
+  binaryPath;
+  config;
+  ctx;
+  resolvedPaths;
+  constructor(binaryPath, config, ctx, resolvedPaths) {
+    this.binaryPath = binaryPath;
+    this.config = config;
+    this.ctx = ctx;
+    this.resolvedPaths = resolvedPaths;
+  }
+  wrap(options) {
+    const profilePath = this.writeSeatbeltProfile(options);
+    return {
+      command: [this.binaryPath, "-f", profilePath, ...options.command],
+      enabled: true,
+      backend: "macos-seatbelt",
+      profilePath
+    };
+  }
+  writeSeatbeltProfile(options) {
+    const sandboxDir = resolve3(options.runtime.rootDir, "sandbox");
+    mkdirSync(sandboxDir, { recursive: true });
+    const profilePath = resolve3(sandboxDir, "seatbelt.sb");
+    const profile = this.renderProfile(options);
+    writeFileSync(profilePath, `${profile}
+`, "utf-8");
+    return profilePath;
+  }
+  renderProfile(options) {
+    const { runtime, projectRoot } = options;
+    const { ctx, resolvedPaths, config } = this;
+    const workspaceReal = ctx.realPath(runtime.workspaceDir);
+    const runtimeRootReal = ctx.realPath(runtime.rootDir);
+    const homeReal = ctx.realPath(runtime.homeDir);
+    const tmpReal = ctx.realPath(runtime.tmpDir);
+    const cacheReal = ctx.realPath(runtime.cacheDir);
+    const hostGitDirs = resolveHostGitMetadataPaths(projectRoot, runtime.workspaceDir);
+    const hostRepoRoots = resolveHostRepoRootPaths(projectRoot).map((repoRoot) => ctx.realPath(repoRoot));
+    const bunDir = ctx.realPath(resolvedPaths.bunDir);
+    const claudeDir = resolvedPaths.claudeDir ? ctx.realPath(resolvedPaths.claudeDir) : null;
+    const allowNetwork = resolveNetworkWithPolicy(config, process.env.RIG_RUNTIME_SANDBOX_NETWORK);
+    const lines = [
+      "(version 1)",
+      "(deny default)",
+      '(import "system.sb")',
+      "(allow process*)",
+      "(allow process-info*)",
+      "(allow signal)",
+      "(allow sysctl-read)",
+      "(allow file-read-metadata)"
+    ];
+    if (allowNetwork) {
+      lines.push("(allow network*)");
+    }
+    for (const sysPath of [
+      "/usr/lib",
+      "/usr/bin",
+      "/usr/sbin",
+      "/usr/share",
+      "/bin",
+      "/sbin",
+      "/System",
+      "/Library",
+      "/Library/Frameworks",
+      "/Library/Developer",
+      "/Library/Apple",
+      "/Applications",
+      "/private/var/db",
+      "/opt/homebrew"
+    ]) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(sysPath)}))`);
+    }
+    lines.push(`(allow file-read* (subpath ${seatbeltString(bunDir)}))`);
+    if (claudeDir) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(claudeDir)}))`);
+    }
+    if (resolvedPaths.nodeDir) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(resolvedPaths.nodeDir)}))`);
+    }
+    for (const depPath of resolvedPaths.depRoots) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(depPath)}))`);
+    }
+    for (const rwPath of uniq([
+      workspaceReal,
+      runtimeRootReal,
+      homeReal,
+      tmpReal,
+      cacheReal
+    ])) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(rwPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(rwPath)}))`);
+    }
+    for (const gitPath of hostGitDirs) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(gitPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(gitPath)}))`);
+    }
+    const projectRootReal = ctx.realPath(projectRoot);
+    if (projectRootReal !== workspaceReal && !projectRootReal.startsWith(workspaceReal + "/")) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(projectRootReal)}))`);
+    }
+    for (const repoRoot of hostRepoRoots) {
+      if (!ctx.pathExists(repoRoot) || repoRoot === workspaceReal || repoRoot.startsWith(workspaceReal + "/") || repoRoot === projectRootReal || repoRoot.startsWith(projectRootReal + "/")) {
+        continue;
+      }
+      lines.push(`(allow file-read* (subpath ${seatbeltString(repoRoot)}))`);
+    }
+    const realHome = process.env.HOME?.trim();
+    if (realHome) {
+      for (const binSubdir of [".local/bin", ".cargo/bin"]) {
+        const binPath = resolve3(realHome, binSubdir);
+        if (ctx.pathExists(binPath)) {
+          lines.push(`(allow file-read* (subpath ${seatbeltString(ctx.realPath(binPath))}))`);
+        }
+      }
+    }
+    for (const tempPath of [
+      "/dev",
+      "/tmp",
+      "/private/tmp",
+      "/var/folders",
+      "/private/var/folders"
+    ]) {
+      lines.push(`(allow file-read* (subpath ${seatbeltString(tempPath)}))`);
+      lines.push(`(allow file-write* (subpath ${seatbeltString(tempPath)}))`);
+    }
+    return lines.join(`
+`);
+  }
+}
+export {
+  SeatbeltBackend
+};