@h-rig/runtime 0.0.6-alpha.0

package/dist/src/control-plane/runtime/task-run-snapshot.js

@@ -0,0 +1,1578 @@
+// @bun
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+
+// packages/runtime/src/layout.ts
+import { existsSync } from "fs";
+import { basename, dirname as dirname2, resolve as resolve2 } from "path";
+function resolveMonorepoRoot(projectRoot) {
+  const normalizedProjectRoot = resolve2(projectRoot);
+  const explicit = process.env.MONOREPO_ROOT?.trim();
+  if (explicit) {
+    const explicitRoot = resolve2(explicit);
+    const explicitParent = dirname2(explicitRoot);
+    if (basename(explicitParent) === ".worktrees") {
+      const owner = dirname2(explicitParent);
+      const ownerHasGit = existsSync(resolve2(owner, ".git"));
+      const ownerHasTaskConfig = existsSync(resolve2(owner, ".rig", "task-config.json"));
+      const ownerHasRigConfig = existsSync(resolve2(owner, "rig.config.ts"));
+      if (ownerHasGit && (ownerHasTaskConfig || ownerHasRigConfig)) {
+        return owner;
+      }
+      throw new Error(`MONOREPO_ROOT points to worktree ${explicitRoot}, but the owner checkout is incomplete at ${owner}.`);
+    }
+    if (!existsSync(resolve2(explicitRoot, ".git"))) {
+      throw new Error(`MONOREPO_ROOT points to ${explicitRoot}, but no git checkout was found there.`);
+    }
+    const hasTaskConfig = existsSync(resolve2(explicitRoot, ".rig", "task-config.json"));
+    const hasRigConfig = existsSync(resolve2(explicitRoot, "rig.config.ts"));
+    if (!hasTaskConfig && !hasRigConfig) {
+      throw new Error(`MONOREPO_ROOT points to ${explicitRoot}, but neither .rig/task-config.json nor rig.config.ts exists there.`);
+    }
+    return explicitRoot;
+  }
+  const projectParent = dirname2(normalizedProjectRoot);
+  if (basename(projectParent) === ".worktrees") {
+    const worktreeOwner = dirname2(projectParent);
+    const ownerHasGit = existsSync(resolve2(worktreeOwner, ".git"));
+    const ownerHasTaskConfig = existsSync(resolve2(worktreeOwner, ".rig", "task-config.json"));
+    const ownerHasRigConfig = existsSync(resolve2(worktreeOwner, "rig.config.ts"));
+    if (ownerHasGit && (ownerHasTaskConfig || ownerHasRigConfig)) {
+      return worktreeOwner;
+    }
+  }
+  return normalizedProjectRoot;
+}
+function resolveRuntimeWorkspaceLayout(workspaceDir) {
+  const root = resolve2(workspaceDir);
+  const rigRoot = resolve2(root, ".rig");
+  const logsDir = resolve2(rigRoot, "logs");
+  const stateDir = resolve2(rigRoot, "state");
+  const runtimeDir = resolve2(rigRoot, "runtime");
+  const binDir = resolve2(rigRoot, "bin");
+  return {
+    workspaceDir: root,
+    rigRoot,
+    stateDir,
+    logsDir,
+    artifactsRoot: resolve2(root, RIG_ARTIFACTS_DIRNAME),
+    runtimeDir,
+    homeDir: resolve2(rigRoot, "home"),
+    tmpDir: resolve2(rigRoot, "tmp"),
+    cacheDir: resolve2(rigRoot, "cache"),
+    sessionDir: resolve2(rigRoot, "session"),
+    binDir,
+    distDir: resolve2(rigRoot, "dist"),
+    pluginBinDir: resolve2(binDir, "plugins"),
+    contextPath: resolve2(rigRoot, "runtime-context.json"),
+    controlPlaneEventsFile: resolve2(logsDir, "control-plane.events.jsonl")
+  };
+}
+var RIG_ARTIFACTS_DIRNAME = "artifacts";
+var init_layout = () => {};
+
+// packages/runtime/src/control-plane/runtime/sandbox/utils.ts
+var init_utils = __esm(() => {
+  init_layout();
+});
+
+// packages/runtime/src/control-plane/native/git-native.ts
+import { tmpdir } from "os";
+import { dirname, isAbsolute, resolve } from "path";
+var sharedGitNativeOutputDir = resolve(tmpdir(), "rig-native");
+var sharedGitNativeOutputPath = resolve(sharedGitNativeOutputDir, `rig-git-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+// packages/runtime/src/control-plane/native/utils.ts
+import { ptr as ptr2 } from "bun:ffi";
+init_layout();
+
+// packages/runtime/src/control-plane/native/runtime-native.ts
+import { dlopen, ptr, suffix, toBuffer } from "bun:ffi";
+import { copyFileSync, existsSync as existsSync2, mkdirSync, renameSync, rmSync, statSync } from "fs";
+import { tmpdir as tmpdir2 } from "os";
+import { dirname as dirname3, resolve as resolve3 } from "path";
+var sharedNativeRuntimeOutputDir = resolve3(tmpdir2(), "rig-native");
+var sharedNativeRuntimeOutputPath = resolve3(sharedNativeRuntimeOutputDir, `runtime-native-${process.platform}-${process.arch}.${suffix}`);
+var colocatedNativeRuntimeFileName = `runtime-native.${suffix}`;
+var nativeRuntimeLibrary = await loadNativeRuntimeLibrary();
+function requireNativeRuntimeLibrary(feature) {
+  if (!nativeRuntimeLibrary) {
+    throw new Error(`Native Zig runtime is required for ${feature}`);
+  }
+  return nativeRuntimeLibrary;
+}
+function runtimeScanWorktreesNative(worktreesRoot) {
+  const response = runNativeRuntimeSidecar({
+    op: "scan-worktrees",
+    input: { worktreesRoot }
+  });
+  if (!response.ok) {
+    throw new Error(response.error);
+  }
+  return response.entries ?? [];
+}
+async function ensureNativeRuntimeLibraryPath(outputPath = sharedNativeRuntimeOutputPath, options = {}) {
+  if (await buildNativeRuntimeLibrary(outputPath, options)) {
+    return outputPath;
+  }
+  return !options.force && existsSync2(outputPath) ? outputPath : null;
+}
+async function loadNativeRuntimeLibrary() {
+  if (process.env.RIG_DISABLE_ZIG_NATIVE === "1") {
+    return null;
+  }
+  for (const candidate of nativeRuntimeLibraryCandidates()) {
+    if (!candidate || !existsSync2(candidate)) {
+      continue;
+    }
+    const loaded = tryDlopenNativeRuntimeLibrary(candidate);
+    if (loaded) {
+      return loaded;
+    }
+  }
+  const builtLibraryPath = await ensureNativeRuntimeLibraryPath(sharedNativeRuntimeOutputPath, { force: true });
+  if (!builtLibraryPath) {
+    return null;
+  }
+  return tryDlopenNativeRuntimeLibrary(builtLibraryPath);
+}
+function nativePackageLibraryCandidates(fromDir, names) {
+  const candidates = [];
+  let cursor = resolve3(fromDir);
+  for (let index = 0;index < 8; index += 1) {
+    for (const name of names) {
+      candidates.push(resolve3(cursor, "native", `${process.platform}-${process.arch}`, name), resolve3(cursor, "native", `${process.platform}-${process.arch}`, "lib", name), resolve3(cursor, "native", name), resolve3(cursor, "native", "lib", name));
+    }
+    const parent = dirname3(cursor);
+    if (parent === cursor)
+      break;
+    cursor = parent;
+  }
+  return candidates;
+}
+function nativeRuntimeLibraryCandidates() {
+  const explicit = process.env.RIG_NATIVE_RUNTIME_LIB?.trim() || "";
+  const execDir = process.execPath?.trim() ? dirname3(process.execPath.trim()) : "";
+  const platformSpecific = `runtime-native-${process.platform}-${process.arch}.${suffix}`;
+  return [...new Set([
+    explicit,
+    ...nativePackageLibraryCandidates(import.meta.dir, [colocatedNativeRuntimeFileName, platformSpecific]),
+    execDir ? resolve3(execDir, colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve3(execDir, platformSpecific) : "",
+    execDir ? resolve3(execDir, "..", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve3(execDir, "..", platformSpecific) : "",
+    execDir ? resolve3(execDir, "lib", colocatedNativeRuntimeFileName) : "",
+    execDir ? resolve3(execDir, "..", "lib", colocatedNativeRuntimeFileName) : "",
+    sharedNativeRuntimeOutputPath
+  ].filter(Boolean))];
+}
+function resolveNativeRuntimeSourcePath() {
+  const explicit = process.env.RIG_NATIVE_RUNTIME_SOURCE?.trim();
+  if (explicit && existsSync2(explicit)) {
+    return explicit;
+  }
+  const bundled = resolve3(import.meta.dir, "../../../native/snapshot.zig");
+  return existsSync2(bundled) ? bundled : null;
+}
+function resolveNativeRuntimeSidecarSourcePath() {
+  const envRoots = [
+    process.cwd()?.trim(),
+    process.env.RIG_HOST_PROJECT_ROOT?.trim(),
+    process.env.PROJECT_RIG_ROOT?.trim()
+  ].filter(Boolean);
+  for (const root of envRoots) {
+    for (const relative of [
+      "packages/runtime/src/control-plane/native/runtime-native-sidecar.ts",
+      "packages/runtime/dist/src/control-plane/native/runtime-native-sidecar.js"
+    ]) {
+      const candidate = resolve3(root, relative);
+      if (existsSync2(candidate)) {
+        return candidate;
+      }
+    }
+  }
+  for (const localCandidate of [
+    resolve3(import.meta.dir, "runtime-native-sidecar.js"),
+    resolve3(import.meta.dir, "runtime-native-sidecar.ts")
+  ]) {
+    if (existsSync2(localCandidate))
+      return localCandidate;
+  }
+  return null;
+}
+async function buildNativeRuntimeLibrary(outputPath, options = {}) {
+  if (process.env.RIG_DISABLE_ZIG_NATIVE === "1") {
+    return false;
+  }
+  const zigBinary = Bun.which("zig");
+  const sourcePath = resolveNativeRuntimeSourcePath();
+  if (!zigBinary || !sourcePath) {
+    return false;
+  }
+  const tempOutputPath = `${outputPath}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2)}.tmp`;
+  try {
+    mkdirSync(dirname3(outputPath), { recursive: true });
+    const needsBuild = options.force === true || !existsSync2(outputPath) || statSync(sourcePath).mtimeMs > statSync(outputPath).mtimeMs;
+    if (!needsBuild) {
+      return true;
+    }
+    const build = Bun.spawn([
+      zigBinary,
+      "build-lib",
+      sourcePath,
+      "-dynamic",
+      "-O",
+      "ReleaseFast",
+      `-femit-bin=${tempOutputPath}`
+    ], {
+      cwd: import.meta.dir,
+      stdout: "pipe",
+      stderr: "pipe"
+    });
+    const exitCode = await build.exited;
+    if (exitCode !== 0 || !existsSync2(tempOutputPath)) {
+      rmSync(tempOutputPath, { force: true });
+      return false;
+    }
+    renameSync(tempOutputPath, outputPath);
+    return true;
+  } catch {
+    rmSync(tempOutputPath, { force: true });
+    return false;
+  }
+}
+function tryDlopenNativeRuntimeLibrary(outputPath) {
+  try {
+    return dlopen(outputPath, {
+      rig_scope_match: {
+        args: ["ptr", "ptr"],
+        returns: "u8"
+      },
+      snapshot_capture: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_delta: {
+        args: ["ptr", "ptr"],
+        returns: "ptr"
+      },
+      snapshot_store_delta: {
+        args: ["ptr", "ptr", "ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_inspect_delta: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_apply_delta: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      snapshot_release: {
+        args: ["ptr"],
+        returns: "void"
+      },
+      runtime_hash_file: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_hash_tree: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_prepare_paths: {
+        args: ["ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_link_dependency_layer: {
+        args: ["ptr", "u64", "ptr", "u64"],
+        returns: "ptr"
+      },
+      runtime_scan_worktrees: {
+        args: ["ptr", "u64"],
+        returns: "ptr"
+      }
+    });
+  } catch {
+    return null;
+  }
+}
+function runNativeRuntimeSidecar(request) {
+  const sidecarSourcePath = resolveNativeRuntimeSidecarSourcePath();
+  if (!sidecarSourcePath) {
+    throw new Error("runtime-native-sidecar.ts source file not found.");
+  }
+  const bunCli = resolveNativeRuntimeSidecarInvocation();
+  const proc = Bun.spawnSync([bunCli.command, sidecarSourcePath, JSON.stringify(request)], {
+    cwd: process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.cwd(),
+    stdout: "pipe",
+    stderr: "pipe",
+    env: {
+      ...process.env,
+      ...bunCli.env,
+      RIG_NATIVE_RUNTIME_SIDECAR: "1"
+    }
+  });
+  if (proc.exitCode !== 0) {
+    throw new Error(proc.stderr.toString() || proc.stdout.toString() || `runtime native sidecar exited ${proc.exitCode}`);
+  }
+  const stdout = proc.stdout.toString().trim();
+  if (!stdout) {
+    throw new Error("runtime native sidecar returned empty output.");
+  }
+  return JSON.parse(stdout);
+}
+function resolveNativeRuntimeSidecarInvocation() {
+  const bunPath = Bun.which("bun");
+  if (bunPath) {
+    return { command: bunPath, env: {} };
+  }
+  if (process.execPath?.trim()) {
+    return {
+      command: process.execPath,
+      env: { BUN_BE_BUN: "1" }
+    };
+  }
+  throw new Error("bun is required to run the runtime native sidecar.");
+}
+
+// packages/runtime/src/control-plane/native/scope-rules.ts
+var activeRules = null;
+function getScopeRules() {
+  return activeRules;
+}
+
+// packages/runtime/src/control-plane/native/utils.ts
+function resolveMonorepoRoot2(projectRoot) {
+  return resolveMonorepoRoot(projectRoot);
+}
+var nativeScopeMatcher = null;
+var scopeRegexCache = new Map;
+function unique(values) {
+  return [...new Set(values)];
+}
+function normalizeRelativeScopePath(inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  const rules = getScopeRules();
+  if (rules?.stripPrefixes) {
+    for (const prefix of rules.stripPrefixes) {
+      if (normalized.startsWith(prefix)) {
+        normalized = normalized.slice(prefix.length);
+      }
+    }
+  }
+  return normalized;
+}
+function normalizePathToScope(projectRoot, monorepoRoot, inputPath) {
+  let normalized = inputPath.replace(/^\.\//, "");
+  if (normalized.startsWith(projectRoot + "/")) {
+    normalized = normalized.slice(projectRoot.length + 1);
+  }
+  if (normalized.startsWith(monorepoRoot + "/")) {
+    normalized = normalized.slice(monorepoRoot.length + 1);
+  }
+  return normalizeRelativeScopePath(normalized);
+}
+function scopeMatches(path, scopes) {
+  const matcher = getNativeScopeMatcher();
+  const pathVariants = unique([path, normalizeRelativeScopePath(path)]);
+  for (const scope of scopes) {
+    const scopeVariants = unique([scope, normalizeRelativeScopePath(scope)]);
+    for (const candidatePath of pathVariants) {
+      for (const candidateScope of scopeVariants) {
+        if (candidatePath === candidateScope) {
+          return true;
+        }
+        if (matcher.match(candidateScope, candidatePath)) {
+          return true;
+        }
+      }
+    }
+  }
+  return false;
+}
+function getNativeScopeMatcher() {
+  if (nativeScopeMatcher) {
+    return nativeScopeMatcher;
+  }
+  nativeScopeMatcher = createNativeScopeMatcher();
+  return nativeScopeMatcher;
+}
+function createNativeScopeMatcher() {
+  const library = requireNativeRuntimeLibrary("scope matching");
+  return {
+    match: (pattern, path) => {
+      const patternBuffer = Buffer.from(`${pattern}\x00`);
+      const pathBuffer = Buffer.from(`${path}\x00`);
+      return library.symbols.rig_scope_match(Number(ptr2(patternBuffer)), Number(ptr2(pathBuffer))) !== 0;
+    }
+  };
+}
+// packages/runtime/src/control-plane/runtime/context.ts
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "fs";
+import { dirname as dirname4, resolve as resolve4 } from "path";
+var DEFAULT_RUNTIME_MEMORY_RETRIEVAL = {
+  topK: 5,
+  lexicalWeight: 0.35,
+  vectorWeight: 0.45,
+  recencyWeight: 0.1,
+  confidenceWeight: 0.1
+};
+var runtimeContextStringFields = [
+  "runtimeId",
+  "taskId",
+  "role",
+  "workspaceDir",
+  "stateDir",
+  "logsDir",
+  "sessionDir",
+  "sessionFile",
+  "policyFile",
+  "binDir",
+  "createdAt"
+];
+var runtimeContextArrayFields = ["scopes", "validation"];
+var runtimeContextOptionalStringFields = [
+  "artifactRoot",
+  "hostProjectRoot",
+  "monorepoMainRoot",
+  "monorepoBaseRef",
+  "monorepoBaseCommit"
+];
+function loadRuntimeContext(path) {
+  const absPath = resolve4(path);
+  if (!existsSync3(absPath)) {
+    throw new Error(`RuntimeTaskContext file not found: ${absPath}`);
+  }
+  let raw;
+  try {
+    raw = JSON.parse(readFileSync(absPath, "utf8"));
+  } catch (err) {
+    throw new Error(`Failed to parse RuntimeTaskContext at ${absPath}: ${String(err)}`);
+  }
+  if (typeof raw !== "object" || raw === null) {
+    throw new Error(`RuntimeTaskContext at ${absPath} is not an object`);
+  }
+  const obj = raw;
+  for (const field of runtimeContextStringFields) {
+    if (typeof obj[field] !== "string" || obj[field].length === 0) {
+      throw new Error(`RuntimeTaskContext field "${field}" must be a non-empty string (at ${absPath})`);
+    }
+  }
+  for (const field of runtimeContextArrayFields) {
+    if (!Array.isArray(obj[field])) {
+      throw new Error(`RuntimeTaskContext field "${field}" must be an array (at ${absPath})`);
+    }
+    if (!obj[field].every((entry) => typeof entry === "string")) {
+      throw new Error(`RuntimeTaskContext field "${field}" must be a string[] (at ${absPath})`);
+    }
+  }
+  for (const field of runtimeContextOptionalStringFields) {
+    if (field in obj && obj[field] !== undefined && typeof obj[field] !== "string") {
+      throw new Error(`RuntimeTaskContext field "${field}" must be a string when present (at ${absPath})`);
+    }
+  }
+  if (obj.browser !== undefined) {
+    if (typeof obj.browser !== "object" || obj.browser === null || Array.isArray(obj.browser)) {
+      throw new Error(`RuntimeTaskContext field "browser" must be an object when present (at ${absPath})`);
+    }
+    const browser = obj.browser;
+    for (const field of [
+      "preset",
+      "mode",
+      "stateDir",
+      "defaultProfile",
+      "effectiveProfile",
+      "defaultAttachUrl",
+      "effectiveAttachUrl",
+      "launchHelper",
+      "checkHelper",
+      "attachInfoHelper",
+      "e2eHelper",
+      "resetProfileHelper"
+    ]) {
+      if (typeof browser[field] !== "string" || browser[field].length === 0) {
+        throw new Error(`RuntimeTaskContext field "browser.${field}" must be a non-empty string (at ${absPath})`);
+      }
+    }
+    for (const field of ["devCommand", "launchCommand", "checkCommand", "e2eCommand"]) {
+      if (browser[field] !== undefined && typeof browser[field] !== "string") {
+        throw new Error(`RuntimeTaskContext field "browser.${field}" must be a string when present (at ${absPath})`);
+      }
+    }
+    if (typeof browser.required !== "boolean") {
+      throw new Error(`RuntimeTaskContext field "browser.required" must be a boolean (at ${absPath})`);
+    }
+  }
+  if (obj.memory !== undefined) {
+    if (typeof obj.memory !== "object" || obj.memory === null || Array.isArray(obj.memory)) {
+      throw new Error(`RuntimeTaskContext field "memory" must be an object when present (at ${absPath})`);
+    }
+    const memory = obj.memory;
+    for (const field of ["canonicalPath", "canonicalRef", "canonicalBaseOid", "hydratedPath"]) {
+      if (typeof memory[field] !== "string" || memory[field].length === 0) {
+        throw new Error(`RuntimeTaskContext field "memory.${field}" must be a non-empty string (at ${absPath})`);
+      }
+    }
+    if (typeof memory.createdFresh !== "boolean") {
+      throw new Error(`RuntimeTaskContext field "memory.createdFresh" must be a boolean (at ${absPath})`);
+    }
+    if (typeof memory.retrieval !== "object" || memory.retrieval === null || Array.isArray(memory.retrieval)) {
+      throw new Error(`RuntimeTaskContext field "memory.retrieval" must be an object (at ${absPath})`);
+    }
+    const retrieval = memory.retrieval;
+    for (const field of ["topK", "lexicalWeight", "vectorWeight", "recencyWeight", "confidenceWeight"]) {
+      if (typeof retrieval[field] !== "number" || Number.isNaN(retrieval[field])) {
+        throw new Error(`RuntimeTaskContext field "memory.retrieval.${field}" must be a number (at ${absPath})`);
+      }
+    }
+  }
+  if (obj.initialDirtyFiles !== undefined) {
+    if (typeof obj.initialDirtyFiles !== "object" || obj.initialDirtyFiles === null || Array.isArray(obj.initialDirtyFiles)) {
+      throw new Error(`RuntimeTaskContext field "initialDirtyFiles" must be an object when present (at ${absPath})`);
+    }
+    const dirtyFiles = obj.initialDirtyFiles;
+    for (const key of ["project", "monorepo"]) {
+      if (dirtyFiles[key] === undefined) {
+        continue;
+      }
+      if (!Array.isArray(dirtyFiles[key]) || !dirtyFiles[key].every((entry) => typeof entry === "string")) {
+        throw new Error(`RuntimeTaskContext field "initialDirtyFiles.${key}" must be a string[] when present (at ${absPath})`);
+      }
+    }
+  }
+  if (obj.initialHeadCommits !== undefined) {
+    if (typeof obj.initialHeadCommits !== "object" || obj.initialHeadCommits === null || Array.isArray(obj.initialHeadCommits)) {
+      throw new Error(`RuntimeTaskContext field "initialHeadCommits" must be an object when present (at ${absPath})`);
+    }
+    const headCommits = obj.initialHeadCommits;
+    for (const key of ["project", "monorepo"]) {
+      if (headCommits[key] === undefined) {
+        continue;
+      }
+      if (typeof headCommits[key] !== "string") {
+        throw new Error(`RuntimeTaskContext field "initialHeadCommits.${key}" must be a string when present (at ${absPath})`);
+      }
+    }
+  }
+  return obj;
+}
+
+// packages/runtime/src/control-plane/memory-sync/query.ts
+var DEFAULT_RESULT_LIMIT = DEFAULT_RUNTIME_MEMORY_RETRIEVAL.topK;
+var DAY_MS = 24 * 60 * 60 * 1000;
+// packages/runtime/src/build-time-config.ts
+function normalizeBuildConfig(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return {};
+  }
+  return Object.fromEntries(Object.entries(value).filter((entry) => typeof entry[1] === "string"));
+}
+function readBuildConfig() {
+  if (typeof __RIG_BUILD_CONFIG__ !== "undefined") {
+    return normalizeBuildConfig(__RIG_BUILD_CONFIG__);
+  }
+  const raw = process.env.RIG_BUILD_CONFIG_JSON?.trim();
+  if (!raw) {
+    return {};
+  }
+  try {
+    return normalizeBuildConfig(JSON.parse(raw));
+  } catch {
+    return {};
+  }
+}
+
+// packages/runtime/src/control-plane/runtime/tooling/shell.ts
+import { tmpdir as tmpdir3 } from "os";
+import { basename as basename2, dirname as dirname5, resolve as resolve5 } from "path";
+var sharedNativeShellOutputDir = resolve5(tmpdir3(), "rig-native");
+var sharedNativeShellOutputPath = resolve5(sharedNativeShellOutputDir, `rig-shell-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+// packages/runtime/src/control-plane/runtime/tooling/file-tools.ts
+import { tmpdir as tmpdir4 } from "os";
+import { basename as basename3, dirname as dirname6, resolve as resolve6 } from "path";
+var sharedNativeToolsOutputDir = resolve6(tmpdir4(), "rig-native");
+var sharedNativeToolsOutputPath = resolve6(sharedNativeToolsOutputDir, `rig-tools-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+// packages/runtime/src/control-plane/plugin-host-context.ts
+import { createPluginHost } from "@rig/core";
+import { loadConfig } from "@rig/core/load-config";
+
+// packages/runtime/src/control-plane/repos/registry.ts
+var MANAGED_REPOS = new Map;
+
+// packages/runtime/src/control-plane/tasks/source-aware-task-config-source.ts
+var STATUS_LABELS = new Set(["ready", "blocked", "in-progress", "under-review", "failed", "cancelled"]);
+
+// packages/runtime/src/control-plane/state-sync/types.ts
+var CANONICAL_TASK_LIFECYCLE_STATUSES = new Set([
+  "draft",
+  "open",
+  "ready",
+  "queued",
+  "in_progress",
+  "under_review",
+  "blocked",
+  "completed",
+  "cancelled"
+]);
+// packages/runtime/src/control-plane/repos/layout.ts
+init_layout();
+// packages/runtime/src/control-plane/state-sync/reconcile.ts
+var STALE_CLAIM_MS = 24 * 60 * 60 * 1000;
+// packages/runtime/src/control-plane/native/validator.ts
+init_layout();
+
+// packages/runtime/src/binary-run.ts
+init_layout();
+var runtimeBinaryBuildQueue = Promise.resolve();
+
+// packages/runtime/src/control-plane/runtime/sandbox-utils.ts
+init_utils();
+
+// packages/runtime/src/control-plane/native/git-ops.ts
+var TASK_ARTIFACT_STAGE_FALLBACK = new Set([
+  "changed-files.txt",
+  "contract-changes.md",
+  "decision-log.md",
+  "git-state.txt",
+  "next-actions.md",
+  "pr-state.json",
+  "task-result.json",
+  "validation-summary.json"
+]);
+
+// packages/runtime/src/control-plane/provider/runtime-instructions.ts
+var CLAUDE_ROUTER_TOOL_NAMES = [
+  "`mcp__rig_runtime_tools__read`",
+  "`mcp__rig_runtime_tools__write`",
+  "`mcp__rig_runtime_tools__edit`",
+  "`mcp__rig_runtime_tools__glob`",
+  "`mcp__rig_runtime_tools__grep`"
+].join(", ");
+var CODEX_DYNAMIC_TOOL_NAMES = [
+  "`shell`",
+  "`read`",
+  "`write`",
+  "`edit`",
+  "`glob`",
+  "`grep`"
+].join(", ");
+
+// packages/runtime/src/control-plane/native/task-ops.ts
+var BUILD_CONFIG = readBuildConfig();
+var BAKED_INFO_OUTPUT = BUILD_CONFIG.AGENT_INFO_OUTPUT ?? "";
+var BAKED_DEPS_OUTPUT = BUILD_CONFIG.AGENT_DEPS_OUTPUT ?? "";
+var BAKED_STATUS_OUTPUT = BUILD_CONFIG.AGENT_STATUS_OUTPUT ?? "";
+var REOPENABLE_TASK_STATUSES = new Set(["completed", "cancelled", "blocked"]);
+var GENERATED_TASK_ARTIFACT_FILES = new Set([
+  "changed-files.txt",
+  "decision-log.md",
+  "next-actions.md",
+  "task-result.json",
+  "validation-summary.json",
+  "review-feedback.md",
+  "review-state.json",
+  "review-status.txt",
+  "review-greptile-raw.json",
+  "pr-state.json",
+  "git-state.txt"
+]);
+
+// packages/runtime/src/control-plane/runtime/isolation/index.ts
+init_layout();
+
+// packages/runtime/src/control-plane/runtime/overlay.ts
+init_layout();
+
+// packages/runtime/src/control-plane/runtime/isolation/shared.ts
+var generatedCredentialFiles = new Set;
+function resolveMonorepoRoot3(projectRoot) {
+  return resolveMonorepoRoot2(projectRoot);
+}
+function sanitizeRuntimeRefSegment(value) {
+  const sanitized = value.trim().replace(/[^A-Za-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "");
+  return (sanitized || "runtime").slice(0, 64);
+}
+function taskRuntimeId(taskId) {
+  return `task-${taskId}`;
+}
+
+// packages/runtime/src/control-plane/runtime/isolation/home.ts
+var GITHUB_KNOWN_HOSTS = [
+  "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl",
+  "github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=",
+  "github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk="
+].join(`
+`);
+
+// packages/runtime/src/control-plane/runtime/tooling/claude-router.ts
+if (false) {}
+// packages/runtime/src/control-plane/runtime/isolation/discovery.ts
+init_layout();
+import { existsSync as existsSync4 } from "fs";
+import { resolve as resolve8 } from "path";
+
+// packages/runtime/src/control-plane/runtime/tooling/claude-router-binary.ts
+import { tmpdir as tmpdir5 } from "os";
+import { dirname as dirname7, resolve as resolve7 } from "path";
+var sharedRouterOutputDir = resolve7(tmpdir5(), "rig-native");
+var sharedRouterOutputPath = resolve7(sharedRouterOutputDir, `rig-tool-router-${process.platform}-${process.arch}${process.platform === "win32" ? ".exe" : ""}`);
+// packages/runtime/src/control-plane/runtime/isolation/toolchain.ts
+function runtimeWorktreeId(workspaceDir) {
+  return workspaceDir.split("/").at(-1) || "runtime";
+}
+
+// packages/runtime/src/control-plane/runtime/isolation/discovery.ts
+async function readRuntimeMetadata(metadataPath) {
+  if (!existsSync4(metadataPath)) {
+    return null;
+  }
+  try {
+    return await Bun.file(metadataPath).json();
+  } catch {
+    return null;
+  }
+}
+async function listAgentRuntimes(projectRoot) {
+  const runtimes = [];
+  const monorepoRoot = resolveMonorepoRoot3(projectRoot);
+  const worktreesRoot = resolve8(monorepoRoot, ".worktrees");
+  if (!existsSync4(worktreesRoot)) {
+    return [];
+  }
+  const workspaces = runtimeScanWorktreesNative(worktreesRoot);
+  for (let scan of workspaces) {
+    let workspacePath = scan.workspaceDir;
+    const workspaceLayout = resolveRuntimeWorkspaceLayout(workspacePath);
+    const rootDir = scan.runtimeDir || workspaceLayout.runtimeDir;
+    const metadataPath = scan.metadataPath || resolve8(rootDir, "runtime.json");
+    const contextFile = scan.contextPath || workspaceLayout.contextPath;
+    let mode = "worktree";
+    let createdAt = new Date().toISOString();
+    let taskId = "";
+    let runtimeId = "";
+    let binDir = workspaceLayout.binDir;
+    let logsDir = workspaceLayout.logsDir;
+    let stateDir = workspaceLayout.stateDir;
+    let sessionDir = workspaceLayout.sessionDir;
+    const metadata = await readRuntimeMetadata(metadataPath);
+    if (metadata) {
+      runtimeId = metadata.id;
+      mode = metadata.mode;
+      createdAt = metadata.createdAt;
+    }
+    if (existsSync4(contextFile)) {
+      try {
+        const ctx = loadRuntimeContext(contextFile);
+        taskId = ctx.taskId;
+        workspacePath = ctx.workspaceDir;
+        binDir = ctx.binDir;
+        logsDir = ctx.logsDir;
+        stateDir = ctx.stateDir;
+        sessionDir = ctx.sessionDir;
+      } catch {}
+    }
+    if (!runtimeId) {
+      runtimeId = taskRuntimeId(taskId || runtimeWorktreeId(workspacePath));
+    }
+    runtimes.push({
+      id: runtimeId,
+      taskId,
+      mode,
+      rootDir,
+      workspaceDir: workspacePath,
+      homeDir: resolve8(rootDir, "home"),
+      tmpDir: resolve8(rootDir, "tmp"),
+      cacheDir: resolve8(rootDir, "cache"),
+      logsDir,
+      stateDir,
+      sessionDir,
+      claudeHomeDir: resolve8(rootDir, "home", ".claude"),
+      contextFile,
+      binDir,
+      createdAt
+    });
+  }
+  return runtimes;
+}
+
+// packages/runtime/src/control-plane/runtime/isolation/runner.ts
+import { existsSync as existsSync6, rmSync as rmSync2, writeFileSync as writeFileSync2 } from "fs";
+import { basename as basename4, resolve as resolve10 } from "path";
+
+// packages/runtime/src/control-plane/runtime/guard.ts
+import { optimizeNextInvocation } from "bun:jsc";
+import { existsSync as existsSync5, readFileSync as readFileSync2, statSync as statSync2 } from "fs";
+import { resolve as resolve9 } from "path";
+
+// packages/runtime/src/control-plane/runtime/guard-types.ts
+var POLICY_VERSION = 1;
+
+// packages/runtime/src/control-plane/runtime/guard.ts
+var DEFAULT_SCOPE = {
+  fail_closed: true,
+  harness_paths_exempt: true,
+  runtime_paths_exempt: true
+};
+var DEFAULT_SANDBOX = {
+  mode: "enforce",
+  network: true,
+  read_deny: [],
+  write_allow_from_runtime: true
+};
+var DEFAULT_ISOLATION = {
+  default_mode: "worktree",
+  repo_symlink_fallback: false,
+  strict_provisioning: true,
+  fail_closed_on_provision_error: true
+};
+var DEFAULT_COMPLETION = {
+  derive_checks_from_scope: true,
+  checks: [],
+  typescript_config_probe: ["tsconfig.json"],
+  eslint_config_probe: [".eslintrc.js", ".eslintrc.json", "eslint.config.js"]
+};
+var DEFAULT_RUNTIME_IMAGE = {
+  deps: {
+    monorepo_install: false,
+    hp_next_install: false
+  },
+  plugins_require_binaries: true
+};
+var DEFAULT_RUNTIME_SNAPSHOT = {
+  enabled: true
+};
+function defaultPolicy() {
+  return {
+    version: POLICY_VERSION,
+    mode: "enforce",
+    scope: { ...DEFAULT_SCOPE },
+    rules: [],
+    sandbox: { ...DEFAULT_SANDBOX },
+    isolation: { ...DEFAULT_ISOLATION },
+    completion: { ...DEFAULT_COMPLETION },
+    runtime_image: {
+      deps: { ...DEFAULT_RUNTIME_IMAGE.deps },
+      plugins_require_binaries: DEFAULT_RUNTIME_IMAGE.plugins_require_binaries
+    },
+    runtime_snapshot: { ...DEFAULT_RUNTIME_SNAPSHOT }
+  };
+}
+var policyCache = null;
+var policyCachePath = null;
+var seededPolicyConfig = null;
+var compiledRegexCache = new Map;
+function loadPolicy(projectRoot) {
+  if (seededPolicyConfig) {
+    return seededPolicyConfig;
+  }
+  const configPath = resolve9(projectRoot, "rig/policy/policy.json");
+  if (!existsSync5(configPath)) {
+    return defaultPolicy();
+  }
+  let mtimeMs;
+  try {
+    mtimeMs = statSync2(configPath).mtimeMs;
+  } catch {
+    return defaultPolicy();
+  }
+  if (policyCache && policyCachePath === configPath && policyCache.mtimeMs === mtimeMs) {
+    return policyCache.config;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(readFileSync2(configPath, "utf-8"));
+  } catch {
+    return defaultPolicy();
+  }
+  const config = mergeWithDefaults(parsed);
+  policyCache = { mtimeMs, config };
+  policyCachePath = configPath;
+  return config;
+}
+function mergeWithDefaults(parsed) {
+  const base = defaultPolicy();
+  if (typeof parsed.mode === "string" && isValidMode(parsed.mode)) {
+    base.mode = parsed.mode;
+  }
+  if (parsed.scope && typeof parsed.scope === "object" && !Array.isArray(parsed.scope)) {
+    const s = parsed.scope;
+    if (typeof s.fail_closed === "boolean")
+      base.scope.fail_closed = s.fail_closed;
+    if (typeof s.harness_paths_exempt === "boolean")
+      base.scope.harness_paths_exempt = s.harness_paths_exempt;
+    if (typeof s.runtime_paths_exempt === "boolean")
+      base.scope.runtime_paths_exempt = s.runtime_paths_exempt;
+  }
+  if (Array.isArray(parsed.rules)) {
+    base.rules = precompilePolicyRuleRegexes(parsed.rules.filter(isValidRule));
+  }
+  if (Array.isArray(parsed.deny) && base.rules.length === 0) {
+    base.rules = precompilePolicyRuleRegexes(migrateLegacyDeny(parsed.deny));
+  }
+  if (parsed.sandbox && typeof parsed.sandbox === "object" && !Array.isArray(parsed.sandbox)) {
+    const sb = parsed.sandbox;
+    if (typeof sb.mode === "string" && isValidMode(sb.mode))
+      base.sandbox.mode = sb.mode;
+    if (typeof sb.network === "boolean")
+      base.sandbox.network = sb.network;
+    if (Array.isArray(sb.read_deny))
+      base.sandbox.read_deny = sb.read_deny.filter((v) => typeof v === "string");
+    if (typeof sb.write_allow_from_runtime === "boolean")
+      base.sandbox.write_allow_from_runtime = sb.write_allow_from_runtime;
+  }
+  if (parsed.isolation && typeof parsed.isolation === "object" && !Array.isArray(parsed.isolation)) {
+    const iso = parsed.isolation;
+    if (iso.default_mode === "worktree")
+      base.isolation.default_mode = iso.default_mode;
+    if (typeof iso.repo_symlink_fallback === "boolean")
+      base.isolation.repo_symlink_fallback = iso.repo_symlink_fallback;
+    if (typeof iso.strict_provisioning === "boolean")
+      base.isolation.strict_provisioning = iso.strict_provisioning;
+    if (typeof iso.fail_closed_on_provision_error === "boolean")
+      base.isolation.fail_closed_on_provision_error = iso.fail_closed_on_provision_error;
+  }
+  if (parsed.completion && typeof parsed.completion === "object" && !Array.isArray(parsed.completion)) {
+    const comp = parsed.completion;
+    if (typeof comp.derive_checks_from_scope === "boolean")
+      base.completion.derive_checks_from_scope = comp.derive_checks_from_scope;
+    if (Array.isArray(comp.checks))
+      base.completion.checks = comp.checks.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.typescript_config_probe))
+      base.completion.typescript_config_probe = comp.typescript_config_probe.filter((v) => typeof v === "string");
+    if (Array.isArray(comp.eslint_config_probe))
+      base.completion.eslint_config_probe = comp.eslint_config_probe.filter((v) => typeof v === "string");
+  }
+  if (parsed.runtime_image && typeof parsed.runtime_image === "object" && !Array.isArray(parsed.runtime_image)) {
+    const runtimeImage = parsed.runtime_image;
+    if (runtimeImage.deps && typeof runtimeImage.deps === "object" && !Array.isArray(runtimeImage.deps)) {
+      const deps = runtimeImage.deps;
+      if (typeof deps.monorepo_install === "boolean") {
+        base.runtime_image.deps.monorepo_install = deps.monorepo_install;
+      }
+      if (typeof deps.hp_next_install === "boolean") {
+        base.runtime_image.deps.hp_next_install = deps.hp_next_install;
+      }
+    }
+    if (typeof runtimeImage.plugins_require_binaries === "boolean") {
+      base.runtime_image.plugins_require_binaries = runtimeImage.plugins_require_binaries;
+    }
+  }
+  if (parsed.runtime_snapshot && typeof parsed.runtime_snapshot === "object" && !Array.isArray(parsed.runtime_snapshot)) {
+    const runtimeSnapshot = parsed.runtime_snapshot;
+    if (typeof runtimeSnapshot.enabled === "boolean") {
+      base.runtime_snapshot.enabled = runtimeSnapshot.enabled;
+    }
+  }
+  return base;
+}
+function isValidMode(value) {
+  return value === "off" || value === "observe" || value === "enforce";
+}
+function isValidRule(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return false;
+  const r = value;
+  return typeof r.id === "string" && typeof r.category === "string" && r.match != null && typeof r.match === "object";
+}
+function migrateLegacyDeny(deny) {
+  const rules = [];
+  for (const entry of deny) {
+    if (typeof entry.id !== "string")
+      continue;
+    const match = {};
+    if (typeof entry.pattern === "string")
+      match.pattern = entry.pattern;
+    if (typeof entry.regex === "string")
+      match.regex = entry.regex;
+    if (!match.pattern && !match.regex)
+      continue;
+    rules.push({
+      id: entry.id,
+      category: "command",
+      match,
+      action: "block",
+      ...typeof entry.description === "string" ? { description: entry.description } : {}
+    });
+  }
+  return rules;
+}
+function precompilePolicyRuleRegexes(rules) {
+  return rules.map((rule) => {
+    const compiledRegex = rule.match.regex ? compileSafeRegex(rule.match.regex, `rules.${rule.id}.match.regex`, true) : undefined;
+    const compiledUnlessRegex = rule.unless?.regex ? compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, true) : undefined;
+    return {
+      ...rule,
+      ...compiledRegex ? { compiledRegex } : {},
+      ...compiledUnlessRegex ? { compiledUnlessRegex } : {}
+    };
+  });
+}
+function getRegexUnsafeReason(pattern) {
+  if (pattern.length > 512) {
+    return "pattern exceeds max safe length (512 chars)";
+  }
+  if (/\\[1-9]/.test(pattern)) {
+    return "pattern uses backreferences";
+  }
+  if (/\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested quantifiers";
+  }
+  if (/\((?:[^()\\]|\\.)*\.\\?[+*](?:[^()\\]|\\.)*\)\s*[*+{]/.test(pattern)) {
+    return "pattern contains nested broad quantifiers";
+  }
+  return null;
+}
+function compileSafeRegex(pattern, sourceLabel, logOnFailure) {
+  const cached = compiledRegexCache.get(pattern);
+  if (cached !== undefined) {
+    return cached ?? undefined;
+  }
+  const unsafeReason = getRegexUnsafeReason(pattern);
+  if (unsafeReason) {
+    if (logOnFailure) {
+      console.warn(`[policy] Skipping unsafe regex in ${sourceLabel}: ${unsafeReason}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+  try {
+    const compiled = new RegExp(pattern);
+    compiledRegexCache.set(pattern, compiled);
+    return compiled;
+  } catch (error) {
+    if (logOnFailure) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.warn(`[policy] Skipping invalid regex in ${sourceLabel}: ${message}`);
+    }
+    compiledRegexCache.set(pattern, null);
+    return;
+  }
+}
+function matchRule(rule, input) {
+  const { match } = rule;
+  if (match.pattern && input.includes(match.pattern)) {
+    return true;
+  }
+  if (match.regex) {
+    const compiled = rule.compiledRegex || compileSafeRegex(match.regex, `rules.${rule.id}.match.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      return compiled.test(input);
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+function matchRuleUnless(rule, command, taskId) {
+  if (!rule.unless)
+    return false;
+  if (rule.unless.regex) {
+    const compiled = rule.compiledUnlessRegex || compileSafeRegex(rule.unless.regex, `rules.${rule.id}.unless.regex`, false);
+    if (!compiled) {
+      return false;
+    }
+    try {
+      if (compiled.test(command))
+        return true;
+    } catch {}
+  }
+  if (rule.unless.task_in && taskId) {
+    if (rule.unless.task_in.includes(taskId))
+      return true;
+  }
+  return false;
+}
+function resolveAction(mode, matched) {
+  if (matched.length === 0)
+    return "allow";
+  if (mode === "off")
+    return "allow";
+  if (mode === "observe")
+    return "warn";
+  return "block";
+}
+function resolveAbsolutePath(projectRoot, rawPath) {
+  if (rawPath.startsWith("/"))
+    return resolve9(rawPath);
+  return resolve9(projectRoot, rawPath);
+}
+function isHarnessPath(projectRoot, rawPath) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  const managedRoots = [
+    resolve9(projectRoot, "rig"),
+    resolve9(projectRoot, ".rig"),
+    resolve9(projectRoot, "artifacts")
+  ];
+  return managedRoots.some((root) => absPath === root || absPath.startsWith(root + "/"));
+}
+function isRuntimePath(projectRoot, rawPath, taskWorkspace) {
+  const absPath = resolveAbsolutePath(projectRoot, rawPath);
+  if (taskWorkspace) {
+    const workspaceRigRoot = resolve9(taskWorkspace, ".rig");
+    const workspaceArtifactsRoot = resolve9(taskWorkspace, "artifacts");
+    if (absPath === workspaceRigRoot || absPath.startsWith(workspaceRigRoot + "/") || absPath === workspaceArtifactsRoot || absPath.startsWith(workspaceArtifactsRoot + "/")) {
+      return true;
+    }
+  }
+  const runtimeRoot = resolve9(projectRoot, ".rig/runtime/agents");
+  return absPath === runtimeRoot || absPath.startsWith(runtimeRoot + "/");
+}
+function isTestFile(path) {
+  return /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(path) || /\/(__tests__|tests|test)\//.test(path);
+}
+function evaluate(context) {
+  const policy = loadPolicy(context.projectRoot);
+  switch (context.evaluation.type) {
+    case "tool-call":
+      return evaluateToolCall(policy, context);
+    case "command":
+      return evaluateCommand(policy, context);
+    case "content-write":
+      return evaluateContent(policy, context);
+    case "file-access":
+      return evaluateScope(policy, context, context.evaluation.file_path, context.evaluation.access);
+  }
+}
+function evaluateScope(policy, context, filePath, access) {
+  const allowed = () => ({
+    allowed: true,
+    matchedRules: [],
+    action: "allow",
+    failClosed: false
+  });
+  if (policy.scope.harness_paths_exempt && isHarnessPath(context.projectRoot, filePath)) {
+    return allowed();
+  }
+  if (policy.scope.runtime_paths_exempt && isRuntimePath(context.projectRoot, filePath, context.taskWorkspace)) {
+    return allowed();
+  }
+  if (!context.taskId) {
+    if (access === "write" && policy.scope.fail_closed) {
+      return {
+        allowed: false,
+        matchedRules: [],
+        action: resolveAction(policy.mode, [{ id: "scope:no-task", category: "command", reason: "No active task; fail-closed for write operations" }]),
+        failClosed: true
+      };
+    }
+    return allowed();
+  }
+  const scopes = context.taskScopes || [];
+  if (scopes.length === 0) {
+    return allowed();
+  }
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith("/")) {
+    const absPath = resolve9(filePath);
+    if (!absPath.startsWith(context.taskWorkspace + "/") && !isHarnessPath(context.projectRoot, filePath)) {
+      const reason2 = `Absolute path '${filePath}' is outside task runtime boundary. Allowed root: ${context.taskWorkspace}`;
+      const matched2 = [{ id: "scope:workspace-boundary", category: "command", reason: reason2 }];
+      return {
+        allowed: policy.mode !== "enforce",
+        matchedRules: matched2,
+        action: resolveAction(policy.mode, matched2),
+        failClosed: false
+      };
+    }
+  }
+  const monorepoRoot = context.monorepoRoot || process.env.MONOREPO_ROOT?.trim() || context.taskWorkspace || context.projectRoot;
+  let normalizedPath = filePath;
+  if (context.taskWorkspace && context.taskWorkspace !== context.projectRoot && filePath.startsWith(context.taskWorkspace + "/")) {
+    normalizedPath = filePath.slice(context.taskWorkspace.length + 1);
+  }
+  normalizedPath = normalizePathToScope(context.projectRoot, monorepoRoot, normalizedPath);
+  if (scopeMatches(filePath, scopes) || scopeMatches(normalizedPath, scopes)) {
+    return allowed();
+  }
+  const reason = `File '${filePath}' (normalized: '${normalizedPath}') is outside scope of task ${context.taskId}`;
+  const matched = [{ id: "scope:out-of-scope", category: "command", reason }];
+  return {
+    allowed: policy.mode !== "enforce",
+    matchedRules: matched,
+    action: resolveAction(policy.mode, matched),
+    failClosed: false
+  };
+}
+function evaluateCommand(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "command") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const command = evaluation.command;
+  const matchedRules = [];
+  for (const rule of policy.rules) {
+    if (rule.category !== "command")
+      continue;
+    if (!matchRule(rule, command))
+      continue;
+    if (matchRuleUnless(rule, command, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      description: rule.description,
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const writeTarget = extractWriteTarget(command);
+  if (writeTarget && !/^\/dev\//.test(writeTarget) && !/^\/proc\//.test(writeTarget)) {
+    const scopeResult = evaluateScope(policy, context, writeTarget, "write");
+    if (!scopeResult.allowed || scopeResult.matchedRules.length > 0) {
+      matchedRules.push(...scopeResult.matchedRules);
+    }
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function extractWriteTarget(command) {
+  const redirect = command.match(/>>?\s+([^\s;|&]+)/);
+  if (redirect?.[1])
+    return redirect[1];
+  const tee = command.match(/tee\s+(-a\s+)?([^\s;|&]+)/);
+  if (tee?.[2])
+    return tee[2];
+  return "";
+}
+function evaluateContent(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "content-write") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { content, file_path } = evaluation;
+  const matchedRules = [];
+  const scopeResult = evaluateScope(policy, context, file_path, "write");
+  if (scopeResult.matchedRules.length > 0) {
+    matchedRules.push(...scopeResult.matchedRules);
+  }
+  for (const rule of policy.rules) {
+    if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+      continue;
+    if (rule.applies_to === "test-files" && !isTestFile(file_path))
+      continue;
+    if (!matchRule(rule, content))
+      continue;
+    if (matchRuleUnless(rule, content, context.taskId))
+      continue;
+    matchedRules.push({
+      id: rule.id,
+      category: rule.category,
+      description: rule.description,
+      reason: rule.description || `Matched rule ${rule.id}`
+    });
+  }
+  const action = resolveAction(policy.mode, matchedRules);
+  return {
+    allowed: action !== "block",
+    matchedRules,
+    action,
+    failClosed: false
+  };
+}
+function evaluateToolCall(policy, context) {
+  const evaluation = context.evaluation;
+  if (evaluation.type !== "tool-call") {
+    return { allowed: true, matchedRules: [], action: "allow", failClosed: false };
+  }
+  const { tool_name, tool_input } = evaluation;
+  const allMatched = [];
+  const filePaths = extractFilePathsFromToolInput(tool_name, tool_input);
+  for (const fp of filePaths) {
+    const access = isWriteTool(tool_name) ? "write" : "read";
+    const scopeResult = evaluateScope(policy, context, fp, access);
+    if (scopeResult.matchedRules.length > 0) {
+      allMatched.push(...scopeResult.matchedRules);
+    }
+  }
+  const content = extractContentFromToolInput(tool_input);
+  if (content) {
+    const filePath = filePaths[0] || "";
+    const contentContext = {
+      ...context,
+      evaluation: { type: "content-write", file_path: filePath, content }
+    };
+    const contentPolicy = loadPolicy(context.projectRoot);
+    for (const rule of contentPolicy.rules) {
+      if (rule.category !== "content" && rule.category !== "import" && rule.category !== "test-integrity")
+        continue;
+      if (rule.applies_to === "test-files" && !isTestFile(filePath))
+        continue;
+      if (!matchRule(rule, content))
+        continue;
+      if (matchRuleUnless(rule, content, context.taskId))
+        continue;
+      allMatched.push({
+        id: rule.id,
+        category: rule.category,
+        description: rule.description,
+        reason: rule.description || `Matched rule ${rule.id}`
+      });
+    }
+  }
+  if (tool_name === "Bash") {
+    const command = String(tool_input.command || tool_input.cmd || "");
+    if (command) {
+      const cmdContext = {
+        ...context,
+        evaluation: { type: "command", command }
+      };
+      const cmdResult = evaluateCommand(policy, cmdContext);
+      if (cmdResult.matchedRules.length > 0) {
+        allMatched.push(...cmdResult.matchedRules);
+      }
+    }
+  }
+  const seen = new Set;
+  const deduplicated = [];
+  for (const rule of allMatched) {
+    if (!seen.has(rule.id)) {
+      seen.add(rule.id);
+      deduplicated.push(rule);
+    }
+  }
+  const action = resolveAction(policy.mode, deduplicated);
+  return {
+    allowed: action !== "block",
+    matchedRules: deduplicated,
+    action,
+    failClosed: false
+  };
+}
+function isWriteTool(toolName) {
+  return toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit";
+}
+function extractFilePathsFromToolInput(toolName, input) {
+  const paths = [];
+  const add = (value) => {
+    if (typeof value === "string" && value.trim()) {
+      paths.push(value.trim());
+    }
+  };
+  if (toolName === "Read" || toolName === "Write" || toolName === "Edit" || toolName === "MultiEdit") {
+    add(input.file_path);
+    add(input.path);
+  } else if (toolName === "Glob") {
+    add(input.path);
+  } else if (toolName === "Grep") {
+    add(input.path);
+  } else {
+    add(input.file_path);
+    add(input.path);
+  }
+  return paths;
+}
+function extractContentFromToolInput(input) {
+  if (typeof input.content === "string")
+    return input.content;
+  if (typeof input.new_string === "string")
+    return input.new_string;
+  return "";
+}
+var guardHotPathPrimed = false;
+function primeGuardHotPaths() {
+  if (guardHotPathPrimed) {
+    return;
+  }
+  guardHotPathPrimed = true;
+  try {
+    optimizeNextInvocation(matchRule);
+    optimizeNextInvocation(evaluate);
+  } catch {}
+}
+primeGuardHotPaths();
+
+// packages/runtime/src/control-plane/runtime/sandbox/backend.ts
+init_utils();
+// packages/runtime/src/control-plane/runtime/isolation/runner.ts
+init_layout();
+var SNAPSHOT_SIDECAR_READY_TIMEOUT_MS = 1e4;
+async function startRuntimeSnapshotSidecar(runtime, options = {}) {
+  const instanceId = sanitizeRuntimeRefSegment(options.instanceId?.trim() || runtime.id);
+  const readyFile = resolve10(runtime.stateDir, `runtime-snapshot-sidecar-${instanceId}.ready`);
+  const requestFile = resolve10(runtime.stateDir, `runtime-snapshot-sidecar-${instanceId}.request.json`);
+  rmSync2(readyFile, { force: true });
+  rmSync2(requestFile, { force: true });
+  const sidecarBinary = resolveSnapshotSidecarBinaryPath(runtime.binDir);
+  const useCompiledSidecar = shouldUseCompiledSnapshotSidecar(sidecarBinary);
+  const bunCli = useCompiledSidecar ? null : resolveBunCliInvocation();
+  const command = useCompiledSidecar ? [sidecarBinary] : [bunCli.command, resolveSnapshotSidecarScriptPath()];
+  const proc = Bun.spawn([
+    ...command,
+    "--workspace",
+    runtime.workspaceDir,
+    "--task",
+    runtime.taskId,
+    "--runtime-id",
+    runtime.id,
+    "--instance-id",
+    instanceId,
+    "--ready-file",
+    readyFile,
+    "--request-file",
+    requestFile
+  ], {
+    cwd: runtime.workspaceDir,
+    stdin: "ignore",
+    stdout: "pipe",
+    stderr: "pipe",
+    env: {
+      ...process.env,
+      ...bunCli?.env ?? {}
+    }
+  });
+  const stdoutTextPromise = drainStream(proc.stdout);
+  const stderrTextPromise = drainStream(proc.stderr);
+  await waitForSnapshotSidecarReady(readyFile, proc, stdoutTextPromise, stderrTextPromise);
+  return {
+    cancel: async () => {
+      try {
+        proc.kill("SIGTERM");
+      } catch {}
+      await proc.exited;
+      rmSync2(readyFile, { force: true });
+      rmSync2(requestFile, { force: true });
+    },
+    finalize: async (commandParts, exitCode) => {
+      writeFileSync2(requestFile, `${JSON.stringify({ command: commandParts, exitCode })}
+`, "utf-8");
+      const [sidecarExitCode, stdout, stderr] = await Promise.all([
+        proc.exited,
+        stdoutTextPromise,
+        stderrTextPromise
+      ]);
+      rmSync2(readyFile, { force: true });
+      rmSync2(requestFile, { force: true });
+      if (sidecarExitCode !== 0) {
+        throw new Error(`snapshot sidecar failed (${sidecarExitCode}): ${stderr || stdout}`);
+      }
+    }
+  };
+}
+async function drainStream(stream) {
+  if (!stream)
+    return "";
+  try {
+    return await new Response(stream).text();
+  } catch {
+    return "";
+  }
+}
+function resolveSnapshotSidecarScriptPath() {
+  return resolveRuntimeSourceScriptPath("snapshot-sidecar.ts");
+}
+function resolveSnapshotSidecarBinaryPath(binDir) {
+  return resolve10(binDir, "snapshot-sidecar");
+}
+function shouldUseCompiledSnapshotSidecar(binaryPath) {
+  if (!existsSync6(binaryPath)) {
+    return false;
+  }
+  const preference = process.env.RIG_USE_COMPILED_SNAPSHOT_SIDECAR?.trim().toLowerCase();
+  if (!preference) {
+    return false;
+  }
+  return preference === "1" || preference === "true" || preference === "yes";
+}
+function resolveRuntimeSourceScriptPath(fileName) {
+  const hostRoots = [
+    process.env.RIG_HOST_PROJECT_ROOT?.trim(),
+    process.env.PROJECT_RIG_ROOT?.trim()
+  ].filter((value) => Boolean(value));
+  for (const root of hostRoots) {
+    const candidate = resolve10(root, "packages/runtime/src/control-plane/runtime", fileName);
+    if (existsSync6(candidate)) {
+      return candidate;
+    }
+  }
+  return resolve10(import.meta.dir, "..", fileName);
+}
+function resolveBunCliInvocation() {
+  if (process.env.RIG_BUN_PATH?.trim()) {
+    return {
+      command: process.env.RIG_BUN_PATH.trim(),
+      env: {}
+    };
+  }
+  const systemBun = Bun.which("bun")?.trim();
+  if (systemBun) {
+    return {
+      command: systemBun,
+      env: {}
+    };
+  }
+  if (process.execPath?.trim()) {
+    return {
+      command: process.execPath,
+      env: { BUN_BE_BUN: "1" }
+    };
+  }
+  return { command: "bun", env: {} };
+}
+async function waitForSnapshotSidecarReady(readyFile, proc, stdoutTextPromise, stderrTextPromise) {
+  const deadline = Date.now() + SNAPSHOT_SIDECAR_READY_TIMEOUT_MS;
+  while (Date.now() < deadline) {
+    if (existsSync6(readyFile)) {
+      return;
+    }
+    const exitCode = proc.exitCode;
+    if (exitCode !== null) {
+      const [stderr, stdout] = await Promise.all([stderrTextPromise, stdoutTextPromise]);
+      throw new Error(`snapshot sidecar exited before ready (${exitCode}): ${stderr || stdout}`);
+    }
+    await Bun.sleep(25);
+  }
+  throw new Error(`snapshot sidecar did not become ready within ${SNAPSHOT_SIDECAR_READY_TIMEOUT_MS}ms`);
+}
+// packages/runtime/src/control-plane/runtime/task-run-snapshot.ts
+async function resolveTaskRunSnapshotSidecar(input) {
+  const listRuntimes = input.listRuntimes ?? listAgentRuntimes;
+  const startSidecar = input.startSidecar ?? startRuntimeSnapshotSidecar;
+  const runtimes = await listRuntimes(input.projectRoot);
+  const runtime = runtimes.find((candidate) => candidate.id === input.runtimeId) ?? (input.workspaceDir ? runtimes.find((candidate) => candidate.workspaceDir === input.workspaceDir) : undefined);
+  if (!runtime) {
+    return {
+      sidecar: null,
+      error: `Could not locate runtime metadata for ${input.runtimeId}.`
+    };
+  }
+  try {
+    return {
+      sidecar: await startSidecar(runtime),
+      error: null
+    };
+  } catch (error) {
+    return {
+      sidecar: null,
+      error: error instanceof Error ? error.message : String(error)
+    };
+  }
+}
+async function finalizeTaskRunSnapshot(input) {
+  const snapshotSidecar = await (input.snapshotSidecarPromise ?? Promise.resolve(null));
+  if (!snapshotSidecar) {
+    return "unavailable";
+  }
+  if (input.exit.error) {
+    await snapshotSidecar.cancel();
+    return "cancelled";
+  }
+  const exitCode = typeof input.exit.code === "number" ? input.exit.code : 1;
+  try {
+    await snapshotSidecar.finalize(input.latestProviderCommand ?? input.hostAgentCommand, exitCode);
+    return "finalized";
+  } catch (error) {
+    if (exitCode !== 0) {
+      throw error;
+    }
+    return "unavailable";
+  }
+}
+export {
+  resolveTaskRunSnapshotSidecar,
+  finalizeTaskRunSnapshot
+};