mixdog 0.7.1

package/scripts/bridge-unify-smoke.mjs

@@ -0,0 +1,308 @@
+#!/usr/bin/env node
+// bridge-unify-smoke.mjs — arg-routing checks for the unified `bridge` tool.
+//
+// Exercises the type-discriminator routing and tag-registry guard rails on the
+// fast-fail branches (no provider/model needed): list on an empty store,
+// send/close against an unknown tag, spawn missing role, and the type-less
+// (default spawn) backward-compat path. Does NOT spin a real worker.
+
+import { tmpdir } from 'os';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { mkdirSync, writeFileSync, rmSync } from 'fs';
+
+const ROOT = join(dirname(fileURLToPath(import.meta.url)), '..');
+process.env.CLAUDE_PLUGIN_ROOT ||= ROOT;
+// MUST be unconditional (`=`, not `||=`): when the smoke runs inside a real
+// mixdog environment CLAUDE_PLUGIN_DATA already points at the LIVE plugin data
+// dir, so `||=` would write the synthetic `sess_<pid>_<scenario>_<ts>` fixtures
+// straight into the production session store. Those fixtures (provider/model
+// `none`, closed:false, no `owner`) slip past both sweeps and linger forever in
+// `bridge list` / the statusline. Force an isolated per-pid temp dir, always.
+const _SMOKE_DATA_DIR = join(tmpdir(), `mixdog-bridge-unify-smoke-${process.pid}`);
+process.env.CLAUDE_PLUGIN_DATA = _SMOKE_DATA_DIR;
+process.env.MIXDOG_SKIP_USER_DATA_BACKUP = '1';
+
+const { handleToolCall } = await import('../src/agent/index.mjs');
+// updateSessionStage drives the in-memory runtime stage the send busy-guard
+// consults when session.status is still unset — exercised by the startup-window
+// race case (#1) below.
+const { updateSessionStage, drainPendingMessages } = await import('../src/agent/orchestrator/session/manager.mjs');
+// initProviders lets the cold-tag respawn case register a network-free dummy
+// provider so the spawn path passes its synchronous provider check and returns
+// a detached jobId (the real API call is deferred to the IIFE, never reached).
+const { initProviders } = await import('../src/agent/orchestrator/providers/registry.mjs');
+
+// Write a minimal on-disk session fixture so the unified `bridge type=send`
+// path (which resolves a raw sess_ id via getSession/loadSession) can be
+// exercised without spinning a real provider-backed worker. The send handler's
+// busy-guard reads session.status BEFORE calling askSession, so a fixture is
+// enough to assert the resumability guard rails (bugs #1/#2).
+const _sessionsDir = join(process.env.CLAUDE_PLUGIN_DATA, 'sessions');
+function writeSessionFixture(id, status) {
+  mkdirSync(_sessionsDir, { recursive: true });
+  const now = Date.now();
+  const session = {
+    id,
+    status,
+    closed: false,
+    generation: 0,
+    provider: 'none',          // unknown provider → askSession fails fast (no hang)
+    model: 'none',
+    messages: [],
+    tools: [],
+    createdAt: now,
+    updatedAt: now,
+  };
+  writeFileSync(join(_sessionsDir, `${id}.json`), JSON.stringify(session));
+  return id;
+}
+
+let passed = 0;
+let failed = 0;
+function check(name, fn) {
+  return Promise.resolve()
+    .then(fn)
+    .then(() => { passed++; console.log(`  PASS  ${name}`); })
+    .catch((e) => { failed++; console.log(`  FAIL  ${name}\n        ${e?.message || e}`); });
+}
+
+// Tool results are MCP content blocks: { content: [{ type:'text', text }], isError? }.
+function textOf(res) {
+  if (res && Array.isArray(res.content)) {
+    return res.content.map((c) => (c && typeof c.text === 'string' ? c.text : '')).join('');
+  }
+  return typeof res === 'string' ? res : JSON.stringify(res);
+}
+function assert(cond, msg) { if (!cond) throw new Error(msg || 'assertion failed'); }
+
+await check('type=list on empty store → "No active sessions."', async () => {
+  const res = await handleToolCall('bridge', { type: 'list' }, {});
+  const t = textOf(res);
+  assert(/No active sessions/.test(t), `unexpected: ${t}`);
+});
+
+await check('type=send with unknown tag → clear error', async () => {
+  const res = await handleToolCall('bridge', { type: 'send', tag: 'nope1', message: 'hi' }, {});
+  const t = textOf(res);
+  assert(res.isError === true, 'expected isError');
+  assert(/not found \(may have been reaped after 5min\) — include a role to respawn fresh/.test(t), `unexpected: ${t}`);
+});
+
+await check('type=send unknown tag WITH role → respawns fresh (jobId)', async () => {
+  // Register a network-free dummy provider so the spawn path passes its
+  // synchronous provider check. The bench escape hatch (provider+model) builds
+  // an ad-hoc preset so no user-workflow.json role mapping is needed. spawn
+  // returns the jobId synchronously; the real API call (which would fail on the
+  // dummy key) is deferred to the detached IIFE and never asserted here.
+  await initProviders({ anthropic: { enabled: true, apiKey: 'dummy-smoke-key' } });
+  const res = await handleToolCall('bridge', { type: 'send', tag: 'respawn1', role: 'worker', provider: 'anthropic', model: 'claude-3-haiku', message: 'hi' }, {});
+  const t = textOf(res);
+  assert(res.isError !== true, `expected success, got: ${t}`);
+  assert(/"jobId"\s*:\s*"bridge_/.test(t), `expected a jobId, got: ${t}`);
+});
+
+await check('type=send missing message → error', async () => {
+  const res = await handleToolCall('bridge', { type: 'send', tag: 'x' }, {});
+  assert(res.isError === true, 'expected isError');
+});
+
+await check('type=close with unknown tag → error', async () => {
+  const res = await handleToolCall('bridge', { type: 'close', tag: 'nope2' }, {});
+  const t = textOf(res);
+  assert(res.isError === true, 'expected isError');
+  assert(/does not map to a live session/.test(t), `unexpected: ${t}`);
+});
+
+await check('type=close missing tag → error', async () => {
+  const res = await handleToolCall('bridge', { type: 'close' }, {});
+  assert(res.isError === true, 'expected isError');
+});
+
+await check('unknown type → error', async () => {
+  const res = await handleToolCall('bridge', { type: 'bogus', role: 'worker' }, {});
+  const t = textOf(res);
+  assert(res.isError === true, 'expected isError');
+  assert(/unknown type/.test(t), `unexpected: ${t}`);
+});
+
+await check('default (no type) + no role → spawn path "role is required"', async () => {
+  const res = await handleToolCall('bridge', {}, {});
+  const t = textOf(res);
+  assert(res.isError === true, 'expected isError');
+  assert(/role is required/.test(t), `unexpected: ${t}`);
+});
+
+await check('type=spawn + role but no prompt/message → prompt resolution error', async () => {
+  const res = await handleToolCall('bridge', { type: 'spawn', role: 'nonexistent-role-xyz' }, {});
+  const t = textOf(res);
+  assert(res.isError === true, 'expected isError');
+  // Either prompt-missing or role-not-found surfaces — both prove routing into spawn.
+  assert(/prompt|role|provide exactly one/.test(t), `unexpected: ${t}`);
+});
+
+// --- Resumability guard rails (bugs #1/#2) ---------------------------------
+// These drive the unified `bridge type=send` path against an on-disk session
+// fixture addressed by raw sess_ id (the tag→sessionId registry is module
+// private; raw-id passthrough exercises the same handler code).
+
+await check('type=send while worker running → queued (not rejected)', async () => {
+  // pendingMessages pattern: a send during the in-flight turn must NOT become
+  // the first user message and must NOT be rejected — it enqueues and drains
+  // after the current turn. A non-terminal status trips the queue branch
+  // before askSession.
+  const sid = writeSessionFixture(`sess_${process.pid}_running_${Date.now()}`, 'running');
+  const res = await handleToolCall('bridge', { type: 'send', sessionId: sid, message: 'race' }, {});
+  const t = textOf(res);
+  assert(res.isError !== true, `expected success (queued), got: ${t}`);
+  assert(/"queued"\s*:\s*true/.test(t), `expected queued:true, got: ${t}`);
+  assert(!/still starting|retry shortly/.test(t), `must not reject a busy send anymore: ${t}`);
+  // The message must actually be parked on the pending queue.
+  const drained = drainPendingMessages(sid);
+  assert(drained.length === 1 && drained[0] === 'race', `expected ['race'] queued, got: ${JSON.stringify(drained)}`);
+});
+
+await check('type=send to non-terminal (connecting) status → queued', async () => {
+  // Same branch, mid-startup stage label — queues instead of rejecting. Since
+  // queuing preserves order, the connecting/startup window can queue safely:
+  // the queued send runs after the worker's first turn.
+  const sid = writeSessionFixture(`sess_${process.pid}_connecting_${Date.now()}`, 'connecting');
+  const res = await handleToolCall('bridge', { type: 'send', sessionId: sid, message: 'race' }, {});
+  const t = textOf(res);
+  assert(res.isError !== true, `expected success (queued), got: ${t}`);
+  assert(/"queued"\s*:\s*true/.test(t), `expected queued:true, got: ${t}`);
+  assert(!/still starting|retry shortly/.test(t), `must not reject a connecting send anymore: ${t}`);
+});
+
+await check('type=send to idle session → returns a jobId synchronously (detached, no inline response)', async () => {
+  // Bug #1 + async detach: once the initial turn has settled to a terminal
+  // status the send must NOT be rejected by the busy-guard — it passes the
+  // guard, cancels the pending 120s reap, and (now) returns IMMEDIATELY with a
+  // detached jobId instead of blocking on askSession. The provider failure on
+  // the dummy session now surfaces asynchronously via notifyFn, NOT in this
+  // synchronous return value.
+  const sid = writeSessionFixture(`sess_${process.pid}_idle_${Date.now()}`, 'idle');
+  const res = await handleToolCall('bridge', { type: 'send', sessionId: sid, message: 'resume' }, {});
+  const t = textOf(res);
+  assert(res.isError !== true, `expected a synchronous jobId return (not an error), got: ${t}`);
+  // Must be the immediate detached return, NOT the busy-guard.
+  assert(!/still starting|retry shortly/.test(t), `guard wrongly rejected an idle resume: ${t}`);
+  assert(/bridge_\d+_/.test(t), `expected a detached jobId in the sync return, got: ${t}`);
+  assert(/"detached":\s*true/.test(t), `expected detached:true in the sync return, got: ${t}`);
+  // The resume reply is delivered later via dispatch_result/notifyFn — the
+  // synchronous return must NOT carry an inline response/usage payload.
+  assert(!/"response"/.test(t), `send must not return an inline response now: ${t}`);
+});
+
+await check('type=send during startup window (tag bound, status not yet running) → queued', async () => {
+  // Bug #1 (round 2): spawn binds the tag and retry rebinds it BEFORE the
+  // session status is written 'running' / the runtime entry reaches askSession.
+  // A send landing in that gap must NOT slip through as the first user turn.
+  // The runtime stage is marked 'connecting' at the moment the tag is bound, so
+  // the queue branch's active-status set catches the window even though
+  // session.status is still unwritten — the send is QUEUED and drained after
+  // the worker's first turn, preserving order. Simulate by writing a fixture
+  // with NO status, then setting the runtime stage to 'connecting' the way the
+  // spawn/retry bind now does.
+  const sid = writeSessionFixture(`sess_${process.pid}_startwin_${Date.now()}`, undefined);
+  updateSessionStage(sid, 'connecting');
+  const res = await handleToolCall('bridge', { type: 'send', sessionId: sid, message: 'race' }, {});
+  const t = textOf(res);
+  assert(res.isError !== true, `expected success (queued), got: ${t}`);
+  assert(/"queued"\s*:\s*true/.test(t), `expected queued:true, got: ${t}`);
+  assert(!/still starting|retry shortly/.test(t), `startup-window send must queue, not reject: ${t}`);
+});
+
+await check('failed resume re-arms reap → session stays usable for a follow-up send', async () => {
+  // Bug #2 (round 2): send cancels the pending reap before resuming, but the
+  // reap was previously re-armed only on the success path — a failed resumed
+  // turn left the reap canceled, so the idle/error session was never terminally
+  // reaped. The fix re-arms _scheduleBridgeReap in a finally (idempotent). The
+  // reap timer is module-private, so assert the observable consequence: after a
+  // FIRST resume that fails on the dummy provider, a SECOND send to the same
+  // session still passes the busy-guard and reaches askSession (the failed
+  // resume left the session addressable + the reap re-armed, not orphaned).
+  const sid = writeSessionFixture(`sess_${process.pid}_failresume_${Date.now()}`, 'idle');
+  const first = await handleToolCall('bridge', { type: 'send', sessionId: sid, message: 'resume-1' }, {});
+  const t1 = textOf(first);
+  assert(first.isError !== true, `expected first resume to detach (jobId), got: ${t1}`);
+  assert(!/still starting|retry shortly/.test(t1), `first resume wrongly guard-rejected: ${t1}`);
+  assert(/bridge_\d+_/.test(t1), `expected first resume jobId, got: ${t1}`);
+  // The detached resume fails on the dummy provider in the background and
+  // re-arms the reap in its finally. Yield so that async tail can settle.
+  await new Promise((r) => setTimeout(r, 50));
+  // Re-mark idle (real path: failed turn flips status to 'idle'/'error'; the
+  // fixture write here restores a terminal status so the second send is guarded
+  // the same way) and re-send.
+  writeSessionFixture(sid, 'idle');
+  const second = await handleToolCall('bridge', { type: 'send', sessionId: sid, message: 'resume-2' }, {});
+  const t2 = textOf(second);
+  assert(second.isError !== true, `expected second resume to detach (jobId), got: ${t2}`);
+  assert(!/still starting|retry shortly/.test(t2), `second resume wrongly guard-rejected (session orphaned by failed resume?): ${t2}`);
+  assert(/bridge_\d+_/.test(t2), `expected second resume jobId (session addressable + reap re-armed, not orphaned), got: ${t2}`);
+});
+
+await check('type=send in post-askSession/pre-idle gap (persisted running, runtime done) → NOT stranded', async () => {
+  // Bug #2: spawn keeps persisted status 'running' until AFTER the completion
+  // emit (updateSessionStatus(idle) runs OUTSIDE askSession, past the drain
+  // point). A send landing after askSession returned but before status flips
+  // to 'idle' used to see persisted 'running' and ENQUEUE — but askSession had
+  // already drained and returned, so nothing consumed it: stranded + out of
+  // order. The busy-guard now prefers the RUNTIME terminal stage over the
+  // stale persisted 'running', so the send does a fresh detached resume
+  // instead of queuing into the void. Simulate: persisted status 'running'
+  // (not yet flipped), runtime stage 'done' (markSessionDone ran before the
+  // turn-loop drain).
+  const sid = writeSessionFixture(`sess_${process.pid}_gap_${Date.now()}`, 'running');
+  updateSessionStage(sid, 'done');
+  const res = await handleToolCall('bridge', { type: 'send', sessionId: sid, message: 'gap' }, {});
+  const t = textOf(res);
+  assert(res.isError !== true, `expected a detached resume, got: ${t}`);
+  assert(!/"queued"\s*:\s*true/.test(t), `must NOT enqueue in the post-askSession/pre-idle gap (would strand): ${t}`);
+  assert(/bridge_\d+_/.test(t), `expected a detached jobId (fresh resume), got: ${t}`);
+  // Nothing parked on the queue — proves the message was not stranded.
+  assert(drainPendingMessages(sid).length === 0, 'queue must be empty (message not stranded)');
+});
+
+await check('type=send raw MISSING sess_ id WITH role → respawns fresh (jobId), not a dead-session resume', async () => {
+  // Bug #5: a raw `sess_...` id that does NOT resolve to a LIVE session must
+  // fall into the reaped/unknown branch — with a role present, that means a
+  // fresh respawn (spawn path), NOT an async askSession launched against a
+  // missing/closed session. The id below is never written to disk, so
+  // _isLiveSession() rejects it and the precheck flips bridgeType→spawn.
+  await initProviders({ anthropic: { enabled: true, apiKey: 'dummy-smoke-key' } });
+  const missing = `sess_${process.pid}_ghost_${Date.now()}`;
+  const res = await handleToolCall('bridge', { type: 'send', sessionId: missing, role: 'worker', provider: 'anthropic', model: 'claude-3-haiku', message: 'hi' }, {});
+  const t = textOf(res);
+  assert(res.isError !== true, `expected a fresh respawn, got: ${t}`);
+  assert(/"jobId"\s*:\s*"bridge_/.test(t), `expected a jobId (fresh spawn), got: ${t}`);
+  // A fresh spawn allocates a NEW session id — it must not echo the dead id.
+  assert(!t.includes(missing), `respawn must not resume the missing/dead session id: ${t}`);
+});
+
+await check('multiple sends to a running worker → queued FIFO, drained in order', async () => {
+  // Order preservation: two sends landing during the same in-flight turn must
+  // queue in arrival order and drain in that order (the askSession turn loop
+  // shifts them off the front as follow-up turns). queueDepth reflects the
+  // growing queue.
+  const sid = writeSessionFixture(`sess_${process.pid}_fifo_${Date.now()}`, 'running');
+  const r1 = await handleToolCall('bridge', { type: 'send', sessionId: sid, message: 'first' }, {});
+  const r2 = await handleToolCall('bridge', { type: 'send', sessionId: sid, message: 'second' }, {});
+  const t1 = textOf(r1); const t2 = textOf(r2);
+  assert(/"queued"\s*:\s*true/.test(t1) && /"queued"\s*:\s*true/.test(t2), `both sends must queue, got: ${t1} | ${t2}`);
+  assert(/"queueDepth"\s*:\s*1/.test(t1), `first queued send should report queueDepth 1, got: ${t1}`);
+  assert(/"queueDepth"\s*:\s*2/.test(t2), `second queued send should report queueDepth 2, got: ${t2}`);
+  // Drain mirrors what askSession does after each turn — FIFO order.
+  const drained = drainPendingMessages(sid);
+  assert(drained.length === 2 && drained[0] === 'first' && drained[1] === 'second',
+    `expected ['first','second'] in order, got: ${JSON.stringify(drained)}`);
+  // Queue is emptied after drain.
+  assert(drainPendingMessages(sid).length === 0, 'queue must be empty after drain');
+});
+
+console.log(`\nbridge-unify-smoke: ${passed} passed, ${failed} failed`);
+// Remove the isolated data dir so no fixture survives the run. Belt-and-braces
+// with the unconditional CLAUDE_PLUGIN_DATA override above: even the isolated
+// temp store should not accumulate per-pid dirs across repeated smoke runs.
+try { rmSync(_SMOKE_DATA_DIR, { recursive: true, force: true }); } catch { /* best-effort */ }
+process.exit(failed === 0 ? 0 : 1);

package/scripts/build-runtime-linux.sh

@@ -0,0 +1,348 @@
+#!/usr/bin/env bash
+# build-runtime-linux.sh — Build self-contained PostgreSQL 16 + pgvector runtime on Linux.
+# Designed to run inside ubuntu:20.04 container (glibc 2.31 floor) so produced
+# binaries run on every distro from Ubuntu 20.04 / Debian 11 / RHEL 8 forward.
+# Targets the runner's native arch (x64 or arm64).
+# Produces: dist/mixdog-runtime-linux-{arch}-pg{pgver}-pgvector{vecver}.tar.gz
+# Bundles foreign dyn deps via ldd transitive closure (binaries + ALL extension
+# modules under lib/postgresql/) + patchelf rpath rewrite. Final smoke: initdb,
+# pg_ctl start, CREATE EXTENSION vector, distance query, stop.
+
+set -euo pipefail
+
+PG_VERSION="16.4"
+PGVECTOR_VERSION="0.8.2"
+TARGET_OS="${TARGET_OS:-linux}"
+TARGET_ARCH="${TARGET_ARCH:-x64}"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+BUILD_DIR="$ROOT_DIR/build/runtime-linux-$TARGET_ARCH"
+STAGE_DIR="$BUILD_DIR/stage"
+DIST_DIR="$ROOT_DIR/dist"
+RUNTIME_DIR="$BUILD_DIR/runtime"
+
+OUTPUT_NAME="mixdog-runtime-${TARGET_OS}-${TARGET_ARCH}-pg${PG_VERSION}-pgvector${PGVECTOR_VERSION}.tar.gz"
+
+mkdir -p "$BUILD_DIR" "$STAGE_DIR" "$DIST_DIR" "$RUNTIME_DIR"/{bin,lib,share}
+
+# ---------------------------------------------------------------------------
+# Build deps. SUDO=sudo iff non-root; inside ubuntu:20.04 container we are root.
+# ---------------------------------------------------------------------------
+SUDO=""
+if [[ "$(id -u)" -ne 0 ]]; then SUDO="sudo"; fi
+# Export rather than inline-assign before $SUDO: when SUDO is empty (root),
+# `$SUDO DEBIAN_FRONTEND=... apt-get` would parse the env-assignment as a
+# command name and fail with "command not found".
+export DEBIAN_FRONTEND=noninteractive
+
+echo "==> Installing build dependencies"
+$SUDO apt-get update -qq
+$SUDO apt-get install -y --no-install-recommends \
+  build-essential libreadline-dev zlib1g-dev libssl-dev \
+  libicu-dev libxml2-dev libzstd-dev liblz4-dev \
+  pkg-config curl git ca-certificates patchelf file \
+  bsdmainutils
+
+if [[ -x "$STAGE_DIR/bin/postgres" ]]; then
+  echo "==> Cache hit: PG already built at $STAGE_DIR — skipping configure/make"
+  unset TARGET_OS TARGET_ARCH
+else
+  echo "==> Downloading PostgreSQL $PG_VERSION source"
+  cd "$BUILD_DIR"
+  if [[ ! -f "postgresql-${PG_VERSION}.tar.gz" ]]; then
+    curl -fsSL "https://ftp.postgresql.org/pub/source/v${PG_VERSION}/postgresql-${PG_VERSION}.tar.gz" \
+      -o "postgresql-${PG_VERSION}.tar.gz"
+  fi
+  rm -rf "postgresql-${PG_VERSION}"
+  tar xzf "postgresql-${PG_VERSION}.tar.gz"
+
+  echo "==> Configuring PostgreSQL"
+  cd "postgresql-${PG_VERSION}"
+  ./configure \
+    --prefix="$STAGE_DIR" \
+    --without-perl \
+    --without-python \
+    --without-tcl \
+    --with-openssl \
+    --with-libxml \
+    --with-icu \
+    --with-readline \
+    --enable-thread-safety \
+    CFLAGS="-O2"
+
+  echo "==> Building PostgreSQL"
+  # PG Makefile.global has its own TARGET_ARCH var; env-passed TARGET_ARCH=x64
+  # would collide as a make-variable override and leak into compile commands.
+  unset TARGET_OS TARGET_ARCH
+  make -j"$(nproc)"
+  make install
+  make -C contrib/pgcrypto install
+fi
+
+PG_CONFIG="$STAGE_DIR/bin/pg_config"
+export PATH="$STAGE_DIR/bin:$PATH"
+
+echo "==> Stripping PostgreSQL binaries"
+find "$STAGE_DIR" -name '*.so*' -type f -exec strip --strip-debug {} \; 2>/dev/null || true
+find "$STAGE_DIR/bin" -type f -exec strip --strip-all {} \; 2>/dev/null || true
+
+if [[ -f "$STAGE_DIR/lib/postgresql/vector.so" ]]; then
+  echo "==> Cache hit: pgvector already installed — skipping clone/build"
+else
+  echo "==> Cloning pgvector $PGVECTOR_VERSION"
+  cd "$BUILD_DIR"
+  rm -rf pgvector
+  git clone --branch "v${PGVECTOR_VERSION}" --depth 1 \
+    https://github.com/pgvector/pgvector.git pgvector
+
+  echo "==> Building pgvector"
+  cd pgvector
+  make PG_CONFIG="$PG_CONFIG" -j"$(nproc)"
+  make PG_CONFIG="$PG_CONFIG" install
+fi
+
+echo "==> Assembling runtime layout"
+rm -rf "$RUNTIME_DIR"
+mkdir -p "$RUNTIME_DIR"/{bin,lib,share}
+cp -a "$STAGE_DIR/bin/postgres"   "$RUNTIME_DIR/bin/"
+cp -a "$STAGE_DIR/bin/pg_ctl"     "$RUNTIME_DIR/bin/"
+cp -a "$STAGE_DIR/bin/pg_dump"    "$RUNTIME_DIR/bin/"
+cp -a "$STAGE_DIR/bin/pg_restore" "$RUNTIME_DIR/bin/"
+cp -a "$STAGE_DIR/bin/psql"       "$RUNTIME_DIR/bin/"
+cp -a "$STAGE_DIR/bin/initdb"     "$RUNTIME_DIR/bin/"
+
+cp -a "$STAGE_DIR/lib"/.   "$RUNTIME_DIR/lib/"   2>/dev/null || true
+cp -a "$STAGE_DIR/share"/. "$RUNTIME_DIR/share/" 2>/dev/null || true
+
+# ---------------------------------------------------------------------------
+# Bundle foreign dyn deps — seed from binaries AND every extension module
+# under lib/postgresql/. dlopen-loaded modules (extensions) need the same
+# treatment as direct binary deps; missing them = runtime "ERROR: could not
+# load library" on CREATE EXTENSION.
+# ---------------------------------------------------------------------------
+echo "==> Bundling foreign dynamic dependencies (binaries + extensions)"
+
+KEEP_RE='^(linux-vdso|ld-linux|libc\.so|libm\.so|libpthread\.so|libdl\.so|librt\.so|libnsl\.so|libresolv\.so)'
+
+collect_deps() {
+  ldd "$1" 2>/dev/null \
+    | awk '/=>/{print $3}' \
+    | grep -E '^/' \
+    | while read -r path; do
+        bn=$(basename "$path")
+        if echo "$bn" | grep -Eq "$KEEP_RE"; then
+          continue  # system lib — keep on host
+        fi
+        echo "$path"
+      done \
+    | sort -u
+}
+
+declare -A SEEN
+declare -a QUEUE
+# Seeds: binaries + every .so under lib/postgresql/ (extensions, contrib mods).
+for seed in "$RUNTIME_DIR/bin/postgres" "$RUNTIME_DIR/bin/psql" \
+            "$RUNTIME_DIR/bin/pg_ctl"; do
+  [[ -f "$seed" ]] && QUEUE+=("$seed")
+done
+while IFS= read -r -d '' ext; do
+  QUEUE+=("$ext")
+done < <(find "$RUNTIME_DIR/lib/postgresql" -name '*.so' -print0 2>/dev/null)
+
+declare -a FOREIGN
+while [[ ${#QUEUE[@]} -gt 0 ]]; do
+  current="${QUEUE[0]}"
+  QUEUE=("${QUEUE[@]:1}")
+  while IFS= read -r dep; do
+    real="$(readlink -f "$dep")"
+    [[ -n "${SEEN[$real]+x}" ]] && continue
+    SEEN[$real]=1
+    FOREIGN+=("$dep")
+    QUEUE+=("$dep")
+  done < <(collect_deps "$current")
+done
+
+# Sanity: glibc / loader must never be bundled — if KEEP_RE regresses this catches it.
+if find "$RUNTIME_DIR/lib" -maxdepth 1 \
+     \( -name 'libc.so*' -o -name 'ld-linux*' -o -name 'libpthread.so*' \) \
+   | grep -q .; then
+  echo "FATAL: bundled glibc/loader detected — KEEP_RE filter did not work"
+  exit 1
+fi
+
+echo "  bundling ${#FOREIGN[@]} foreign libraries"
+for so_path in "${FOREIGN[@]}"; do
+  real_path="$(readlink -f "$so_path")"
+  real_name="$(basename "$real_path")"
+  if [[ ! -f "$RUNTIME_DIR/lib/$real_name" ]]; then
+    cp -L "$real_path" "$RUNTIME_DIR/lib/$real_name"
+    chmod u+w "$RUNTIME_DIR/lib/$real_name"
+    echo "    + $real_name"
+  fi
+  link="$so_path"
+  while [[ -L "$link" ]]; do
+    link_name="$(basename "$link")"
+    link_target="$(readlink "$link")"
+    if [[ ! -e "$RUNTIME_DIR/lib/$link_name" ]]; then
+      ln -sf "$(basename "$link_target")" "$RUNTIME_DIR/lib/$link_name"
+    fi
+    link="$(dirname "$link")/$link_target"
+  done
+done
+
+echo "==> Stripping static archives from lib/"
+find "$RUNTIME_DIR/lib" -name '*.a' -delete
+
+echo "==> Patching rpath"
+# Binaries: $ORIGIN/../lib (from bin/ to lib/)
+find "$RUNTIME_DIR/bin" -type f -executable | while read -r bin; do
+  if file "$bin" 2>/dev/null | grep -q ELF; then
+    patchelf --set-rpath '$ORIGIN/../lib' "$bin" 2>/dev/null || true
+  fi
+done
+# Top-level lib/*.so*: $ORIGIN
+find "$RUNTIME_DIR/lib" -maxdepth 1 -type f -name '*.so*' | while read -r so; do
+  if file "$so" 2>/dev/null | grep -q ELF; then
+    patchelf --set-rpath '$ORIGIN' "$so" 2>/dev/null || true
+  fi
+done
+# Every extension module under lib/postgresql/: $ORIGIN/.. (=lib/) and $ORIGIN/../.. (=runtime root)
+find "$RUNTIME_DIR/lib/postgresql" -name '*.so' 2>/dev/null | while read -r ext; do
+  if file "$ext" 2>/dev/null | grep -q ELF; then
+    patchelf --set-rpath '$ORIGIN/..:$ORIGIN/../..' "$ext" 2>/dev/null || true
+  fi
+done
+
+# ---------------------------------------------------------------------------
+# Self-contained smoke — full PG lifecycle, not just --version
+# ---------------------------------------------------------------------------
+echo "==> Self-contained smoke test (initdb + CREATE EXTENSION vector + distance query)"
+unset LD_LIBRARY_PATH
+SMOKE_DATA="$BUILD_DIR/smoke-pgdata"
+SMOKE_LOG="$BUILD_DIR/smoke-pg.log"
+SMOKE_PORT=55899
+
+# PG initdb refuses to run as root. Inside ubuntu:20.04 container we are root,
+# so create an unprivileged user and run the smoke under it.
+if [[ "$(id -u)" -eq 0 ]]; then
+  if ! id pguser >/dev/null 2>&1; then useradd -m -s /bin/bash pguser; fi
+  chown -R pguser:pguser "$BUILD_DIR"
+  RUN_AS=(runuser -u pguser --)
+else
+  RUN_AS=()
+fi
+
+"${RUN_AS[@]}" "$RUNTIME_DIR/bin/postgres" --version || { echo "FAIL: postgres --version"; exit 1; }
+MISSING="$(ldd "$RUNTIME_DIR/bin/postgres" 2>&1 | grep 'not found' || true)"
+if [[ -n "$MISSING" ]]; then echo "FAIL: missing deps in postgres:"; echo "$MISSING"; exit 1; fi
+
+SMOKE_OK=""
+for attempt in 1 2 3; do
+  echo "==> Self-contained smoke (attempt $attempt/3)"
+  rm -rf "$SMOKE_DATA"
+  set +e
+  (
+    set -e
+    "${RUN_AS[@]}" "$RUNTIME_DIR/bin/initdb" -D "$SMOKE_DATA" --auth-local=trust --no-locale -E UTF8 -U postgres > /dev/null
+    "${RUN_AS[@]}" "$RUNTIME_DIR/bin/pg_ctl" -D "$SMOKE_DATA" -o "-p $SMOKE_PORT -h 127.0.0.1" -l "$SMOKE_LOG" -w start
+    "${RUN_AS[@]}" "$RUNTIME_DIR/bin/psql" -h 127.0.0.1 -p "$SMOKE_PORT" -U postgres -d postgres -c "CREATE EXTENSION vector;" > /dev/null
+    EXTV="$("${RUN_AS[@]}" "$RUNTIME_DIR/bin/psql" -h 127.0.0.1 -p "$SMOKE_PORT" -U postgres -d postgres -tAc "SELECT extversion FROM pg_extension WHERE extname='vector';")"
+    DIST="$("${RUN_AS[@]}" "$RUNTIME_DIR/bin/psql" -h 127.0.0.1 -p "$SMOKE_PORT" -U postgres -d postgres -tAc "SELECT '[1,2,3]'::vector <-> '[1,2,4]'::vector;")"
+    echo "  vector extension version: $EXTV"
+    echo "  distance query result:    $DIST"
+    [[ "$EXTV" == "$PGVECTOR_VERSION" ]] || { echo "FAIL: extversion=$EXTV expected=$PGVECTOR_VERSION"; exit 1; }
+    "${RUN_AS[@]}" "$RUNTIME_DIR/bin/pg_ctl" -D "$SMOKE_DATA" -m fast stop > /dev/null
+  )
+  attempt_rc=$?
+  set -e
+  if [[ $attempt_rc -eq 0 ]]; then
+    rm -rf "$SMOKE_DATA"
+    echo "  PASS smoke (extension load + vector distance)"
+    SMOKE_OK=1
+    break
+  fi
+  echo "  attempt $attempt failed (rc=$attempt_rc) — cleaning up"
+  echo "  -- last 20 lines of $SMOKE_LOG --"
+  tail -20 "$SMOKE_LOG" 2>/dev/null || true
+  "${RUN_AS[@]}" "$RUNTIME_DIR/bin/pg_ctl" -D "$SMOKE_DATA" -m immediate stop > /dev/null 2>&1 || true
+  pkill -f "$RUNTIME_DIR/bin/postgres" > /dev/null 2>&1 || true
+  rm -rf "$SMOKE_DATA"
+done
+if [[ -z "${SMOKE_OK:-}" ]]; then
+  echo "FAIL: smoke failed all 3 attempts"
+  exit 1
+fi
+
+# Licenses
+curl -fsSL "https://raw.githubusercontent.com/postgres/postgres/REL_16_STABLE/COPYRIGHT" \
+  -o "$RUNTIME_DIR/LICENSE.postgresql"
+cp "$BUILD_DIR/pgvector/LICENSE" "$RUNTIME_DIR/LICENSE.pgvector"
+
+echo "==> Creating tarball: $OUTPUT_NAME"
+tar czf "$DIST_DIR/$OUTPUT_NAME" -C "$RUNTIME_DIR" .
+
+echo "==> Generating sha256 sidecar"
+cd "$DIST_DIR"
+sha256sum "$OUTPUT_NAME" > "${OUTPUT_NAME}.sha256"
+
+# ---------------------------------------------------------------------------
+# Phase A: Re-smoke from EXTRACTED tarball with hostile env. Catches false-pass
+# where the build host happens to satisfy a dep that the tarball is missing.
+# Uses `env -i` to clear all variables, minimal PATH, fresh data dir.
+# ---------------------------------------------------------------------------
+echo "==> Re-smoke from extracted tarball (hostile env, verify self-contained)"
+EXTRACT_DIR="$BUILD_DIR/extract-smoke"
+rm -rf "$EXTRACT_DIR"; mkdir -p "$EXTRACT_DIR"
+tar xzf "$DIST_DIR/$OUTPUT_NAME" -C "$EXTRACT_DIR"
+if [[ "$(id -u)" -eq 0 ]]; then chown -R pguser:pguser "$EXTRACT_DIR"; fi
+EXTRACT_DATA="$EXTRACT_DIR/extract-pgdata"
+EXTRACT_LOG="$EXTRACT_DIR/extract-pg.log"
+EXTRACT_PORT=55898
+
+"${RUN_AS[@]}" env -i HOME="$EXTRACT_DIR" PATH="/usr/bin:/bin" \
+  "$EXTRACT_DIR/bin/postgres" --version
+
+EXTRACT_SMOKE_OK=""
+for attempt in 1 2 3; do
+  echo "==> Re-smoke from extracted tarball (attempt $attempt/3)"
+  rm -rf "$EXTRACT_DATA"
+  set +e
+  (
+    set -e
+    "${RUN_AS[@]}" env -i HOME="$EXTRACT_DIR" PATH="/usr/bin:/bin" \
+      "$EXTRACT_DIR/bin/initdb" -D "$EXTRACT_DATA" --auth-local=trust --no-locale -E UTF8 -U postgres > /dev/null
+    "${RUN_AS[@]}" env -i HOME="$EXTRACT_DIR" PATH="/usr/bin:/bin" \
+      "$EXTRACT_DIR/bin/pg_ctl" -D "$EXTRACT_DATA" -o "-p $EXTRACT_PORT -h 127.0.0.1" -l "$EXTRACT_LOG" -w start
+    "${RUN_AS[@]}" env -i HOME="$EXTRACT_DIR" PATH="/usr/bin:/bin" \
+      "$EXTRACT_DIR/bin/psql" -h 127.0.0.1 -p "$EXTRACT_PORT" -U postgres -d postgres -c "CREATE EXTENSION vector;" > /dev/null
+    EXTV2="$("${RUN_AS[@]}" env -i HOME="$EXTRACT_DIR" PATH="/usr/bin:/bin" \
+      "$EXTRACT_DIR/bin/psql" -h 127.0.0.1 -p "$EXTRACT_PORT" -U postgres -d postgres -tAc \
+      "SELECT extversion FROM pg_extension WHERE extname='vector';")"
+    [[ "$EXTV2" == "$PGVECTOR_VERSION" ]] || { echo "FAIL: extracted-smoke extversion=$EXTV2"; exit 1; }
+    "${RUN_AS[@]}" env -i HOME="$EXTRACT_DIR" PATH="/usr/bin:/bin" \
+      "$EXTRACT_DIR/bin/pg_ctl" -D "$EXTRACT_DATA" -m fast stop > /dev/null
+  )
+  attempt_rc=$?
+  set -e
+  if [[ $attempt_rc -eq 0 ]]; then
+    rm -rf "$EXTRACT_DIR"
+    echo "  PASS extracted-tarball smoke"
+    EXTRACT_SMOKE_OK=1
+    break
+  fi
+  echo "  attempt $attempt failed (rc=$attempt_rc) — cleaning up"
+  echo "  -- last 20 lines of $EXTRACT_LOG --"
+  tail -20 "$EXTRACT_LOG" 2>/dev/null || true
+  "${RUN_AS[@]}" env -i HOME="$EXTRACT_DIR" PATH="/usr/bin:/bin" \
+    "$EXTRACT_DIR/bin/pg_ctl" -D "$EXTRACT_DATA" -m immediate stop > /dev/null 2>&1 || true
+  pkill -f "$EXTRACT_DIR/bin/postgres" > /dev/null 2>&1 || true
+  rm -rf "$EXTRACT_DATA"
+done
+if [[ -z "${EXTRACT_SMOKE_OK:-}" ]]; then
+  echo "FAIL: extracted-tarball smoke failed all 3 attempts"
+  exit 1
+fi
+
+echo "==> Done: $DIST_DIR/$OUTPUT_NAME"
+ls -lh "$DIST_DIR/$OUTPUT_NAME"