Copilot commented on code in PR #12331:
URL: https://github.com/apache/gluten/pull/12331#discussion_r3452241359


##########
dev/build-arrow.sh:
##########
@@ -22,11 +22,27 @@ SUDO="${SUDO:-""}"
 source ${CURRENT_DIR}/build-helper-functions.sh
 VELOX_ARROW_BUILD_VERSION=15.0.0
 ARROW_PREFIX=$CURRENT_DIR/../ep/_ep/arrow_ep
+ARROW_MANAGED_PREFIX="$CURRENT_DIR/../ep/_ep/arrow_ep"
 BUILD_TYPE=Release
+# When invoked via builddeps-veloxbe.sh, INSTALL_PREFIX is already resolved and
+# exported (isolated local prefix on macOS, system on Linux) and is respected
+# here. For a standalone run, consult the isolation resolver so we do not
+# silently target /usr/local on an isolated platform.
+if [ -z "${INSTALL_PREFIX:-}" ] && [ -f "${CURRENT_DIR}/build-isolation.sh" ]; 
then
+  source "${CURRENT_DIR}/build-isolation.sh"
+  resolve_build_isolation || true
+fi

Review Comment:
   `resolve_build_isolation` failures are currently ignored (`|| true`). If the 
resolver rejects an invalid configuration (e.g. `GLUTEN_BUILD_ISOLATION=on` 
with vcpkg, or an invalid mode), this script will silently fall back to 
`INSTALL_PREFIX=/usr/local`, which defeats the isolation contract and can mask 
real configuration errors. Make the resolver failure fatal here (consistent 
with other entrypoints) so standalone Arrow builds don’t unexpectedly target 
`/usr/local`.



##########
dev/build-isolation.sh:
##########
@@ -0,0 +1,466 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============================================================================
+# Gluten native build component-isolation & dependency-discovery resolver.
+#
+# This file is the SINGLE source of truth for native-build path policy. It is
+# meant to be `source`d (not executed standalone) and exposes one entry point:
+#
+#     resolve_build_isolation
+#
+# which normalizes all path inputs, classifies them into roles
+# (source / build / install / discovery / ignore / runtime), and emits two
+# generated artifacts that every build layer consumes:
+#
+#   * build-isolation.cmake : a CMake toolchain fragment carrying the ignore /
+#                             prefix policy (CMAKE_IGNORE_PREFIX_PATH, ...).
+#   * path-policy.env       : resolved role variables + machine-readable
+#                             resolved_{trusted,ignored,runtime_ignored}_roots
+#                             for shell-only stages (pkg-config, runtime gate).
+#
+# Design goals (see design doc):
+#   - User-explicit paths always win over ambient environment residue.
+#   - macOS AND Linux are first-class default-on platforms; the only platform
+#     difference is the DEFAULT trusted/ignored root set.
+#   - Safe to source under `set -euo pipefail`; all env reads are guarded;
+#     functions are local-scoped; only documented variables are exported.
+# ============================================================================
+
+# --- internal helpers -------------------------------------------------------
+
+# Canonicalize a path for classification. Existing paths use realpath/pwd -P;
+# a not-yet-existing install root is canonicalized via its nearest existing
+# parent plus the remaining (non-existent) segments. Never fails the caller.
+_gi_canonical() {
+  local raw="${1:-}"
+  [ -z "$raw" ] && { printf '%s' ""; return 0; }
+  if [ -e "$raw" ]; then
+    ( cd "$raw" 2>/dev/null && pwd -P ) 2>/dev/null && return 0
+    # Not a directory we can cd into (e.g. a file): resolve its dirname.
+    local d b
+    d=$(dirname -- "$raw"); b=$(basename -- "$raw")
+    if [ -d "$d" ]; then printf '%s/%s' "$(cd "$d" && pwd -P)" "$b"; return 0; 
fi
+  fi
+  # Walk up to the nearest existing ancestor, then re-append the tail.
+  local cur="$raw" tail=""
+  while [ -n "$cur" ] && [ "$cur" != "/" ] && [ ! -d "$cur" ]; do
+    tail="$(basename -- "$cur")${tail:+/$tail}"
+    cur=$(dirname -- "$cur")
+  done
+  if [ -d "$cur" ]; then
+    cur=$(cd "$cur" && pwd -P)
+    printf '%s%s' "$cur" "${tail:+/$tail}"
+  else
+    printf '%s' "$raw"
+  fi
+}
+
+# True if CHILD is PARENT or lives under PARENT (both already canonical).
+_gi_is_under() {
+  local child="${1:-}" parent="${2:-}"
+  [ -z "$child" ] && return 1
+  [ -z "$parent" ] && return 1
+  [ "$child" = "$parent" ] && return 0
+  case "$child" in
+    "$parent"/*) return 0 ;;
+    *) return 1 ;;
+  esac
+}
+
+# Append a value to a newline-accumulator variable if not already present.
+_gi_add_unique() {
+  # $1 = accumulator var name, $2 = value
+  local __name="$1" __val="$2" __cur
+  [ -z "$__val" ] && return 0
+  eval "__cur=\${$__name:-}"
+  case "
+$__cur
+" in
+    *"
+$__val
+"*) return 0 ;;
+  esac
+  eval "$__name=\"\${$__name:+\$$__name
+}$__val\""
+}
+
+# --- main entry point -------------------------------------------------------
+#
+# Usage: resolve_build_isolation
+# Honors (all optional, guarded):
+#   GLUTEN_BUILD_ISOLATION  auto|on|off          (default auto)
+#   INSTALL_PREFIX          component install root
+#   VELOX_HOME / VELOX_BUILD_PATH / ARROW_HOME / ARROW_INSTALL_DIR
+#   ENABLE_VCPKG / GLUTEN_VCPKG_ENABLED / VCPKG_ROOT
+#   CONDA_PREFIX
+#   GLUTEN_TRUST_PREFIX            (path; promote to trusted discovery root)
+#   GLUTEN_ALLOW_IGNORED_ROOTS     (path; re-allow an otherwise-ignored root)
+#   GLUTEN_ISOLATION_DRYRUN=1      (write artifacts to GLUTEN_ISOLATION_OUT, 
print, do not touch build)
+# Exports (documented):
+#   GLUTEN_ISOLATION              on|off  (resolved)
+#   GLUTEN_ISOLATION_DIR          directory holding generated artifacts
+#   GLUTEN_ISOLATION_TOOLCHAIN    path to build-isolation.cmake (when on)
+#   GLUTEN_ISOLATION_ENV          path to path-policy.env
+#   INSTALL_PREFIX                resolved install prefix (may be newly set on 
macOS default)
+resolve_build_isolation() {
+  # GLUTEN_ISOLATION_FAKE_OS lets the test harness exercise the other 
platform's
+  # default trusted/ignored derivation without a second host. Never set in 
real builds.
+  local os; os="${GLUTEN_ISOLATION_FAKE_OS:-$(uname)}"
+
+  # 1. Locate Gluten root from this script's location.
+  local _src="${BASH_SOURCE[0]:-$0}"
+  local gluten_dir; gluten_dir=$(cd "$(dirname -- "$_src")/.." && pwd -P)
+
+  # 2. Normalize vcpkg signals into a single boolean.
+  local vcpkg_enabled=false
+  if [ "${ENABLE_VCPKG:-}" = "ON" ] || [ "${GLUTEN_VCPKG_ENABLED:-}" = "ON" ] 
|| \
+     [ "${GLUTEN_VCPKG_ENABLED:-}" = "1" ] || [ -n "${VCPKG_ROOT:-}" ]; then
+    vcpkg_enabled=true
+  fi
+
+  # 3. Decide isolation on/off. Never silently downgrade an explicit `on`.
+  local mode="${GLUTEN_BUILD_ISOLATION:-auto}"
+  local isolation="off"
+  case "$mode" in
+    on)
+      if [ "$vcpkg_enabled" = true ]; then
+        echo "FATAL: GLUTEN_BUILD_ISOLATION=on is incompatible with vcpkg 
(vcpkg owns the CMake toolchain)." >&2
+        echo "       Use GLUTEN_BUILD_ISOLATION=auto or =off to take the vcpkg 
path." >&2
+        return 1
+      fi
+      isolation="on" ;;
+    off)
+      isolation="off" ;;
+    auto|"")
+      if [ "$vcpkg_enabled" = true ]; then
+        isolation="off"          # vcpkg keeps its own discovery
+      else
+        isolation="on"           # macOS AND Linux default-on (user decision 
U1)
+      fi ;;
+    *)
+      echo "FATAL: invalid GLUTEN_BUILD_ISOLATION='$mode' (expected 
auto|on|off)." >&2
+      return 1 ;;
+  esac
+
+  # 4. Resolve install prefix + provenance.
+  #    GLUTEN_INSTALL_PREFIX_EXPLICIT (when exported by a parent entry) is the
+  #    authoritative "was this user-requested vs platform-default" signal, so a
+  #    parent that defaulted INSTALL_PREFIX to deps-install does not look like 
a
+  #    separate-install request to child entries.
+  local install_prefix_explicit=false
+  local install_prefix="${INSTALL_PREFIX:-}"
+  if [ -n "${GLUTEN_INSTALL_PREFIX_EXPLICIT:-}" ]; then
+    install_prefix_explicit="$GLUTEN_INSTALL_PREFIX_EXPLICIT"
+  elif [ -n "$install_prefix" ]; then
+    install_prefix_explicit=true
+  fi
+  if [ -z "$install_prefix" ] && [ "$isolation" = "on" ] && [ "$os" = "Darwin" 
]; then
+    # macOS default: local prefix under the Velox tree (never system).
+    local velox_home="${VELOX_HOME:-$gluten_dir/ep/build-velox/build/velox_ep}"
+    install_prefix="${velox_home}/deps-install"
+  fi
+  # Linux default (no explicit prefix): install_prefix stays empty => setup
+  # installs to its system location, which is trusted-managed (Docker/CI 
intact).
+
+  local canon_install; canon_install=$(_gi_canonical "$install_prefix")
+
+  # 5. Build trusted / ignored / neutral root sets (canonical).
+  local trusted_roots="" ignored_roots="" runtime_ignored_roots=""
+
+  if [ "$isolation" = "on" ]; then
+    # Trusted: explicit install prefix + Velox local prefixes.
+    [ -n "$canon_install" ] && _gi_add_unique trusted_roots "$canon_install"
+    [ -n "${VELOX_HOME:-}" ]       && _gi_add_unique trusted_roots 
"$(_gi_canonical "$VELOX_HOME")"
+    [ -n "${VELOX_BUILD_PATH:-}" ] && _gi_add_unique trusted_roots 
"$(_gi_canonical "$VELOX_BUILD_PATH")"
+    [ -n "${ARROW_HOME:-}" ]       && _gi_add_unique trusted_roots 
"$(_gi_canonical "$ARROW_HOME")"
+    [ -n "${ARROW_INSTALL_DIR:-}" ]&& _gi_add_unique trusted_roots 
"$(_gi_canonical "$ARROW_INSTALL_DIR")"
+    if [ -n "${GLUTEN_TRUST_PREFIX:-}" ]; then
+      local _p; for _p in ${GLUTEN_TRUST_PREFIX//:/ }; do
+        _gi_add_unique trusted_roots "$(_gi_canonical "$_p")"; done
+    fi
+
+    # Decide whether the system dirs (/usr/local, /usr) are ignored by default.
+    #   macOS default              -> ignore /usr/local  (unless prefix under 
it)
+    #   Linux default              -> system trusted (do NOT ignore /usr)
+    #   any platform + explicit non-system INSTALL_PREFIX -> ignore /usr/local 
+ /usr
+    local want_ignore_system=false
+    local sys_under_prefix=false
+    if [ -n "$canon_install" ] && { _gi_is_under "$canon_install" "/usr/local" 
|| _gi_is_under "$canon_install" "/usr"; }; then
+      sys_under_prefix=true     # user chose a system-dir prefix (system mode)
+    fi
+    if [ "$install_prefix_explicit" = true ] && [ "$sys_under_prefix" = false 
]; then
+      want_ignore_system=true   # separate install: keep system dirs out (U1)
+    elif [ "$install_prefix_explicit" = false ] && [ "$os" = "Darwin" ]; then
+      want_ignore_system=true   # macOS default isolation
+    fi
+
+    if [ "$want_ignore_system" = true ]; then
+      _gi_add_unique ignored_roots "/usr/local"
+      # On a separate-install request, also keep the broader /usr out of 
implicit discovery.
+      if [ "$install_prefix_explicit" = true ]; then
+        _gi_add_unique ignored_roots "/usr"
+      fi
+    fi
+
+    # Ambient pollution that is filtered on BOTH platforms when isolated:
+    #   - unrelated Conda prefix (unless the install prefix lives under it)
+    if [ -n "${CONDA_PREFIX:-}" ]; then
+      local canon_conda; canon_conda=$(_gi_canonical "$CONDA_PREFIX")
+      if [ -z "$canon_install" ] || ! _gi_is_under "$canon_install" 
"$canon_conda"; then
+        _gi_add_unique ignored_roots "$canon_conda"
+      fi
+    fi
+
+    # Honor the allow-list: anything explicitly re-allowed is removed from
+    # ignored and recorded as trusted (trusted wins, with a stable marker).
+    local overlap_markers=""
+    if [ -n "${GLUTEN_ALLOW_IGNORED_ROOTS:-}" ]; then
+      local _a; for _a in ${GLUTEN_ALLOW_IGNORED_ROOTS//:/ }; do
+        local canon_a; canon_a=$(_gi_canonical "$_a")
+        _gi_add_unique trusted_roots "$canon_a"
+      done
+    fi
+
+    # Remove from ignored any root that is also trusted (trusted precedence).
+    local filtered_ignored="" _ir
+    local _t_block="
+$trusted_roots
+"
+    while IFS= read -r _ir; do
+      [ -z "$_ir" ] && continue
+      case "$_t_block" in
+        *"
+$_ir
+"*)
+          overlap_markers="${overlap_markers:+$overlap_markers
+}# resolved-overlap: $_ir" ;;
+        *)
+          filtered_ignored="${filtered_ignored:+$filtered_ignored
+}$_ir" ;;
+      esac
+    done <<EOF
+$ignored_roots
+EOF
+    ignored_roots="$filtered_ignored"
+
+    # Runtime gate uses the same ignored set (dynamic-link pollution).
+    runtime_ignored_roots="$ignored_roots"
+  fi
+
+  # 6. Resolve artifact output directory.
+  local out_dir
+  if [ "${GLUTEN_ISOLATION_DRYRUN:-}" = "1" ]; then
+    out_dir="${GLUTEN_ISOLATION_OUT:-${TMPDIR:-/tmp}/gluten-isolation-dryrun}"
+  else
+    out_dir="${gluten_dir}/.gluten-build-cache/isolation"
+  fi
+  mkdir -p "$out_dir"
+
+  # 7. Compute a fingerprint over discovery-affecting inputs.
+  local fingerprint
+  fingerprint=$(printf '%s|%s|%s|%s|%s|%s|%s|%s\n' \
+    "$mode" "$isolation" "$vcpkg_enabled" "$canon_install" \
+    "${VELOX_HOME:-}" "${VELOX_BUILD_PATH:-}" \
+    "$(printf '%s' "$trusted_roots" | tr '\n' ',')" \
+    "$(printf '%s' "$ignored_roots" | tr '\n' ',')" \
+    | cksum | awk '{print $1}')
+
+  # 7b. Compiler-level isolation flags: `-idirafter <root>/include` demotes 
each
+  #     ignored root below all -I/-isystem dirs so a stale header there cannot
+  #     shadow bundled/deps-install headers (see long note at step 8b). 
Computed
+  #     here so both the toolchain (step 8) and the export (step 10) can use 
it.
+  local idirafter_flags="" _ira
+  if [ "$isolation" = "on" ] && [ -n "$ignored_roots" ]; then
+    while IFS= read -r _ira; do
+      [ -z "$_ira" ] && continue
+      idirafter_flags="${idirafter_flags:+$idirafter_flags }-idirafter 
$_ira/include"
+    done <<EOF
+$ignored_roots
+EOF
+  fi
+
+  # 8. Generate build-isolation.cmake (toolchain fragment) when isolated.
+  local toolchain_file="$out_dir/build-isolation.cmake"
+  local env_file="$out_dir/path-policy.env"
+  local tmp; tmp="$(mktemp "$out_dir/.gi.XXXXXX")"
+
+  if [ "$isolation" = "on" ]; then
+    {
+      echo "# Generated by dev/build-isolation.sh -- DO NOT EDIT."
+      echo "# fingerprint: $fingerprint"
+      echo "# Chain any user-provided toolchain saved before we took the slot."
+      echo 'if(DEFINED ENV{GLUTEN_ORIGINAL_CMAKE_TOOLCHAIN_FILE} AND NOT 
"$ENV{GLUTEN_ORIGINAL_CMAKE_TOOLCHAIN_FILE}" STREQUAL "")'
+      echo '  include("$ENV{GLUTEN_ORIGINAL_CMAKE_TOOLCHAIN_FILE}")'
+      echo 'endif()'
+      echo "set(CMAKE_NO_SYSTEM_FROM_IMPORTED ON CACHE BOOL \"\" FORCE)"
+      echo "set(CMAKE_FIND_USE_PACKAGE_REGISTRY OFF CACHE BOOL \"\" FORCE)"
+      echo "set(CMAKE_FIND_USE_SYSTEM_PACKAGE_REGISTRY OFF CACHE BOOL \"\" 
FORCE)"
+      echo "set(CMAKE_EXPORT_NO_PACKAGE_REGISTRY ON CACHE BOOL \"\" FORCE)"
+      if [ -n "$ignored_roots" ]; then
+        # CMAKE_IGNORE_PREFIX_PATH ignores prefix roots; add explicit subdirs 
too.
+        local _cmlist="" _ir2
+        while IFS= read -r _ir2; do
+          [ -z "$_ir2" ] && continue
+          
_cmlist="${_cmlist:+$_cmlist;}$_ir2;$_ir2/include;$_ir2/lib;$_ir2/lib64;$_ir2/lib/cmake"
+        done <<EOF
+$ignored_roots
+EOF
+        local _prefixlist="" _ir3
+        while IFS= read -r _ir3; do
+          [ -z "$_ir3" ] && continue
+          _prefixlist="${_prefixlist:+$_prefixlist;}$_ir3"
+        done <<EOF
+$ignored_roots
+EOF
+        echo "list(APPEND CMAKE_IGNORE_PREFIX_PATH \"$_prefixlist\")"
+        echo "list(APPEND CMAKE_IGNORE_PATH \"$_cmlist\")"
+        echo "list(APPEND CMAKE_SYSTEM_IGNORE_PATH \"$_cmlist\")"
+      fi
+      # NOTE: compiler -idirafter demotion is NOT injected here via
+      # CMAKE_<LANG>_FLAGS_INIT -- CMake's platform/compiler modules run after
+      # the toolchain file and overwrite *_FLAGS_INIT, dropping it. Instead the
+      # resolver exports CFLAGS/CXXFLAGS (which CMake always appends to the
+      # compile flags and which child cmake processes inherit), and entries 
that
+      # set -DCMAKE_CXX_FLAGS fold GLUTEN_ISOLATION_CXXFLAGS in directly.
+      # NOTE: we deliberately do NOT prepend trusted roots to CMAKE_PREFIX_PATH
+      # here. This toolchain file is inherited by EVERY nested cmake build,
+      # including Velox's and Arrow's self-contained bundled-dependency builds.
+      # Prepending deps-install globally redirects those bundled builds to the
+      # wrong artifacts (e.g. Velox's bundled Arrow picking up a partial Arrow
+      # or a build-relative Thrift config from deps-install). The toolchain
+      # carries ONLY the ignore policy (the universally-safe part); each entry
+      # point passes -DCMAKE_PREFIX_PATH for its own top-level configure where
+      # discovering deps-install is actually wanted. trusted_roots is still
+      # recorded in path-policy.env for the runtime link gate.
+    } > "$tmp"
+    mv -f "$tmp" "$toolchain_file"
+  else
+    rm -f "$tmp"
+    rm -f "$toolchain_file"
+  fi
+
+  # 8b. Build the equivalent -D flag string for shell entry points that splice
+  #     flags directly into their cmake invocation. Emitted ONLY when there are
+  #     ignored roots, so Linux-default (system trusted) stays a no-op and
+  #     macOS-default is byte-identical to the legacy hardcoded flags.
+  local cmake_flags=""
+  # Compiler-level isolation: clang/gcc search an ignored root's /include (e.g.
+  # /usr/local/include) AHEAD of command-line -isystem dirs, so a stale header
+  # there (old gtest/fmt/...) shadows the bundled/deps-install copy even when
+  # CMake points -isystem at the right one. CMAKE_IGNORE_* only governs CMake's
+  # find_*, not the compiler's include search. `-idirafter <root>/include`
+  # demotes that root below every -I/-isystem dir (the compiler de-dups it from
+  # its default-early slot), so the correct headers win while the root stays
+  # available as a last resort. Applied to every build via the toolchain
+  # CMAKE_<LANG>_FLAGS_INIT and exported for entries that set their own flags.
+  if [ "$isolation" = "on" ] && [ -n "$ignored_roots" ]; then
+    local _prefixlist2="" _cmlist2 _ir4
+    local _cmlist2=""
+    while IFS= read -r _ir4; do
+      [ -z "$_ir4" ] && continue
+      _prefixlist2="${_prefixlist2:+$_prefixlist2;}$_ir4"
+      
_cmlist2="${_cmlist2:+$_cmlist2;}$_ir4;$_ir4/include;$_ir4/lib;$_ir4/lib64;$_ir4/lib/cmake"
+    done <<EOF
+$ignored_roots
+EOF
+    cmake_flags="-DCMAKE_NO_SYSTEM_FROM_IMPORTED=ON"
+    cmake_flags="$cmake_flags -DCMAKE_FIND_USE_PACKAGE_REGISTRY=OFF"
+    cmake_flags="$cmake_flags -DCMAKE_FIND_USE_SYSTEM_PACKAGE_REGISTRY=OFF"
+    cmake_flags="$cmake_flags -DCMAKE_IGNORE_PREFIX_PATH=$_prefixlist2"
+    cmake_flags="$cmake_flags -DCMAKE_IGNORE_PATH=$_cmlist2"
+    cmake_flags="$cmake_flags -DCMAKE_SYSTEM_IGNORE_PATH=$_cmlist2"
+  fi
+
+  # 9. Generate path-policy.env (+ inline machine-readable resolved roots).
+  tmp="$(mktemp "$out_dir/.gi.XXXXXX")"
+  {
+    echo "# Generated by dev/build-isolation.sh -- DO NOT EDIT."
+    echo "GLUTEN_ISOLATION=$isolation"
+    echo "GLUTEN_ISOLATION_MODE=$mode"
+    echo "vcpkg_enabled=$vcpkg_enabled"
+    echo "isolation_os=$os"
+    echo "install_prefix=$canon_install"
+    echo "install_prefix_explicit=$install_prefix_explicit"
+    echo "resolver_fingerprint=$fingerprint"
+    echo "GLUTEN_ISOLATION_CMAKE_FLAGS=$cmake_flags"
+    echo "GLUTEN_ISOLATION_CXXFLAGS=$idirafter_flags"
+    [ "$isolation" = "on" ] && echo 
"GLUTEN_ISOLATION_TOOLCHAIN=$toolchain_file"
+    [ "$isolation" = "on" ] && echo 
"GLUTEN_PROPAGATE_CMAKE_TOOLCHAIN_FILE=$toolchain_file"
+    # Stable overlap markers (tests assert on these, not on log scraping).
+    if [ -n "${overlap_markers:-}" ]; then
+      printf '%s\n' "$overlap_markers"
+    fi
+    echo "# --- resolved_trusted_roots ---"
+    printf '%s\n' "$trusted_roots" | while IFS= read -r r; do if [ -n "$r" ]; 
then echo "resolved_trusted_root=$r"; fi; done
+    echo "# --- resolved_ignored_roots ---"
+    printf '%s\n' "$ignored_roots" | while IFS= read -r r; do if [ -n "$r" ]; 
then echo "resolved_ignored_root=$r"; fi; done
+    echo "# --- resolved_runtime_ignored_roots ---"
+    printf '%s\n' "$runtime_ignored_roots" | while IFS= read -r r; do if [ -n 
"$r" ]; then echo "resolved_runtime_ignored_root=$r"; fi; done
+  } > "$tmp"
+  mv -f "$tmp" "$env_file"
+
+  # Also drop the flat machine-readable root files the runtime gate reads.
+  printf '%s\n' "$trusted_roots"        | grep -v '^$' > 
"$out_dir/resolved_trusted_roots" 2>/dev/null || : > 
"$out_dir/resolved_trusted_roots"
+  printf '%s\n' "$ignored_roots"        | grep -v '^$' > 
"$out_dir/resolved_ignored_roots" 2>/dev/null || : > 
"$out_dir/resolved_ignored_roots"
+  printf '%s\n' "$runtime_ignored_roots"| grep -v '^$' > 
"$out_dir/resolved_runtime_ignored_roots" 2>/dev/null || : > 
"$out_dir/resolved_runtime_ignored_roots"
+
+  # 10. Export for the calling shell + one-time human-readable summary.
+  export GLUTEN_ISOLATION="$isolation"
+  export GLUTEN_ISOLATION_DIR="$out_dir"
+  export GLUTEN_ISOLATION_ENV="$env_file"
+  export GLUTEN_ISOLATION_CMAKE_FLAGS="$cmake_flags"
+  export GLUTEN_ISOLATION_CXXFLAGS="$idirafter_flags"
+  export GLUTEN_INSTALL_PREFIX_EXPLICIT="$install_prefix_explicit"
+  # Export CFLAGS/CXXFLAGS so the -idirafter demotion reaches EVERY nested 
cmake
+  # (CMake always appends $ENV{CXXFLAGS} to the compile flags, and child cmake
+  # processes -- e.g. Velox's bundled Arrow and its FetchContent googletest --
+  # inherit it). Guarded so repeated resolver calls don't duplicate the flags.
+  if [ -n "$idirafter_flags" ]; then
+    case " ${CFLAGS:-} " in *" $idirafter_flags "*) ;; *) export 
CFLAGS="${CFLAGS:+$CFLAGS }$idirafter_flags" ;; esac
+    case " ${CXXFLAGS:-} " in *" $idirafter_flags "*) ;; *) export 
CXXFLAGS="${CXXFLAGS:+$CXXFLAGS }$idirafter_flags" ;; esac
+  fi
+  if [ "$isolation" = "on" ]; then
+    export GLUTEN_ISOLATION_TOOLCHAIN="$toolchain_file"
+    # Propagate the ignore/prefix policy to EVERY nested cmake build by 
exporting
+    # CMAKE_TOOLCHAIN_FILE (CMake >=3.21 reads it as the default toolchain). 
This
+    # is what makes isolation comprehensive: Velox builds its own dependencies
+    # (folly, etc.) via its own scripts that never receive our -D flags, so
+    # without this they would still discover /usr/local. Any pre-existing user
+    # toolchain is preserved once in GLUTEN_ORIGINAL_CMAKE_TOOLCHAIN_FILE and
+    # re-included by the generated file (no self-recursion: the generated file
+    # never references CMAKE_TOOLCHAIN_FILE).
+    if [ -n "${CMAKE_TOOLCHAIN_FILE:-}" ] && \
+       [ "${CMAKE_TOOLCHAIN_FILE}" != "$toolchain_file" ] && \
+       [ -z "${GLUTEN_ORIGINAL_CMAKE_TOOLCHAIN_FILE:-}" ]; then
+      export GLUTEN_ORIGINAL_CMAKE_TOOLCHAIN_FILE="$CMAKE_TOOLCHAIN_FILE"
+    fi
+    export CMAKE_TOOLCHAIN_FILE="$toolchain_file"
+    [ -n "$install_prefix" ] && export INSTALL_PREFIX="$install_prefix"
+  fi

Review Comment:
   When isolation resolves to `off`, the resolver removes the generated 
toolchain file but never unsets/restores `CMAKE_TOOLCHAIN_FILE` if a previous 
resolver call set it. This can leave the environment pointing at a deleted 
toolchain (or keep isolation active) when toggling modes within the same 
shell/session. Add an `else` branch to restore 
`GLUTEN_ORIGINAL_CMAKE_TOOLCHAIN_FILE` (if captured) or unset 
`CMAKE_TOOLCHAIN_FILE` when it equals the generated toolchain path.



##########
dev/build-isolation.sh:
##########
@@ -0,0 +1,466 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============================================================================
+# Gluten native build component-isolation & dependency-discovery resolver.
+#
+# This file is the SINGLE source of truth for native-build path policy. It is
+# meant to be `source`d (not executed standalone) and exposes one entry point:
+#
+#     resolve_build_isolation
+#
+# which normalizes all path inputs, classifies them into roles
+# (source / build / install / discovery / ignore / runtime), and emits two
+# generated artifacts that every build layer consumes:
+#
+#   * build-isolation.cmake : a CMake toolchain fragment carrying the ignore /
+#                             prefix policy (CMAKE_IGNORE_PREFIX_PATH, ...).
+#   * path-policy.env       : resolved role variables + machine-readable
+#                             resolved_{trusted,ignored,runtime_ignored}_roots
+#                             for shell-only stages (pkg-config, runtime gate).
+#
+# Design goals (see design doc):
+#   - User-explicit paths always win over ambient environment residue.
+#   - macOS AND Linux are first-class default-on platforms; the only platform
+#     difference is the DEFAULT trusted/ignored root set.
+#   - Safe to source under `set -euo pipefail`; all env reads are guarded;
+#     functions are local-scoped; only documented variables are exported.
+# ============================================================================
+
+# --- internal helpers -------------------------------------------------------
+
+# Canonicalize a path for classification. Existing paths use realpath/pwd -P;
+# a not-yet-existing install root is canonicalized via its nearest existing
+# parent plus the remaining (non-existent) segments. Never fails the caller.
+_gi_canonical() {
+  local raw="${1:-}"
+  [ -z "$raw" ] && { printf '%s' ""; return 0; }
+  if [ -e "$raw" ]; then
+    ( cd "$raw" 2>/dev/null && pwd -P ) 2>/dev/null && return 0
+    # Not a directory we can cd into (e.g. a file): resolve its dirname.
+    local d b
+    d=$(dirname -- "$raw"); b=$(basename -- "$raw")
+    if [ -d "$d" ]; then printf '%s/%s' "$(cd "$d" && pwd -P)" "$b"; return 0; 
fi
+  fi
+  # Walk up to the nearest existing ancestor, then re-append the tail.
+  local cur="$raw" tail=""
+  while [ -n "$cur" ] && [ "$cur" != "/" ] && [ ! -d "$cur" ]; do
+    tail="$(basename -- "$cur")${tail:+/$tail}"
+    cur=$(dirname -- "$cur")
+  done
+  if [ -d "$cur" ]; then
+    cur=$(cd "$cur" && pwd -P)
+    printf '%s%s' "$cur" "${tail:+/$tail}"
+  else
+    printf '%s' "$raw"
+  fi
+}
+
+# True if CHILD is PARENT or lives under PARENT (both already canonical).
+_gi_is_under() {
+  local child="${1:-}" parent="${2:-}"
+  [ -z "$child" ] && return 1
+  [ -z "$parent" ] && return 1
+  [ "$child" = "$parent" ] && return 0
+  case "$child" in
+    "$parent"/*) return 0 ;;
+    *) return 1 ;;
+  esac
+}
+
+# Append a value to a newline-accumulator variable if not already present.
+_gi_add_unique() {
+  # $1 = accumulator var name, $2 = value
+  local __name="$1" __val="$2" __cur
+  [ -z "$__val" ] && return 0
+  eval "__cur=\${$__name:-}"
+  case "
+$__cur
+" in
+    *"
+$__val
+"*) return 0 ;;
+  esac
+  eval "$__name=\"\${$__name:+\$$__name
+}$__val\""
+}
+
+# --- main entry point -------------------------------------------------------
+#
+# Usage: resolve_build_isolation
+# Honors (all optional, guarded):
+#   GLUTEN_BUILD_ISOLATION  auto|on|off          (default auto)
+#   INSTALL_PREFIX          component install root
+#   VELOX_HOME / VELOX_BUILD_PATH / ARROW_HOME / ARROW_INSTALL_DIR
+#   ENABLE_VCPKG / GLUTEN_VCPKG_ENABLED / VCPKG_ROOT
+#   CONDA_PREFIX
+#   GLUTEN_TRUST_PREFIX            (path; promote to trusted discovery root)
+#   GLUTEN_ALLOW_IGNORED_ROOTS     (path; re-allow an otherwise-ignored root)
+#   GLUTEN_ISOLATION_DRYRUN=1      (write artifacts to GLUTEN_ISOLATION_OUT, 
print, do not touch build)
+# Exports (documented):
+#   GLUTEN_ISOLATION              on|off  (resolved)
+#   GLUTEN_ISOLATION_DIR          directory holding generated artifacts
+#   GLUTEN_ISOLATION_TOOLCHAIN    path to build-isolation.cmake (when on)
+#   GLUTEN_ISOLATION_ENV          path to path-policy.env
+#   INSTALL_PREFIX                resolved install prefix (may be newly set on 
macOS default)
+resolve_build_isolation() {
+  # GLUTEN_ISOLATION_FAKE_OS lets the test harness exercise the other 
platform's
+  # default trusted/ignored derivation without a second host. Never set in 
real builds.
+  local os; os="${GLUTEN_ISOLATION_FAKE_OS:-$(uname)}"
+
+  # 1. Locate Gluten root from this script's location.
+  local _src="${BASH_SOURCE[0]:-$0}"
+  local gluten_dir; gluten_dir=$(cd "$(dirname -- "$_src")/.." && pwd -P)
+
+  # 2. Normalize vcpkg signals into a single boolean.
+  local vcpkg_enabled=false
+  if [ "${ENABLE_VCPKG:-}" = "ON" ] || [ "${GLUTEN_VCPKG_ENABLED:-}" = "ON" ] 
|| \
+     [ "${GLUTEN_VCPKG_ENABLED:-}" = "1" ] || [ -n "${VCPKG_ROOT:-}" ]; then
+    vcpkg_enabled=true
+  fi
+
+  # 3. Decide isolation on/off. Never silently downgrade an explicit `on`.
+  local mode="${GLUTEN_BUILD_ISOLATION:-auto}"
+  local isolation="off"
+  case "$mode" in
+    on)
+      if [ "$vcpkg_enabled" = true ]; then
+        echo "FATAL: GLUTEN_BUILD_ISOLATION=on is incompatible with vcpkg 
(vcpkg owns the CMake toolchain)." >&2
+        echo "       Use GLUTEN_BUILD_ISOLATION=auto or =off to take the vcpkg 
path." >&2
+        return 1
+      fi
+      isolation="on" ;;
+    off)
+      isolation="off" ;;
+    auto|"")
+      if [ "$vcpkg_enabled" = true ]; then
+        isolation="off"          # vcpkg keeps its own discovery
+      else
+        isolation="on"           # macOS AND Linux default-on (user decision 
U1)
+      fi ;;
+    *)
+      echo "FATAL: invalid GLUTEN_BUILD_ISOLATION='$mode' (expected 
auto|on|off)." >&2
+      return 1 ;;
+  esac
+
+  # 4. Resolve install prefix + provenance.
+  #    GLUTEN_INSTALL_PREFIX_EXPLICIT (when exported by a parent entry) is the
+  #    authoritative "was this user-requested vs platform-default" signal, so a
+  #    parent that defaulted INSTALL_PREFIX to deps-install does not look like 
a
+  #    separate-install request to child entries.
+  local install_prefix_explicit=false
+  local install_prefix="${INSTALL_PREFIX:-}"
+  if [ -n "${GLUTEN_INSTALL_PREFIX_EXPLICIT:-}" ]; then
+    install_prefix_explicit="$GLUTEN_INSTALL_PREFIX_EXPLICIT"
+  elif [ -n "$install_prefix" ]; then
+    install_prefix_explicit=true
+  fi
+  if [ -z "$install_prefix" ] && [ "$isolation" = "on" ] && [ "$os" = "Darwin" 
]; then
+    # macOS default: local prefix under the Velox tree (never system).
+    local velox_home="${VELOX_HOME:-$gluten_dir/ep/build-velox/build/velox_ep}"
+    install_prefix="${velox_home}/deps-install"
+  fi
+  # Linux default (no explicit prefix): install_prefix stays empty => setup
+  # installs to its system location, which is trusted-managed (Docker/CI 
intact).
+
+  local canon_install; canon_install=$(_gi_canonical "$install_prefix")
+
+  # 5. Build trusted / ignored / neutral root sets (canonical).
+  local trusted_roots="" ignored_roots="" runtime_ignored_roots=""
+
+  if [ "$isolation" = "on" ]; then
+    # Trusted: explicit install prefix + Velox local prefixes.
+    [ -n "$canon_install" ] && _gi_add_unique trusted_roots "$canon_install"
+    [ -n "${VELOX_HOME:-}" ]       && _gi_add_unique trusted_roots 
"$(_gi_canonical "$VELOX_HOME")"
+    [ -n "${VELOX_BUILD_PATH:-}" ] && _gi_add_unique trusted_roots 
"$(_gi_canonical "$VELOX_BUILD_PATH")"
+    [ -n "${ARROW_HOME:-}" ]       && _gi_add_unique trusted_roots 
"$(_gi_canonical "$ARROW_HOME")"
+    [ -n "${ARROW_INSTALL_DIR:-}" ]&& _gi_add_unique trusted_roots 
"$(_gi_canonical "$ARROW_INSTALL_DIR")"
+    if [ -n "${GLUTEN_TRUST_PREFIX:-}" ]; then
+      local _p; for _p in ${GLUTEN_TRUST_PREFIX//:/ }; do
+        _gi_add_unique trusted_roots "$(_gi_canonical "$_p")"; done
+    fi
+
+    # Decide whether the system dirs (/usr/local, /usr) are ignored by default.
+    #   macOS default              -> ignore /usr/local  (unless prefix under 
it)
+    #   Linux default              -> system trusted (do NOT ignore /usr)
+    #   any platform + explicit non-system INSTALL_PREFIX -> ignore /usr/local 
+ /usr
+    local want_ignore_system=false
+    local sys_under_prefix=false
+    if [ -n "$canon_install" ] && { _gi_is_under "$canon_install" "/usr/local" 
|| _gi_is_under "$canon_install" "/usr"; }; then
+      sys_under_prefix=true     # user chose a system-dir prefix (system mode)
+    fi
+    if [ "$install_prefix_explicit" = true ] && [ "$sys_under_prefix" = false 
]; then
+      want_ignore_system=true   # separate install: keep system dirs out (U1)
+    elif [ "$install_prefix_explicit" = false ] && [ "$os" = "Darwin" ]; then
+      want_ignore_system=true   # macOS default isolation
+    fi
+
+    if [ "$want_ignore_system" = true ]; then
+      _gi_add_unique ignored_roots "/usr/local"
+      # On a separate-install request, also keep the broader /usr out of 
implicit discovery.
+      if [ "$install_prefix_explicit" = true ]; then
+        _gi_add_unique ignored_roots "/usr"
+      fi
+    fi
+
+    # Ambient pollution that is filtered on BOTH platforms when isolated:
+    #   - unrelated Conda prefix (unless the install prefix lives under it)
+    if [ -n "${CONDA_PREFIX:-}" ]; then
+      local canon_conda; canon_conda=$(_gi_canonical "$CONDA_PREFIX")
+      if [ -z "$canon_install" ] || ! _gi_is_under "$canon_install" 
"$canon_conda"; then
+        _gi_add_unique ignored_roots "$canon_conda"
+      fi
+    fi
+
+    # Honor the allow-list: anything explicitly re-allowed is removed from
+    # ignored and recorded as trusted (trusted wins, with a stable marker).
+    local overlap_markers=""
+    if [ -n "${GLUTEN_ALLOW_IGNORED_ROOTS:-}" ]; then
+      local _a; for _a in ${GLUTEN_ALLOW_IGNORED_ROOTS//:/ }; do
+        local canon_a; canon_a=$(_gi_canonical "$_a")
+        _gi_add_unique trusted_roots "$canon_a"
+      done
+    fi
+
+    # Remove from ignored any root that is also trusted (trusted precedence).
+    local filtered_ignored="" _ir
+    local _t_block="
+$trusted_roots
+"
+    while IFS= read -r _ir; do
+      [ -z "$_ir" ] && continue
+      case "$_t_block" in
+        *"
+$_ir
+"*)
+          overlap_markers="${overlap_markers:+$overlap_markers
+}# resolved-overlap: $_ir" ;;
+        *)
+          filtered_ignored="${filtered_ignored:+$filtered_ignored
+}$_ir" ;;
+      esac
+    done <<EOF
+$ignored_roots
+EOF
+    ignored_roots="$filtered_ignored"
+
+    # Runtime gate uses the same ignored set (dynamic-link pollution).
+    runtime_ignored_roots="$ignored_roots"
+  fi
+
+  # 6. Resolve artifact output directory.
+  local out_dir
+  if [ "${GLUTEN_ISOLATION_DRYRUN:-}" = "1" ]; then
+    out_dir="${GLUTEN_ISOLATION_OUT:-${TMPDIR:-/tmp}/gluten-isolation-dryrun}"
+  else
+    out_dir="${gluten_dir}/.gluten-build-cache/isolation"
+  fi
+  mkdir -p "$out_dir"
+
+  # 7. Compute a fingerprint over discovery-affecting inputs.
+  local fingerprint
+  fingerprint=$(printf '%s|%s|%s|%s|%s|%s|%s|%s\n' \
+    "$mode" "$isolation" "$vcpkg_enabled" "$canon_install" \
+    "${VELOX_HOME:-}" "${VELOX_BUILD_PATH:-}" \
+    "$(printf '%s' "$trusted_roots" | tr '\n' ',')" \
+    "$(printf '%s' "$ignored_roots" | tr '\n' ',')" \
+    | cksum | awk '{print $1}')
+
+  # 7b. Compiler-level isolation flags: `-idirafter <root>/include` demotes 
each
+  #     ignored root below all -I/-isystem dirs so a stale header there cannot
+  #     shadow bundled/deps-install headers (see long note at step 8b). 
Computed
+  #     here so both the toolchain (step 8) and the export (step 10) can use 
it.
+  local idirafter_flags="" _ira
+  if [ "$isolation" = "on" ] && [ -n "$ignored_roots" ]; then
+    while IFS= read -r _ira; do
+      [ -z "$_ira" ] && continue
+      idirafter_flags="${idirafter_flags:+$idirafter_flags }-idirafter 
$_ira/include"
+    done <<EOF
+$ignored_roots
+EOF
+  fi
+
+  # 8. Generate build-isolation.cmake (toolchain fragment) when isolated.
+  local toolchain_file="$out_dir/build-isolation.cmake"
+  local env_file="$out_dir/path-policy.env"
+  local tmp; tmp="$(mktemp "$out_dir/.gi.XXXXXX")"
+
+  if [ "$isolation" = "on" ]; then
+    {
+      echo "# Generated by dev/build-isolation.sh -- DO NOT EDIT."
+      echo "# fingerprint: $fingerprint"
+      echo "# Chain any user-provided toolchain saved before we took the slot."
+      echo 'if(DEFINED ENV{GLUTEN_ORIGINAL_CMAKE_TOOLCHAIN_FILE} AND NOT 
"$ENV{GLUTEN_ORIGINAL_CMAKE_TOOLCHAIN_FILE}" STREQUAL "")'
+      echo '  include("$ENV{GLUTEN_ORIGINAL_CMAKE_TOOLCHAIN_FILE}")'
+      echo 'endif()'
+      echo "set(CMAKE_NO_SYSTEM_FROM_IMPORTED ON CACHE BOOL \"\" FORCE)"
+      echo "set(CMAKE_FIND_USE_PACKAGE_REGISTRY OFF CACHE BOOL \"\" FORCE)"
+      echo "set(CMAKE_FIND_USE_SYSTEM_PACKAGE_REGISTRY OFF CACHE BOOL \"\" 
FORCE)"
+      echo "set(CMAKE_EXPORT_NO_PACKAGE_REGISTRY ON CACHE BOOL \"\" FORCE)"
+      if [ -n "$ignored_roots" ]; then
+        # CMAKE_IGNORE_PREFIX_PATH ignores prefix roots; add explicit subdirs 
too.
+        local _cmlist="" _ir2
+        while IFS= read -r _ir2; do
+          [ -z "$_ir2" ] && continue
+          
_cmlist="${_cmlist:+$_cmlist;}$_ir2;$_ir2/include;$_ir2/lib;$_ir2/lib64;$_ir2/lib/cmake"
+        done <<EOF
+$ignored_roots
+EOF
+        local _prefixlist="" _ir3
+        while IFS= read -r _ir3; do
+          [ -z "$_ir3" ] && continue
+          _prefixlist="${_prefixlist:+$_prefixlist;}$_ir3"
+        done <<EOF
+$ignored_roots
+EOF
+        echo "list(APPEND CMAKE_IGNORE_PREFIX_PATH \"$_prefixlist\")"
+        echo "list(APPEND CMAKE_IGNORE_PATH \"$_cmlist\")"
+        echo "list(APPEND CMAKE_SYSTEM_IGNORE_PATH \"$_cmlist\")"
+      fi
+      # NOTE: compiler -idirafter demotion is NOT injected here via
+      # CMAKE_<LANG>_FLAGS_INIT -- CMake's platform/compiler modules run after
+      # the toolchain file and overwrite *_FLAGS_INIT, dropping it. Instead the
+      # resolver exports CFLAGS/CXXFLAGS (which CMake always appends to the
+      # compile flags and which child cmake processes inherit), and entries 
that
+      # set -DCMAKE_CXX_FLAGS fold GLUTEN_ISOLATION_CXXFLAGS in directly.
+      # NOTE: we deliberately do NOT prepend trusted roots to CMAKE_PREFIX_PATH
+      # here. This toolchain file is inherited by EVERY nested cmake build,
+      # including Velox's and Arrow's self-contained bundled-dependency builds.
+      # Prepending deps-install globally redirects those bundled builds to the
+      # wrong artifacts (e.g. Velox's bundled Arrow picking up a partial Arrow
+      # or a build-relative Thrift config from deps-install). The toolchain
+      # carries ONLY the ignore policy (the universally-safe part); each entry
+      # point passes -DCMAKE_PREFIX_PATH for its own top-level configure where
+      # discovering deps-install is actually wanted. trusted_roots is still
+      # recorded in path-policy.env for the runtime link gate.
+    } > "$tmp"
+    mv -f "$tmp" "$toolchain_file"
+  else
+    rm -f "$tmp"
+    rm -f "$toolchain_file"
+  fi
+
+  # 8b. Build the equivalent -D flag string for shell entry points that splice
+  #     flags directly into their cmake invocation. Emitted ONLY when there are
+  #     ignored roots, so Linux-default (system trusted) stays a no-op and
+  #     macOS-default is byte-identical to the legacy hardcoded flags.
+  local cmake_flags=""
+  # Compiler-level isolation: clang/gcc search an ignored root's /include (e.g.
+  # /usr/local/include) AHEAD of command-line -isystem dirs, so a stale header
+  # there (old gtest/fmt/...) shadows the bundled/deps-install copy even when
+  # CMake points -isystem at the right one. CMAKE_IGNORE_* only governs CMake's
+  # find_*, not the compiler's include search. `-idirafter <root>/include`
+  # demotes that root below every -I/-isystem dir (the compiler de-dups it from
+  # its default-early slot), so the correct headers win while the root stays
+  # available as a last resort. Applied to every build via the toolchain
+  # CMAKE_<LANG>_FLAGS_INIT and exported for entries that set their own flags.
+  if [ "$isolation" = "on" ] && [ -n "$ignored_roots" ]; then
+    local _prefixlist2="" _cmlist2 _ir4
+    local _cmlist2=""
+    while IFS= read -r _ir4; do
+      [ -z "$_ir4" ] && continue
+      _prefixlist2="${_prefixlist2:+$_prefixlist2;}$_ir4"
+      
_cmlist2="${_cmlist2:+$_cmlist2;}$_ir4;$_ir4/include;$_ir4/lib;$_ir4/lib64;$_ir4/lib/cmake"
+    done <<EOF
+$ignored_roots
+EOF
+    cmake_flags="-DCMAKE_NO_SYSTEM_FROM_IMPORTED=ON"
+    cmake_flags="$cmake_flags -DCMAKE_FIND_USE_PACKAGE_REGISTRY=OFF"
+    cmake_flags="$cmake_flags -DCMAKE_FIND_USE_SYSTEM_PACKAGE_REGISTRY=OFF"
+    cmake_flags="$cmake_flags -DCMAKE_IGNORE_PREFIX_PATH=$_prefixlist2"
+    cmake_flags="$cmake_flags -DCMAKE_IGNORE_PATH=$_cmlist2"
+    cmake_flags="$cmake_flags -DCMAKE_SYSTEM_IGNORE_PATH=$_cmlist2"
+  fi
+
+  # 9. Generate path-policy.env (+ inline machine-readable resolved roots).
+  tmp="$(mktemp "$out_dir/.gi.XXXXXX")"
+  {
+    echo "# Generated by dev/build-isolation.sh -- DO NOT EDIT."
+    echo "GLUTEN_ISOLATION=$isolation"
+    echo "GLUTEN_ISOLATION_MODE=$mode"
+    echo "vcpkg_enabled=$vcpkg_enabled"
+    echo "isolation_os=$os"
+    echo "install_prefix=$canon_install"
+    echo "install_prefix_explicit=$install_prefix_explicit"
+    echo "resolver_fingerprint=$fingerprint"
+    echo "GLUTEN_ISOLATION_CMAKE_FLAGS=$cmake_flags"
+    echo "GLUTEN_ISOLATION_CXXFLAGS=$idirafter_flags"
+    [ "$isolation" = "on" ] && echo 
"GLUTEN_ISOLATION_TOOLCHAIN=$toolchain_file"
+    [ "$isolation" = "on" ] && echo 
"GLUTEN_PROPAGATE_CMAKE_TOOLCHAIN_FILE=$toolchain_file"

Review Comment:
   `path-policy.env` is written in shell-assignment form, but some values 
(notably `GLUTEN_ISOLATION_CMAKE_FLAGS` and `GLUTEN_ISOLATION_CXXFLAGS`) 
contain spaces. As emitted, the file cannot be safely `source`d because 
unquoted spaces will be parsed as separate commands/assignments. Quote/escape 
the values (e.g. via `printf %q`) so the generated env file is sourceable and 
robust to spaces in paths.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]


Reply via email to