[VL] Unify native-build component isolation via a single resolver (macOS + Linux)

Native-build path policy was duplicated across three shell entry points
(builddeps-veloxbe.sh, build-helper-functions.sh, build-velox.sh), each
independently hardcoding `-DCMAKE_IGNORE_PREFIX_PATH=/usr/local` on macOS only.
This left Linux without first-class isolation and, importantly, left Velox's
own dependency builds (folly, bundled Arrow, ...) unprotected from /usr/local.

Introduce dev/build-isolation.sh as a single source of truth. It normalizes all
path inputs, decides isolation on/off, and emits a CMake toolchain fragment +
path-policy.env + machine-readable resolved_{trusted,ignored,runtime_ignored}_roots
under the already-gitignored ep/_ep working dir. Every build layer consumes them.

Default behavior (user-facing contract):
  * macOS and Linux both default-on (GLUTEN_BUILD_ISOLATION=auto -> on); vcpkg
    forces off; explicit on+vcpkg fails fast (only one toolchain slot).
  * macOS default: local prefix ${VELOX_HOME}/deps-install; /usr/local ignored.
  * Linux default: setup still installs to system dirs (trusted-managed,
    Docker/CI behavior and artifact locations unchanged); only ambient residue
    (stray Conda, user CMake registry) is filtered -- effectively a no-op unless
    you opt into a separate install.
  * Either platform + explicit INSTALL_PREFIX (separate install): /usr/local and
    /usr flip to ignored, with GLUTEN_ALLOW_IGNORED_ROOTS / GLUTEN_TRUST_PREFIX
    escape hatches. GLUTEN_BUILD_ISOLATION=off is a full kill-switch.

Two-level isolation:
  * CMake find policy: ignore roots + NO_SYSTEM_FROM_IMPORTED + package-registry
    off, propagated to every nested cmake (incl. Velox's own dependency setup)
    via the exported CMAKE_TOOLCHAIN_FILE. The toolchain carries only the ignore
    policy -- it does NOT prepend trusted prefixes globally, which would wrongly
    redirect Velox's/Arrow's self-contained bundled builds to deps-install.
  * Compiler include search: CMAKE_IGNORE_* doesn't govern the compiler, and on
    macOS clang searches /usr/local/include ahead of -isystem, so a stale header
    there (e.g. an old gtest/fmt) shadows the bundled copy. The resolver exports
    CFLAGS/CXXFLAGS with `-idirafter <ignored>/include` to demote those roots
    below every -I/-isystem dir; child cmake processes inherit it.

build-arrow.sh: guard the destructive download-dir removal (never wipe a
user-provided ARROW_PREFIX) and resolve a sane default install prefix for
standalone runs instead of silently targeting /usr/local.

Verified end-to-end by a complete native macOS build (arm64): valid
libgluten.dylib + libvelox.dylib with zero /usr/local linkage (otool -L). The
resolver supports GLUTEN_ISOLATION_DRYRUN=1 to emit the policy without building.
Linux is a no-op by default, preserving existing Docker/CI behavior.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: jackylee-ch

dev/build-arrow.sh

@@ -22,11 +22,30 @@ SUDO="${SUDO:-""}"
 source ${CURRENT_DIR}/build-helper-functions.sh
 VELOX_ARROW_BUILD_VERSION=15.0.0
 ARROW_PREFIX=$CURRENT_DIR/../ep/_ep/arrow_ep
+ARROW_MANAGED_PREFIX="$CURRENT_DIR/../ep/_ep/arrow_ep"
 BUILD_TYPE=Release
+# When invoked via builddeps-veloxbe.sh, INSTALL_PREFIX is already resolved and
+# exported (isolated local prefix on macOS, system on Linux) and is respected
+# here. For a standalone run, consult the isolation resolver so we do not
+# silently target /usr/local on an isolated platform.
+if [ -z "${INSTALL_PREFIX:-}" ] && [ -f "${CURRENT_DIR}/build-isolation.sh" ]; then
+  source "${CURRENT_DIR}/build-isolation.sh"
+  # Fatal on resolver rejection (e.g. isolation=on with vcpkg, or an invalid
+  # mode): falling through would silently target /usr/local and mask the
+  # misconfiguration. Consistent with the other native build entrypoints.
+  resolve_build_isolation || exit 1
+fi
 INSTALL_PREFIX=${INSTALL_PREFIX:-"/usr/local"}
 
 function prepare_arrow_build() {
-  mkdir -p ${ARROW_PREFIX}/../ && pushd ${ARROW_PREFIX}/../ && ${SUDO} rm -rf arrow_ep/
+  mkdir -p ${ARROW_PREFIX}/../ && pushd ${ARROW_PREFIX}/../
+  # Only auto-remove Gluten's managed download dir; never wipe a user-provided
+  # Arrow source tree pointed to by an overridden ARROW_PREFIX.
+  if [ "${ARROW_PREFIX}" = "${ARROW_MANAGED_PREFIX}" ]; then
+    ${SUDO} rm -rf arrow_ep/
+  else
+    echo "INFO: ARROW_PREFIX=${ARROW_PREFIX} is user-provided; not auto-removing it." >&2
+  fi
   wget_and_untar https://github.com/apache/arrow/archive/refs/tags/apache-arrow-${VELOX_ARROW_BUILD_VERSION}.tar.gz arrow_ep
   #wget_and_untar https://archive.apache.org/dist/arrow/arrow-${VELOX_ARROW_BUILD_VERSION}/apache-arrow-${VELOX_ARROW_BUILD_VERSION}.tar.gz arrow_ep
   cd arrow_ep

dev/build-helper-functions.sh

@@ -176,16 +176,18 @@ function cmake_install {
   CPU_TARGET="${CPU_TARGET:-unknown}"
   COMPILER_FLAGS=$(get_cxx_flags $CPU_TARGET)
 
-  local MACOS_ISOLATION_FLAGS=""
-  if [[ "$(uname)" == "Darwin" ]]; then
-    if [[ "${INSTALL_PREFIX:-}" == "/usr/local" || "${INSTALL_PREFIX:-}" == /usr/local/* ]]; then
-      echo "INFO: INSTALL_PREFIX=${INSTALL_PREFIX} is under /usr/local; keeping /usr/local visible to CMake." >&2
-    else
-      MACOS_ISOLATION_FLAGS="-DCMAKE_NO_SYSTEM_FROM_IMPORTED=ON \
-        -DCMAKE_IGNORE_PREFIX_PATH=/usr/local \
-        -DCMAKE_IGNORE_PATH=/usr/local;/usr/local/include;/usr/local/lib;/usr/local/lib/cmake \
-        -DCMAKE_SYSTEM_IGNORE_PATH=/usr/local;/usr/local/include;/usr/local/lib;/usr/local/lib/cmake"
-    fi
+  # Component isolation: a single resolver computes the ignore/prefix policy for
+  # both macOS and Linux (dev/build-isolation.sh). macOS default reproduces the
+  # previous /usr/local ignore flags; Linux default is a no-op; vcpkg disables it.
+  local _gi="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/build-isolation.sh"
+  local ISOLATION_FLAGS=""
+  if [ -f "$_gi" ]; then
+    source "$_gi"
+    resolve_build_isolation || exit 1
+    ISOLATION_FLAGS="${GLUTEN_ISOLATION_CMAKE_FLAGS:-}"
+    # Demote ignored roots' /include below -I/-isystem so a stale /usr/local
+    # header can't shadow bundled/deps-install headers (compiler isolation).
+    COMPILER_FLAGS="$COMPILER_FLAGS ${GLUTEN_ISOLATION_CXXFLAGS:-}"
   fi
 
   # CMAKE_POSITION_INDEPENDENT_CODE is required so that Velox can be built into dynamic libraries \
@@ -197,7 +199,7 @@ function cmake_install {
     "${INSTALL_PREFIX+-DCMAKE_INSTALL_PREFIX=}${INSTALL_PREFIX-}" \
     -DCMAKE_CXX_FLAGS="$COMPILER_FLAGS" \
     -DBUILD_TESTING=OFF \
-    $MACOS_ISOLATION_FLAGS \
+    $ISOLATION_FLAGS \
     "$@"
 
   cmake --build "${BINARY_DIR}"