@agentmeshhq/agent 0.1.11 → 0.1.13

package/src/core/sandbox.ts

@@ -0,0 +1,505 @@
+/**
+ * Docker Sandbox Runtime
+ *
+ * Provides containerized execution of agents with filesystem isolation.
+ * Each agent runs in its own container with only the allowed workspace mounted.
+ */
+
+import { type ChildProcess, execSync, spawn, spawnSync } from "node:child_process";
+import crypto from "node:crypto";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+export interface SandboxConfig {
+  /** Agent name (used for container naming) */
+  agentName: string;
+  /** Image to use for the container */
+  image: string;
+  /** Workspace path on host to mount */
+  workspacePath: string;
+  /** Container mount point for workspace (default: /workspace) */
+  containerWorkdir?: string;
+  /** CPU limit (e.g., "0.5" for half a CPU) */
+  cpuLimit?: string;
+  /** Memory limit (e.g., "512m", "1g") */
+  memoryLimit?: string;
+  /** Environment variables to pass to container */
+  env?: Record<string, string>;
+  /** Network mode (default: bridge) */
+  networkMode?: string;
+  /** Additional mounts (host:container format) */
+  additionalMounts?: string[];
+  /** Run opencode serve instead of TUI */
+  serveMode?: boolean;
+  /** Port for serve mode */
+  servePort?: number;
+}
+
+export interface SandboxMountPolicy {
+  /** Paths that are allowed to be mounted */
+  allowedPaths: string[];
+  /** Paths that are explicitly denied (checked first) */
+  deniedPaths: string[];
+}
+
+// Default mount policy - deny sensitive paths
+const DEFAULT_DENY_PATHS = [
+  "~/.ssh",
+  "~/.gnupg",
+  "~/.aws",
+  "~/.config/gcloud",
+  "~/.kube",
+  "~/.docker",
+  "/etc/passwd",
+  "/etc/shadow",
+  "/etc/hosts",
+  "/var/run/docker.sock",
+];
+
+export class DockerSandbox {
+  private config: SandboxConfig;
+  private containerId: string | null = null;
+  private containerName: string;
+  private process: ChildProcess | null = null;
+
+  constructor(config: SandboxConfig) {
+    this.config = {
+      containerWorkdir: "/workspace",
+      cpuLimit: "1",
+      memoryLimit: "2g",
+      networkMode: "bridge",
+      ...config,
+    };
+    // Generate unique container name
+    const suffix = crypto.randomBytes(4).toString("hex");
+    this.containerName = `agentmesh-sandbox-${config.agentName}-${suffix}`;
+  }
+
+  /**
+   * Validates that the workspace path is allowed based on policy
+   */
+  validateMountPolicy(policy?: SandboxMountPolicy): void {
+    const workspacePath = this.expandPath(this.config.workspacePath);
+
+    // Check denied paths first
+    const deniedPaths = policy?.deniedPaths || DEFAULT_DENY_PATHS;
+    for (const denied of deniedPaths) {
+      const expandedDenied = this.expandPath(denied);
+      if (workspacePath.startsWith(expandedDenied) || workspacePath === expandedDenied) {
+        throw new Error(`Mount denied: ${workspacePath} matches denied path ${denied}`);
+      }
+    }
+
+    // Check allowed paths if specified
+    if (policy?.allowedPaths && policy.allowedPaths.length > 0) {
+      const isAllowed = policy.allowedPaths.some((allowed) => {
+        const expandedAllowed = this.expandPath(allowed);
+        return workspacePath.startsWith(expandedAllowed);
+      });
+      if (!isAllowed) {
+        throw new Error(`Mount denied: ${workspacePath} is not in allowed paths`);
+      }
+    }
+
+    // Verify path exists
+    if (!fs.existsSync(workspacePath)) {
+      throw new Error(`Workspace path does not exist: ${workspacePath}`);
+    }
+  }
+
+  /**
+   * Expands ~ to home directory
+   */
+  private expandPath(p: string): string {
+    if (p.startsWith("~")) {
+      return path.join(os.homedir(), p.slice(1));
+    }
+    return path.resolve(p);
+  }
+
+  /**
+   * Checks if Docker is available
+   */
+  static checkDockerAvailable(): boolean {
+    try {
+      const result = spawnSync("docker", ["--version"], {
+        encoding: "utf-8",
+        timeout: 5000,
+      });
+      return result.status === 0;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Pulls the sandbox image if not present
+   */
+  async pullImage(): Promise<void> {
+    console.log(`Checking for image: ${this.config.image}`);
+
+    // Check if image exists locally
+    const result = spawnSync("docker", ["image", "inspect", this.config.image], {
+      encoding: "utf-8",
+    });
+
+    if (result.status === 0) {
+      console.log("Image found locally");
+      return;
+    }
+
+    console.log(`Pulling image: ${this.config.image}...`);
+    const pullResult = spawnSync("docker", ["pull", this.config.image], {
+      encoding: "utf-8",
+      stdio: "inherit",
+    });
+
+    if (pullResult.status !== 0) {
+      throw new Error(`Failed to pull image: ${this.config.image}`);
+    }
+  }
+
+  /**
+   * Creates and starts the sandbox container
+   */
+  async start(): Promise<string> {
+    // Validate mount policy
+    this.validateMountPolicy();
+
+    const workspacePath = this.expandPath(this.config.workspacePath);
+
+    // Build docker run arguments
+    const args: string[] = [
+      "run",
+      "-d", // Detached
+      "--name",
+      this.containerName,
+      "--hostname",
+      `sandbox-${this.config.agentName}`,
+
+      // Resource limits
+      "--cpus",
+      this.config.cpuLimit!,
+      "--memory",
+      this.config.memoryLimit!,
+
+      // Security: run as non-root
+      "--user",
+      "1000:1000",
+
+      // Network
+      "--network",
+      this.config.networkMode!,
+
+      // Mount workspace
+      "-v",
+      `${workspacePath}:${this.config.containerWorkdir}:rw`,
+
+      // Working directory
+      "-w",
+      this.config.containerWorkdir!,
+    ];
+
+    // Add environment variables
+    if (this.config.env) {
+      for (const [key, value] of Object.entries(this.config.env)) {
+        args.push("-e", `${key}=${value}`);
+      }
+    }
+
+    // Add additional mounts
+    if (this.config.additionalMounts) {
+      for (const mount of this.config.additionalMounts) {
+        args.push("-v", mount);
+      }
+    }
+
+    // Expose port for serve mode
+    if (this.config.serveMode && this.config.servePort) {
+      args.push("-p", `${this.config.servePort}:${this.config.servePort}`);
+    }
+
+    // Image and command
+    args.push(this.config.image);
+
+    // Command: either serve mode or keep container alive for tmux-style attach
+    if (this.config.serveMode) {
+      args.push(
+        "opencode",
+        "serve",
+        "--port",
+        String(this.config.servePort || 3001),
+        "--hostname",
+        "0.0.0.0",
+      );
+    } else {
+      // Keep container running for attach capability
+      args.push("tail", "-f", "/dev/null");
+    }
+
+    console.log(`Starting sandbox container: ${this.containerName}`);
+
+    const result = spawnSync("docker", args, {
+      encoding: "utf-8",
+    });
+
+    if (result.status !== 0) {
+      throw new Error(`Failed to start container: ${result.stderr || result.stdout}`);
+    }
+
+    this.containerId = result.stdout.trim();
+    console.log(`Container started: ${this.containerId.substring(0, 12)}`);
+
+    return this.containerId;
+  }
+
+  /**
+   * Executes a command in the running container
+   */
+  async exec(command: string[], options?: { interactive?: boolean }): Promise<string> {
+    if (!this.containerId && !this.containerName) {
+      throw new Error("Container not started");
+    }
+
+    const target = this.containerId || this.containerName;
+    const args = ["exec"];
+
+    if (options?.interactive) {
+      args.push("-it");
+    }
+
+    args.push(target, ...command);
+
+    const result = spawnSync("docker", args, {
+      encoding: "utf-8",
+      stdio: options?.interactive ? "inherit" : "pipe",
+    });
+
+    if (result.status !== 0 && !options?.interactive) {
+      throw new Error(`Exec failed: ${result.stderr || result.stdout}`);
+    }
+
+    return result.stdout || "";
+  }
+
+  /**
+   * Spawns opencode in the container (for non-serve mode)
+   */
+  async spawnOpencode(): Promise<ChildProcess> {
+    if (!this.containerId && !this.containerName) {
+      throw new Error("Container not started");
+    }
+
+    const target = this.containerId || this.containerName;
+
+    // Build environment args
+    const envArgs: string[] = [];
+    if (this.config.env) {
+      for (const [key, value] of Object.entries(this.config.env)) {
+        envArgs.push("-e", `${key}=${value}`);
+      }
+    }
+
+    this.process = spawn("docker", ["exec", "-it", ...envArgs, target, "opencode"], {
+      stdio: "inherit",
+    });
+
+    return this.process;
+  }
+
+  /**
+   * Attaches to the container's opencode process
+   */
+  attach(): void {
+    if (!this.containerId && !this.containerName) {
+      throw new Error("Container not started");
+    }
+
+    const target = this.containerId || this.containerName;
+
+    // Exec into container interactively
+    execSync(`docker exec -it ${target} opencode`, {
+      stdio: "inherit",
+    });
+  }
+
+  /**
+   * Gets container logs
+   */
+  getLogs(lines = 100): string {
+    if (!this.containerId && !this.containerName) {
+      throw new Error("Container not started");
+    }
+
+    const target = this.containerId || this.containerName;
+    const result = spawnSync("docker", ["logs", "--tail", String(lines), target], {
+      encoding: "utf-8",
+    });
+
+    return result.stdout + result.stderr;
+  }
+
+  /**
+   * Follows container logs
+   */
+  followLogs(): void {
+    if (!this.containerId && !this.containerName) {
+      throw new Error("Container not started");
+    }
+
+    const target = this.containerId || this.containerName;
+    execSync(`docker logs -f ${target}`, { stdio: "inherit" });
+  }
+
+  /**
+   * Checks if container is running
+   */
+  isRunning(): boolean {
+    if (!this.containerId && !this.containerName) {
+      return false;
+    }
+
+    const target = this.containerId || this.containerName;
+    const result = spawnSync("docker", ["inspect", "-f", "{{.State.Running}}", target], {
+      encoding: "utf-8",
+    });
+
+    return result.stdout.trim() === "true";
+  }
+
+  /**
+   * Gets container status
+   */
+  getStatus(): { running: boolean; status: string; health?: string } {
+    if (!this.containerId && !this.containerName) {
+      return { running: false, status: "not created" };
+    }
+
+    const target = this.containerId || this.containerName;
+    const result = spawnSync(
+      "docker",
+      ["inspect", "-f", "{{.State.Running}}|{{.State.Status}}|{{.State.Health.Status}}", target],
+      { encoding: "utf-8" },
+    );
+
+    if (result.status !== 0) {
+      return { running: false, status: "not found" };
+    }
+
+    const [running, status, health] = result.stdout.trim().split("|");
+    return {
+      running: running === "true",
+      status,
+      health: health || undefined,
+    };
+  }
+
+  /**
+   * Stops the container
+   */
+  async stop(): Promise<void> {
+    if (!this.containerId && !this.containerName) {
+      return;
+    }
+
+    const target = this.containerId || this.containerName;
+    console.log(`Stopping container: ${target}`);
+
+    spawnSync("docker", ["stop", "-t", "10", target], {
+      encoding: "utf-8",
+    });
+  }
+
+  /**
+   * Removes the container
+   */
+  async destroy(): Promise<void> {
+    if (!this.containerId && !this.containerName) {
+      return;
+    }
+
+    const target = this.containerId || this.containerName;
+    console.log(`Destroying container: ${target}`);
+
+    // Stop if running
+    await this.stop();
+
+    // Remove
+    spawnSync("docker", ["rm", "-f", target], {
+      encoding: "utf-8",
+    });
+
+    this.containerId = null;
+  }
+
+  /**
+   * Gets container name
+   */
+  getContainerName(): string {
+    return this.containerName;
+  }
+
+  /**
+   * Gets container ID
+   */
+  getContainerId(): string | null {
+    return this.containerId;
+  }
+
+  /**
+   * Finds existing sandbox container for an agent
+   */
+  static findExisting(agentName: string): string | null {
+    const result = spawnSync(
+      "docker",
+      [
+        "ps",
+        "-aq",
+        "--filter",
+        `name=agentmesh-sandbox-${agentName}-`,
+        "--filter",
+        "status=running",
+      ],
+      { encoding: "utf-8" },
+    );
+
+    const containerId = result.stdout.trim().split("\n")[0];
+    return containerId || null;
+  }
+
+  /**
+   * Lists all sandbox containers
+   */
+  static listAll(): Array<{
+    id: string;
+    name: string;
+    status: string;
+    image: string;
+  }> {
+    const result = spawnSync(
+      "docker",
+      [
+        "ps",
+        "-a",
+        "--filter",
+        "name=agentmesh-sandbox-",
+        "--format",
+        "{{.ID}}|{{.Names}}|{{.Status}}|{{.Image}}",
+      ],
+      { encoding: "utf-8" },
+    );
+
+    if (result.status !== 0 || !result.stdout.trim()) {
+      return [];
+    }
+
+    return result.stdout
+      .trim()
+      .split("\n")
+      .map((line) => {
+        const [id, name, status, image] = line.split("|");
+        return { id, name, status, image };
+      });
+  }
+}

package/src/core/tmux.ts

@@ -56,7 +56,8 @@ export function createSession(
 
     const fullCommand = `${envPrefix}${command}`;
 
-    const args = ["new-session", "-d", "-s", sessionName];
+    // Set reasonable terminal size for TUI applications
+    const args = ["new-session", "-d", "-s", sessionName, "-x", "200", "-y", "50"];
 
     if (workdir) {
       args.push("-c", workdir);
@@ -128,16 +129,13 @@ export function sendKeys(agentName: string, message: string): boolean {
   }
 
   try {
-    // Escape special characters for tmux
-    const escapedMessage = message
-      .replace(/\\/g, "\\\\")
-      .replace(/"/g, '\\"')
-      .replace(/\$/g, "\\$")
-      .replace(/`/g, "\\`");
-
-    // Send the message, then press Enter separately to submit to the AI
-    execSync(`tmux send-keys -t "${sessionName}" "${escapedMessage}"`);
-    execSync(`tmux send-keys -t "${sessionName}" Enter`);
+    // Replace newlines with " | " to keep message on single line (newlines would act as Enter)
+    const cleanMessage = message.replace(/\n/g, " | ");
+
+    // Use execFileSync with array args to avoid shell escaping issues
+    // The -l flag sends keys literally
+    execFileSync("tmux", ["send-keys", "-t", sessionName, "-l", cleanMessage]);
+    execFileSync("tmux", ["send-keys", "-t", sessionName, "Enter"]);
     return true;
   } catch (error) {
     console.error(`Failed to send keys: ${error}`);