@agentmeshhq/agent 0.1.12 → 0.1.13

package/src/__tests__/sandbox.test.ts

@@ -0,0 +1,435 @@
+import os from "node:os";
+import path from "node:path";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { DockerSandbox, type SandboxConfig, type SandboxMountPolicy } from "../core/sandbox.js";
+
+// Mock child_process
+vi.mock("node:child_process", () => ({
+  execSync: vi.fn(),
+  spawn: vi.fn(() => ({
+    on: vi.fn(),
+    unref: vi.fn(),
+    pid: 12345,
+  })),
+  spawnSync: vi.fn(() => ({
+    status: 0,
+    stdout: "mock-container-id\n",
+    stderr: "",
+  })),
+}));
+
+// Mock fs
+vi.mock("node:fs", () => ({
+  default: {
+    existsSync: vi.fn(() => true),
+  },
+}));
+
+describe("DockerSandbox", () => {
+  const defaultConfig: SandboxConfig = {
+    agentName: "test-agent",
+    image: "agentmesh/agent-sandbox:latest",
+    workspacePath: "/tmp/workspace",
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe("constructor", () => {
+    it("should create sandbox with default values", () => {
+      const sandbox = new DockerSandbox(defaultConfig);
+
+      expect(sandbox.getContainerName()).toMatch(/^agentmesh-sandbox-test-agent-[a-f0-9]{8}$/);
+    });
+
+    it("should merge config with defaults", () => {
+      const config: SandboxConfig = {
+        ...defaultConfig,
+        cpuLimit: "0.5",
+        memoryLimit: "1g",
+      };
+
+      const sandbox = new DockerSandbox(config);
+      expect(sandbox).toBeDefined();
+    });
+  });
+
+  describe("validateMountPolicy", () => {
+    it("should deny sensitive paths by default", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".ssh"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*\.ssh/);
+    });
+
+    it("should deny ~/.gnupg", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".gnupg"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*\.gnupg/);
+    });
+
+    it("should deny ~/.aws", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".aws"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*\.aws/);
+    });
+
+    it("should deny ~/.config/gcloud", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".config/gcloud"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*gcloud/);
+    });
+
+    it("should deny ~/.kube", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".kube"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*\.kube/);
+    });
+
+    it("should deny ~/.docker", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".docker"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*\.docker/);
+    });
+
+    it("should deny /var/run/docker.sock", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: "/var/run/docker.sock",
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*docker\.sock/);
+    });
+
+    it("should allow regular workspace paths", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: "/tmp/workspace",
+      });
+
+      expect(() => sandbox.validateMountPolicy()).not.toThrow();
+    });
+
+    it("should enforce custom allowed paths when specified", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: "/home/user/random",
+      });
+
+      const policy: SandboxMountPolicy = {
+        allowedPaths: ["/home/user/allowed-only"],
+        deniedPaths: [],
+      };
+
+      expect(() => sandbox.validateMountPolicy(policy)).toThrow(/not in allowed paths/);
+    });
+
+    it("should allow path within custom allowed paths", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: "/home/user/projects/myrepo",
+      });
+
+      const policy: SandboxMountPolicy = {
+        allowedPaths: ["/home/user/projects"],
+        deniedPaths: [],
+      };
+
+      expect(() => sandbox.validateMountPolicy(policy)).not.toThrow();
+    });
+  });
+
+  describe("checkDockerAvailable", () => {
+    it("should return true when docker is available", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout: "Docker version 24.0.0",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      expect(DockerSandbox.checkDockerAvailable()).toBe(true);
+    });
+
+    it("should return false when docker is not available", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 1,
+        stdout: "",
+        stderr: "docker: command not found",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      expect(DockerSandbox.checkDockerAvailable()).toBe(false);
+    });
+  });
+
+  describe("listAll", () => {
+    it("should parse docker ps output correctly", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout:
+          "abc123|agentmesh-sandbox-agent1-12345678|Up 5 minutes|agentmesh/agent-sandbox:latest\ndef456|agentmesh-sandbox-agent2-87654321|Exited (0)|agentmesh/agent-sandbox:latest",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const containers = DockerSandbox.listAll();
+
+      expect(containers).toHaveLength(2);
+      expect(containers[0]).toEqual({
+        id: "abc123",
+        name: "agentmesh-sandbox-agent1-12345678",
+        status: "Up 5 minutes",
+        image: "agentmesh/agent-sandbox:latest",
+      });
+    });
+
+    it("should return empty array when no containers found", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout: "",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const containers = DockerSandbox.listAll();
+      expect(containers).toEqual([]);
+    });
+  });
+
+  describe("findExisting", () => {
+    it("should find existing container for agent", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout: "abc123def456\n",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const containerId = DockerSandbox.findExisting("test-agent");
+      expect(containerId).toBe("abc123def456");
+    });
+
+    it("should return null when no container exists", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout: "\n",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const containerId = DockerSandbox.findExisting("nonexistent");
+      expect(containerId).toBeNull();
+    });
+  });
+
+  describe("container lifecycle", () => {
+    it("should build correct docker run arguments", async () => {
+      const { spawnSync } = await import("node:child_process");
+      const mockSpawnSync = vi.mocked(spawnSync);
+
+      // Mock image inspect (image exists)
+      mockSpawnSync.mockReturnValueOnce({
+        status: 0,
+        stdout: "{}",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      // Mock docker run
+      mockSpawnSync.mockReturnValueOnce({
+        status: 0,
+        stdout: "container-id-12345\n",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const sandbox = new DockerSandbox({
+        agentName: "test",
+        image: "agentmesh/agent-sandbox:latest",
+        workspacePath: "/tmp/workspace",
+        cpuLimit: "2",
+        memoryLimit: "4g",
+        env: {
+          AGENT_TOKEN: "test-token",
+        },
+      });
+
+      await sandbox.pullImage();
+      await sandbox.start();
+
+      // Find the docker run call
+      const runCall = mockSpawnSync.mock.calls.find(
+        (call) => call[0] === "docker" && call[1]?.[0] === "run",
+      );
+
+      expect(runCall).toBeDefined();
+      const args = runCall![1] as string[];
+
+      // Check key arguments
+      expect(args).toContain("-d");
+      expect(args).toContain("--cpus");
+      expect(args).toContain("2");
+      expect(args).toContain("--memory");
+      expect(args).toContain("4g");
+      expect(args).toContain("--user");
+      expect(args).toContain("1000:1000");
+      expect(args).toContain("-e");
+      expect(args).toContain("AGENT_TOKEN=test-token");
+    });
+
+    it("should get container status", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout: "true|running|healthy",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const sandbox = new DockerSandbox(defaultConfig);
+      // @ts-expect-error - accessing private property for testing
+      sandbox.containerId = "test-container";
+
+      const status = sandbox.getStatus();
+
+      expect(status).toEqual({
+        running: true,
+        status: "running",
+        health: "healthy",
+      });
+    });
+
+    it("should return not found status when container not started", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 1, // docker inspect fails for non-existent container
+        stdout: "",
+        stderr: "Error: No such container",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const sandbox = new DockerSandbox(defaultConfig);
+      const status = sandbox.getStatus();
+
+      expect(status).toEqual({
+        running: false,
+        status: "not found",
+      });
+    });
+  });
+
+  describe("resource limits", () => {
+    it("should apply default CPU limit of 1", () => {
+      const sandbox = new DockerSandbox(defaultConfig);
+      // The default is applied in constructor
+      expect(sandbox).toBeDefined();
+    });
+
+    it("should apply default memory limit of 2g", () => {
+      const sandbox = new DockerSandbox(defaultConfig);
+      expect(sandbox).toBeDefined();
+    });
+
+    it("should allow custom resource limits", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        cpuLimit: "0.5",
+        memoryLimit: "512m",
+      });
+      expect(sandbox).toBeDefined();
+    });
+  });
+
+  describe("serve mode", () => {
+    it("should configure serve mode with port", async () => {
+      const { spawnSync } = await import("node:child_process");
+      const mockSpawnSync = vi.mocked(spawnSync);
+
+      // Mock image inspect
+      mockSpawnSync.mockReturnValueOnce({
+        status: 0,
+        stdout: "{}",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      // Mock docker run
+      mockSpawnSync.mockReturnValueOnce({
+        status: 0,
+        stdout: "container-id\n",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        serveMode: true,
+        servePort: 3001,
+      });
+
+      await sandbox.pullImage();
+      await sandbox.start();
+
+      const runCall = mockSpawnSync.mock.calls.find(
+        (call) => call[0] === "docker" && call[1]?.[0] === "run",
+      );
+
+      expect(runCall).toBeDefined();
+      const args = runCall![1] as string[];
+
+      expect(args).toContain("-p");
+      expect(args).toContain("3001:3001");
+      expect(args).toContain("opencode");
+      expect(args).toContain("serve");
+    });
+  });
+});

package/src/cli/index.ts

@@ -10,7 +10,7 @@ import { contextCmd } from "./context.js";
 import { deploy } from "./deploy.js";
 import { init } from "./init.js";
 import { list } from "./list.js";
-import { localUp, localDown, localStatus, localLogs } from "./local.js";
+import { localDown, localLogs, localStatus, localUp } from "./local.js";
 import { logs } from "./logs.js";
 import { migrate } from "./migrate.js";
 import { nudge } from "./nudge.js";
@@ -57,6 +57,13 @@ program
   .option("--auto-setup", "Auto-clone repository for project assignments")
   .option("--serve", "Run opencode serve instead of tmux TUI (for Integration Service)")
   .option("--serve-port <port>", "Port for opencode serve (default: 3001)", "3001")
+  .option("--sandbox", "Run agent in Docker sandbox container with filesystem isolation")
+  .option(
+    "--sandbox-image <image>",
+    "Docker image for sandbox (default: agentmesh/agent-sandbox:latest)",
+  )
+  .option("--sandbox-cpu <limit>", "CPU limit for sandbox (default: 1)")
+  .option("--sandbox-memory <limit>", "Memory limit for sandbox (default: 2g)")
   .action(async (options) => {
     try {
       // Parse serve port as number

package/src/cli/start.ts

@@ -18,6 +18,14 @@ export interface StartOptions {
   serve?: boolean;
   /** Port for opencode serve (default: 3001) */
   servePort?: number;
+  /** Run agent in Docker sandbox container */
+  sandbox?: boolean;
+  /** Docker image for sandbox */
+  sandboxImage?: string;
+  /** CPU limit for sandbox */
+  sandboxCpu?: string;
+  /** Memory limit for sandbox */
+  sandboxMemory?: string;
 }
 
 export async function start(options: StartOptions): Promise<void> {
@@ -78,6 +86,12 @@ export async function start(options: StartOptions): Promise<void> {
     args.push("--serve");
     if (options.servePort) args.push("--serve-port", String(options.servePort));
   }
+  if (options.sandbox) {
+    args.push("--sandbox");
+    if (options.sandboxImage) args.push("--sandbox-image", options.sandboxImage);
+    if (options.sandboxCpu) args.push("--sandbox-cpu", options.sandboxCpu);
+    if (options.sandboxMemory) args.push("--sandbox-memory", options.sandboxMemory);
+  }
 
   // Spawn detached background process
   const child = spawn("node", [cliPath, ...args], {

package/src/core/daemon.ts

@@ -13,13 +13,14 @@ import type { AgentConfig, Config } from "../config/schema.js";
 import { loadContext, loadOrCreateContext, saveContext } from "../context/index.js";
 import { Heartbeat } from "./heartbeat.js";
 import { handleWebSocketEvent, injectRestoredContext, injectStartupMessage } from "./injector.js";
-import { checkInbox, fetchAssignments, registerAgent } from "./registry.js";
+import { checkInbox, fetchAssignments, registerAgent, type ServerContext } from "./registry.js";
 import {
   buildRunnerConfig,
   detectRunner,
   getRunnerDisplayName,
   type RunnerConfig,
 } from "./runner.js";
+import { DockerSandbox } from "./sandbox.js";
 import {
   captureSessionContext,
   createSession,
@@ -44,6 +45,14 @@ export interface DaemonOptions {
   serve?: boolean;
   /** Port for opencode serve (default: 3001) */
   servePort?: number;
+  /** Run agent in Docker sandbox container */
+  sandbox?: boolean;
+  /** Docker image for sandbox (default: agentmesh/agent-sandbox:latest) */
+  sandboxImage?: string;
+  /** CPU limit for sandbox (default: 1) */
+  sandboxCpu?: string;
+  /** Memory limit for sandbox (default: 2g) */
+  sandboxMemory?: string;
 }
 
 export class AgentDaemon {
@@ -62,6 +71,12 @@ export class AgentDaemon {
   private serveMode: boolean;
   private servePort: number;
   private serveProcess: ChildProcess | null = null;
+  private serverContext: ServerContext | undefined;
+  private sandboxMode: boolean;
+  private sandboxImage: string;
+  private sandboxCpu: string;
+  private sandboxMemory: string;
+  private sandbox: DockerSandbox | null = null;
 
   constructor(options: DaemonOptions) {
     const config = loadConfig();
@@ -94,6 +109,10 @@ export class AgentDaemon {
     this.agentConfig = agentConfig;
     this.serveMode = options.serve === true;
     this.servePort = options.servePort || 3001;
+    this.sandboxMode = options.sandbox === true;
+    this.sandboxImage = options.sandboxImage || "agentmesh/agent-sandbox:latest";
+    this.sandboxCpu = options.sandboxCpu || "1";
+    this.sandboxMemory = options.sandboxMemory || "2g";
 
     // Build runner configuration with model resolution
     this.runnerConfig = buildRunnerConfig({
@@ -128,18 +147,29 @@ export class AgentDaemon {
       agentId: existingState?.agentId || this.agentConfig.agentId,
       agentName: this.agentName,
       model: this.agentConfig.model || this.config.defaults.model,
+      restoreContext: this.shouldRestoreContext,
     });
 
     this.agentId = registration.agentId;
     this.token = registration.token;
 
-    console.log(`Registered as: ${this.agentId}`);
+    if (registration.status === "re-registered") {
+      console.log(`Re-registered as: ${this.agentId}`);
+      if (registration.context && Object.keys(registration.context).length > 0) {
+        this.serverContext = registration.context;
+        console.log(`Server context restored: ${Object.keys(registration.context).join(", ")}`);
+      }
+    } else {
+      console.log(`Registered as: ${this.agentId}`);
+    }
 
     // Check assignments and auto-setup workdir if needed (before creating tmux session)
     await this.checkAssignments();
 
-    // Serve mode: start opencode serve instead of tmux
-    if (this.serveMode) {
+    // Choose runtime mode: sandbox > serve > tmux
+    if (this.sandboxMode) {
+      await this.startSandboxMode();
+    } else if (this.serveMode) {
       await this.startServeMode();
     } else {
       // Check if session already exists
@@ -337,8 +367,12 @@ Nudge agent:
       this.ws = null;
     }
 
-    // Stop serve process or destroy tmux session
-    if (this.serveMode && this.serveProcess) {
+    // Stop sandbox, serve process, or destroy tmux session
+    if (this.sandboxMode && this.sandbox) {
+      console.log("Stopping sandbox container...");
+      await this.sandbox.destroy();
+      this.sandbox = null;
+    } else if (this.serveMode && this.serveProcess) {
       console.log("Stopping opencode serve...");
       this.serveProcess.kill("SIGTERM");
       this.serveProcess = null;
@@ -409,6 +443,80 @@ Nudge agent:
     console.log(`opencode serve started on http://0.0.0.0:${this.servePort}`);
   }
 
+  /**
+   * Starts agent in Docker sandbox mode
+   * Provides filesystem isolation with only workspace mounted
+   */
+  private async startSandboxMode(): Promise<void> {
+    console.log("Starting in Docker sandbox mode...");
+
+    // Check Docker availability
+    if (!DockerSandbox.checkDockerAvailable()) {
+      throw new Error(
+        "Docker is not available. Install Docker or use --sandbox host to run on host.",
+      );
+    }
+
+    const workdir = this.agentConfig.workdir || process.cwd();
+
+    // Check for existing sandbox container
+    const existingContainer = DockerSandbox.findExisting(this.agentName);
+    if (existingContainer) {
+      console.log(`Found existing sandbox container: ${existingContainer}`);
+      console.log("Stop it with: agentmesh stop " + this.agentName);
+      throw new Error("Sandbox container already exists");
+    }
+
+    // Create sandbox configuration
+    this.sandbox = new DockerSandbox({
+      agentName: this.agentName,
+      image: this.sandboxImage,
+      workspacePath: workdir,
+      cpuLimit: this.sandboxCpu,
+      memoryLimit: this.sandboxMemory,
+      env: {
+        ...this.runnerConfig.env,
+        AGENT_TOKEN: this.token!,
+        AGENTMESH_AGENT_ID: this.agentId!,
+      },
+      serveMode: this.serveMode,
+      servePort: this.servePort,
+      networkMode: "bridge",
+    });
+
+    // Validate mount policy (will throw if denied)
+    this.sandbox.validateMountPolicy();
+
+    // Pull image if needed
+    await this.sandbox.pullImage();
+
+    // Start container
+    await this.sandbox.start();
+
+    console.log(`
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+🐳 SANDBOX MODE ACTIVE
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Container: ${this.sandbox.getContainerName()}
+Image:     ${this.sandboxImage}
+Workspace: ${workdir} -> /workspace
+CPU:       ${this.sandboxCpu} core(s)
+Memory:    ${this.sandboxMemory}
+
+The agent is running in an isolated Docker container.
+Only the workspace directory is accessible.
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+`);
+
+    // Start opencode in the container
+    if (!this.serveMode) {
+      console.log("Starting opencode in sandbox container...");
+      await this.sandbox.spawnOpencode();
+    }
+  }
+
   /**
    * Saves the current agent context to disk
    */