agentic-qe 2.8.0 → 2.8.2

package/dist/infrastructure/sandbox/ResourceMonitor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ResourceMonitor.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/sandbox/ResourceMonitor.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,MAAM,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,EAAE,aAAa,EAAgB,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEnF;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,6CAA6C;IAC7C,UAAU,EAAE,MAAM,CAAC;IAEnB,gDAAgD;IAChD,aAAa,EAAE,MAAM,CAAC;IAEtB,8CAA8C;IAC9C,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,kBAIhC,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,0CAA0C;IAC1C,UAAU,EAAE,MAAM,CAAC;IAEnB,qCAAqC;IACrC,UAAU,EAAE,kBAAkB,CAAC;IAE/B,sCAAsC;IACtC,mBAAmB,EAAE,OAAO,CAAC;IAE7B,uDAAuD;IACvD,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAED;;GAEG;AACH,eAAO,MAAM,sBAAsB,EAAE,qBAKpC,CAAC;AAcF;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,UAAU,CAAkC;IACpD,OAAO,CAAC,eAAe,CAA+C;IACtE,OAAO,CAAC,aAAa,CAA6B;IAClD,OAAO,CAAC,SAAS,CAAkB;gBAEvB,MAAM,EAAE,MAAM,EAAE,MAAM,GAAE,OAAO,CAAC,qBAAqB,CAAM;IAMvE;;OAEG;IACH,YAAY,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAU3E;;OAEG;IACH,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAI1C;;OAEG;IACH,KAAK,IAAI,IAAI;IAYb;;OAEG;IACH,IAAI,IAAI,IAAI;IAQZ;;OAEG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAgBlE;;OAEG;IACH,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI;IAIzD;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAaxD;;OAEG;IACH,EAAE,CAAC,OAAO,EAAE,mBAAmB,GAAG,IAAI;IAItC;;OAEG;IACH,GAAG,CAAC,OAAO,EAAE,mBAAmB,GAAG,IAAI;IAOvC;;OAEG;YACW,eAAe;IAQ7B;;OAEG;YACW,wBAAwB;IAoBtC;;OAEG;YACW,qBAAqB;IAWnC;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAyCxB;;OAEG;YACW,eAAe;IAmE7B;;OAEG;YACW,SAAS;IAUvB;;OAEG;IACH,SAAS,IAAI;QACX,OAAO,EAAE,OAAO,CAAC;QACjB,cAAc,EAAE,MAAM,CAAC;QACvB,UAAU,EAAE,MAAM,CAAC;KACpB;CAOF"}

package/dist/infrastructure/sandbox/ResourceMonitor.js

@@ -0,0 +1,305 @@
+"use strict";
+/**
+ * Resource Monitor for Docker Containers
+ *
+ * Monitors CPU, memory, disk, and network usage for sandboxed agent containers.
+ * Provides real-time stats and threshold-based alerts.
+ *
+ * @module infrastructure/sandbox/ResourceMonitor
+ * @see Issue #146 - Security Hardening: Docker Sandboxing
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ResourceMonitor = exports.DEFAULT_MONITOR_CONFIG = exports.DEFAULT_THRESHOLDS = void 0;
+/**
+ * Default resource thresholds for alerts
+ */
+exports.DEFAULT_THRESHOLDS = {
+    cpuPercent: 90,
+    memoryPercent: 85,
+    diskPercent: 80,
+};
+/**
+ * Default monitor configuration
+ */
+exports.DEFAULT_MONITOR_CONFIG = {
+    intervalMs: 5000,
+    thresholds: exports.DEFAULT_THRESHOLDS,
+    enableOomPrevention: true,
+    oomPreventionThreshold: 95,
+};
+/**
+ * ResourceMonitor class for tracking container resource usage
+ */
+class ResourceMonitor {
+    constructor(docker, config = {}) {
+        this.monitorInterval = null;
+        this.eventHandlers = [];
+        this.isRunning = false;
+        this.docker = docker;
+        this.config = { ...exports.DEFAULT_MONITOR_CONFIG, ...config };
+        this.containers = new Map();
+    }
+    /**
+     * Start monitoring a container
+     */
+    addContainer(containerId, agentId, agentType) {
+        this.containers.set(containerId, {
+            containerId,
+            agentId,
+            agentType,
+            consecutiveHighMemory: 0,
+            consecutiveHighCpu: 0,
+        });
+    }
+    /**
+     * Stop monitoring a container
+     */
+    removeContainer(containerId) {
+        this.containers.delete(containerId);
+    }
+    /**
+     * Start the monitoring loop
+     */
+    start() {
+        if (this.isRunning)
+            return;
+        this.isRunning = true;
+        this.monitorInterval = setInterval(async () => {
+            await this.collectAllStats();
+        }, this.config.intervalMs);
+        // Collect initial stats immediately
+        this.collectAllStats().catch(console.error);
+    }
+    /**
+     * Stop the monitoring loop
+     */
+    stop() {
+        if (this.monitorInterval) {
+            clearInterval(this.monitorInterval);
+            this.monitorInterval = null;
+        }
+        this.isRunning = false;
+    }
+    /**
+     * Get stats for a specific container
+     */
+    async getStats(containerId) {
+        const monitored = this.containers.get(containerId);
+        if (!monitored)
+            return null;
+        try {
+            const stats = await this.collectContainerStats(containerId);
+            if (stats) {
+                monitored.lastStats = stats;
+            }
+            return stats;
+        }
+        catch (error) {
+            console.error(`Failed to get stats for ${containerId}:`, error);
+            return monitored.lastStats || null;
+        }
+    }
+    /**
+     * Get cached stats for a container (no API call)
+     */
+    getCachedStats(containerId) {
+        return this.containers.get(containerId)?.lastStats || null;
+    }
+    /**
+     * Get stats for all monitored containers
+     */
+    async getAllStats() {
+        const result = new Map();
+        for (const [containerId, monitored] of this.containers) {
+            const stats = await this.getStats(containerId);
+            if (stats) {
+                result.set(containerId, stats);
+            }
+        }
+        return result;
+    }
+    /**
+     * Add event handler
+     */
+    on(handler) {
+        this.eventHandlers.push(handler);
+    }
+    /**
+     * Remove event handler
+     */
+    off(handler) {
+        const index = this.eventHandlers.indexOf(handler);
+        if (index !== -1) {
+            this.eventHandlers.splice(index, 1);
+        }
+    }
+    /**
+     * Collect stats for all monitored containers
+     */
+    async collectAllStats() {
+        const promises = Array.from(this.containers.keys()).map((containerId) => this.collectAndCheckContainer(containerId));
+        await Promise.allSettled(promises);
+    }
+    /**
+     * Collect stats and check thresholds for a container
+     */
+    async collectAndCheckContainer(containerId) {
+        const monitored = this.containers.get(containerId);
+        if (!monitored)
+            return;
+        try {
+            const stats = await this.collectContainerStats(containerId);
+            if (!stats)
+                return;
+            monitored.lastStats = stats;
+            // Check thresholds
+            await this.checkThresholds(monitored, stats);
+        }
+        catch (error) {
+            // Container might have been removed
+            if (error.message?.includes('no such container')) {
+                this.containers.delete(containerId);
+            }
+        }
+    }
+    /**
+     * Collect resource stats for a container
+     */
+    async collectContainerStats(containerId) {
+        try {
+            const container = this.docker.getContainer(containerId);
+            const stats = await container.stats({ stream: false });
+            return this.parseDockerStats(stats);
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Parse Docker stats response into ResourceStats
+     */
+    parseDockerStats(stats) {
+        // Calculate CPU percentage
+        const cpuDelta = stats.cpu_stats.cpu_usage.total_usage - stats.precpu_stats.cpu_usage.total_usage;
+        const systemDelta = stats.cpu_stats.system_cpu_usage - stats.precpu_stats.system_cpu_usage;
+        const cpuCount = stats.cpu_stats.online_cpus || 1;
+        const cpuPercent = systemDelta > 0 ? (cpuDelta / systemDelta) * cpuCount * 100 : 0;
+        // Memory stats
+        const memoryUsage = stats.memory_stats.usage || 0;
+        const memoryLimit = stats.memory_stats.limit || 1;
+        const memoryUsageMB = memoryUsage / (1024 * 1024);
+        const memoryLimitMB = memoryLimit / (1024 * 1024);
+        const memoryPercent = (memoryUsage / memoryLimit) * 100;
+        // Network stats
+        let networkRxBytes = 0;
+        let networkTxBytes = 0;
+        if (stats.networks) {
+            for (const network of Object.values(stats.networks)) {
+                networkRxBytes += network.rx_bytes || 0;
+                networkTxBytes += network.tx_bytes || 0;
+            }
+        }
+        // PIDs
+        const pidsCount = stats.pids_stats?.current || 0;
+        return {
+            cpuPercent: Math.round(cpuPercent * 100) / 100,
+            memoryUsageMB: Math.round(memoryUsageMB * 100) / 100,
+            memoryLimitMB: Math.round(memoryLimitMB * 100) / 100,
+            memoryPercent: Math.round(memoryPercent * 100) / 100,
+            diskUsageMB: 0, // Disk stats require additional API call
+            networkRxBytes,
+            networkTxBytes,
+            pidsCount,
+            timestamp: new Date(),
+        };
+    }
+    /**
+     * Check resource thresholds and emit events
+     */
+    async checkThresholds(monitored, stats) {
+        const { thresholds } = this.config;
+        // Check CPU threshold
+        if (stats.cpuPercent > thresholds.cpuPercent) {
+            monitored.consecutiveHighCpu++;
+            if (monitored.consecutiveHighCpu >= 3) {
+                await this.emitEvent({
+                    type: 'resource_limit_exceeded',
+                    containerId: monitored.containerId,
+                    agentId: monitored.agentId,
+                    agentType: monitored.agentType,
+                    timestamp: new Date(),
+                    details: {
+                        resource: 'cpu',
+                        current: stats.cpuPercent,
+                        threshold: thresholds.cpuPercent,
+                    },
+                });
+            }
+        }
+        else {
+            monitored.consecutiveHighCpu = 0;
+        }
+        // Check memory threshold
+        if (stats.memoryPercent > thresholds.memoryPercent) {
+            monitored.consecutiveHighMemory++;
+            // OOM prevention
+            if (this.config.enableOomPrevention &&
+                stats.memoryPercent > this.config.oomPreventionThreshold) {
+                await this.emitEvent({
+                    type: 'oom_killed',
+                    containerId: monitored.containerId,
+                    agentId: monitored.agentId,
+                    agentType: monitored.agentType,
+                    timestamp: new Date(),
+                    details: {
+                        memoryPercent: stats.memoryPercent,
+                        threshold: this.config.oomPreventionThreshold,
+                        action: 'container_restart_recommended',
+                    },
+                });
+            }
+            else if (monitored.consecutiveHighMemory >= 3) {
+                await this.emitEvent({
+                    type: 'resource_limit_exceeded',
+                    containerId: monitored.containerId,
+                    agentId: monitored.agentId,
+                    agentType: monitored.agentType,
+                    timestamp: new Date(),
+                    details: {
+                        resource: 'memory',
+                        current: stats.memoryPercent,
+                        threshold: thresholds.memoryPercent,
+                    },
+                });
+            }
+        }
+        else {
+            monitored.consecutiveHighMemory = 0;
+        }
+    }
+    /**
+     * Emit event to all handlers
+     */
+    async emitEvent(event) {
+        for (const handler of this.eventHandlers) {
+            try {
+                await handler(event);
+            }
+            catch (error) {
+                console.error('Error in sandbox event handler:', error);
+            }
+        }
+    }
+    /**
+     * Get monitoring status
+     */
+    getStatus() {
+        return {
+            running: this.isRunning,
+            containerCount: this.containers.size,
+            intervalMs: this.config.intervalMs,
+        };
+    }
+}
+exports.ResourceMonitor = ResourceMonitor;
+//# sourceMappingURL=ResourceMonitor.js.map

package/dist/infrastructure/sandbox/ResourceMonitor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ResourceMonitor.js","sourceRoot":"","sources":["../../../src/infrastructure/sandbox/ResourceMonitor.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAmBH;;GAEG;AACU,QAAA,kBAAkB,GAAuB;IACpD,UAAU,EAAE,EAAE;IACd,aAAa,EAAE,EAAE;IACjB,WAAW,EAAE,EAAE;CAChB,CAAC;AAmBF;;GAEG;AACU,QAAA,sBAAsB,GAA0B;IAC3D,UAAU,EAAE,IAAI;IAChB,UAAU,EAAE,0BAAkB;IAC9B,mBAAmB,EAAE,IAAI;IACzB,sBAAsB,EAAE,EAAE;CAC3B,CAAC;AAcF;;GAEG;AACH,MAAa,eAAe;IAQ1B,YAAY,MAAc,EAAE,SAAyC,EAAE;QAJ/D,oBAAe,GAA0C,IAAI,CAAC;QAC9D,kBAAa,GAA0B,EAAE,CAAC;QAC1C,cAAS,GAAY,KAAK,CAAC;QAGjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,8BAAsB,EAAE,GAAG,MAAM,EAAE,CAAC;QACvD,IAAI,CAAC,UAAU,GAAG,IAAI,GAAG,EAAE,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,WAAmB,EAAE,OAAe,EAAE,SAAiB;QAClE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE;YAC/B,WAAW;YACX,OAAO;YACP,SAAS;YACT,qBAAqB,EAAE,CAAC;YACxB,kBAAkB,EAAE,CAAC;SACtB,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,WAAmB;QACjC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO;QAE3B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACtB,IAAI,CAAC,eAAe,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE;YAC5C,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC/B,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAE3B,oCAAoC;QACpC,IAAI,CAAC,eAAe,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,IAAI;QACF,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;QAC9B,CAAC;QACD,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,WAAmB;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACnD,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAE5B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;YAC5D,IAAI,KAAK,EAAE,CAAC;gBACV,SAAS,CAAC,SAAS,GAAG,KAAK,CAAC;YAC9B,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,2BAA2B,WAAW,GAAG,EAAE,KAAK,CAAC,CAAC;YAChE,OAAO,SAAS,CAAC,SAAS,IAAI,IAAI,CAAC;QACrC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,WAAmB;QAChC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,SAAS,IAAI,IAAI,CAAC;IAC7D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,MAAM,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;QAEhD,KAAK,MAAM,CAAC,WAAW,EAAE,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACvD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAC/C,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,EAAE,CAAC,OAA4B;QAC7B,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,OAA4B;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;YACjB,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,eAAe;QAC3B,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CACtE,IAAI,CAAC,wBAAwB,CAAC,WAAW,CAAC,CAC3C,CAAC;QAEF,MAAM,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,wBAAwB,CAAC,WAAmB;QACxD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACnD,IAAI,CAAC,SAAS;YAAE,OAAO;QAEvB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;YAC5D,IAAI,CAAC,KAAK;gBAAE,OAAO;YAEnB,SAAS,CAAC,SAAS,GAAG,KAAK,CAAC;YAE5B,mBAAmB;YACnB,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,oCAAoC;YACpC,IAAK,KAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;gBAC5D,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,qBAAqB,CAAC,WAAmB;QACrD,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;YACxD,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YAEvD,OAAO,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,KAA4B;QACnD,2BAA2B;QAC3B,MAAM,QAAQ,GACZ,KAAK,CAAC,SAAS,CAAC,SAAS,CAAC,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,SAAS,CAAC,WAAW,CAAC;QACnF,MAAM,WAAW,GAAG,KAAK,CAAC,SAAS,CAAC,gBAAgB,GAAG,KAAK,CAAC,YAAY,CAAC,gBAAgB,CAAC;QAC3F,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAS,CAAC,WAAW,IAAI,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,GAAG,WAAW,CAAC,GAAG,QAAQ,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnF,eAAe;QACf,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC,CAAC;QAClD,MAAM,WAAW,GAAG,KAAK,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC,CAAC;QAClD,MAAM,aAAa,GAAG,WAAW,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;QAClD,MAAM,aAAa,GAAG,WAAW,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;QAClD,MAAM,aAAa,GAAG,CAAC,WAAW,GAAG,WAAW,CAAC,GAAG,GAAG,CAAC;QAExD,gBAAgB;QAChB,IAAI,cAAc,GAAG,CAAC,CAAC;QACvB,IAAI,cAAc,GAAG,CAAC,CAAC;QACvB,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACpD,cAAc,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC;gBACxC,cAAc,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;QAED,OAAO;QACP,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,EAAE,OAAO,IAAI,CAAC,CAAC;QAEjD,OAAO;YACL,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,GAAG,CAAC,GAAG,GAAG;YAC9C,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa,GAAG,GAAG,CAAC,GAAG,GAAG;YACpD,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa,GAAG,GAAG,CAAC,GAAG,GAAG;YACpD,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa,GAAG,GAAG,CAAC,GAAG,GAAG;YACpD,WAAW,EAAE,CAAC,EAAE,yCAAyC;YACzD,cAAc;YACd,cAAc;YACd,SAAS;YACT,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,eAAe,CAC3B,SAA6B,EAC7B,KAAoB;QAEpB,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QAEnC,sBAAsB;QACtB,IAAI,KAAK,CAAC,UAAU,GAAG,UAAU,CAAC,UAAU,EAAE,CAAC;YAC7C,SAAS,CAAC,kBAAkB,EAAE,CAAC;YAC/B,IAAI,SAAS,CAAC,kBAAkB,IAAI,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,CAAC,SAAS,CAAC;oBACnB,IAAI,EAAE,yBAAyB;oBAC/B,WAAW,EAAE,SAAS,CAAC,WAAW;oBAClC,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,SAAS,EAAE,SAAS,CAAC,SAAS;oBAC9B,SAAS,EAAE,IAAI,IAAI,EAAE;oBACrB,OAAO,EAAE;wBACP,QAAQ,EAAE,KAAK;wBACf,OAAO,EAAE,KAAK,CAAC,UAAU;wBACzB,SAAS,EAAE,UAAU,CAAC,UAAU;qBACjC;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,kBAAkB,GAAG,CAAC,CAAC;QACnC,CAAC;QAED,yBAAyB;QACzB,IAAI,KAAK,CAAC,aAAa,GAAG,UAAU,CAAC,aAAa,EAAE,CAAC;YACnD,SAAS,CAAC,qBAAqB,EAAE,CAAC;YAElC,iBAAiB;YACjB,IACE,IAAI,CAAC,MAAM,CAAC,mBAAmB;gBAC/B,KAAK,CAAC,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,sBAAsB,EACxD,CAAC;gBACD,MAAM,IAAI,CAAC,SAAS,CAAC;oBACnB,IAAI,EAAE,YAAY;oBAClB,WAAW,EAAE,SAAS,CAAC,WAAW;oBAClC,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,SAAS,EAAE,SAAS,CAAC,SAAS;oBAC9B,SAAS,EAAE,IAAI,IAAI,EAAE;oBACrB,OAAO,EAAE;wBACP,aAAa,EAAE,KAAK,CAAC,aAAa;wBAClC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,sBAAsB;wBAC7C,MAAM,EAAE,+BAA+B;qBACxC;iBACF,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,SAAS,CAAC,qBAAqB,IAAI,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,CAAC,SAAS,CAAC;oBACnB,IAAI,EAAE,yBAAyB;oBAC/B,WAAW,EAAE,SAAS,CAAC,WAAW;oBAClC,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,SAAS,EAAE,SAAS,CAAC,SAAS;oBAC9B,SAAS,EAAE,IAAI,IAAI,EAAE;oBACrB,OAAO,EAAE;wBACP,QAAQ,EAAE,QAAQ;wBAClB,OAAO,EAAE,KAAK,CAAC,aAAa;wBAC5B,SAAS,EAAE,UAAU,CAAC,aAAa;qBACpC;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,qBAAqB,GAAG,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,KAAmB;QACzC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,SAAS;QAKP,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,SAAS;YACvB,cAAc,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI;YACpC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;SACnC,CAAC;IACJ,CAAC;CACF;AApTD,0CAoTC"}

package/dist/infrastructure/sandbox/SandboxManager.d.ts

@@ -0,0 +1,122 @@
+/**
+ * Sandbox Manager for Docker-Based Agent Isolation
+ *
+ * Manages the lifecycle of sandboxed agent containers with resource limits
+ * enforced by cgroups. Provides secure, isolated execution environments
+ * for QE agents.
+ *
+ * @module infrastructure/sandbox/SandboxManager
+ * @see Issue #146 - Security Hardening: Docker Sandboxing
+ */
+import type { SandboxConfig, SandboxManagerConfig, ContainerInfo, ResourceStats, SandboxCreateResult, SandboxDestroyResult, HealthCheckResult, SandboxEventHandler } from './types.js';
+/**
+ * SandboxManager manages Docker containers for secure agent execution
+ */
+export declare class SandboxManager {
+    private docker;
+    private config;
+    private containers;
+    private resourceMonitor;
+    private eventHandlers;
+    private isInitialized;
+    private networkId;
+    constructor(config?: Partial<SandboxManagerConfig>);
+    /**
+     * Initialize the sandbox manager
+     * Creates network if needed and validates Docker connection
+     */
+    initialize(): Promise<void>;
+    /**
+     * Shutdown the sandbox manager
+     * Optionally cleans up all containers
+     */
+    shutdown(): Promise<void>;
+    /**
+     * Create a sandboxed container for an agent
+     */
+    createSandbox(agentId: string, agentType: string, customConfig?: Partial<SandboxConfig>): Promise<SandboxCreateResult>;
+    /**
+     * Destroy a sandboxed container
+     */
+    destroySandbox(containerId: string, force?: boolean): Promise<SandboxDestroyResult>;
+    /**
+     * Destroy all sandboxed containers
+     */
+    destroyAll(): Promise<SandboxDestroyResult[]>;
+    /**
+     * Get resource usage for a container
+     */
+    getResourceUsage(containerId: string): Promise<ResourceStats | null>;
+    /**
+     * List all sandboxed containers
+     */
+    listSandboxes(): ContainerInfo[];
+    /**
+     * Get container info by ID
+     */
+    getContainer(containerId: string): ContainerInfo | undefined;
+    /**
+     * Get container by agent ID
+     */
+    getContainerByAgentId(agentId: string): ContainerInfo | undefined;
+    /**
+     * Check container health
+     */
+    healthCheck(containerId: string): Promise<HealthCheckResult>;
+    /**
+     * Execute a command in a container
+     */
+    exec(containerId: string, command: string[]): Promise<{
+        exitCode: number;
+        output: string;
+    }>;
+    /**
+     * Get container logs
+     */
+    getLogs(containerId: string, options?: {
+        tail?: number;
+        since?: number;
+    }): Promise<string>;
+    /**
+     * Add event handler
+     */
+    on(handler: SandboxEventHandler): void;
+    /**
+     * Remove event handler
+     */
+    off(handler: SandboxEventHandler): void;
+    /**
+     * Check if Docker is available
+     */
+    isDockerAvailable(): Promise<boolean>;
+    /**
+     * Get manager status
+     */
+    getStatus(): {
+        initialized: boolean;
+        dockerAvailable: boolean;
+        containerCount: number;
+        networkId: string | null;
+    };
+    /**
+     * Build Docker container create options
+     */
+    private buildContainerOptions;
+    /**
+     * Ensure sandbox network exists
+     */
+    private ensureNetwork;
+    /**
+     * Parse memory string to bytes
+     */
+    private parseMemory;
+    /**
+     * Emit event to all handlers
+     */
+    private emitEvent;
+}
+/**
+ * Create a new SandboxManager instance
+ */
+export declare function createSandboxManager(config?: Partial<SandboxManagerConfig>): SandboxManager;
+//# sourceMappingURL=SandboxManager.d.ts.map

package/dist/infrastructure/sandbox/SandboxManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SandboxManager.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/sandbox/SandboxManager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EACV,aAAa,EACb,oBAAoB,EACpB,aAAa,EACb,aAAa,EACb,mBAAmB,EACnB,oBAAoB,EACpB,iBAAiB,EAEjB,mBAAmB,EAEpB,MAAM,YAAY,CAAC;AAoBpB;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,UAAU,CAA6B;IAC/C,OAAO,CAAC,eAAe,CAAkB;IACzC,OAAO,CAAC,aAAa,CAA6B;IAClD,OAAO,CAAC,aAAa,CAAkB;IACvC,OAAO,CAAC,SAAS,CAAuB;gBAE5B,MAAM,GAAE,OAAO,CAAC,oBAAoB,CAAM;IAsBtD;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAqBjC;;;OAGG;IACG,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAU/B;;OAEG;IACG,aAAa,CACjB,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,YAAY,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,GACpC,OAAO,CAAC,mBAAmB,CAAC;IAwE/B;;OAEG;IACG,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,GAAE,OAAe,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAwDhG;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAWnD;;OAEG;IACG,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAI1E;;OAEG;IACH,aAAa,IAAI,aAAa,EAAE;IAIhC;;OAEG;IACH,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAI5D;;OAEG;IACH,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IASjE;;OAEG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAqClE;;OAEG;IACG,IAAI,CACR,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EAAE,GAChB,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAmChD;;OAEG;IACG,OAAO,CACX,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,GAC9C,OAAO,CAAC,MAAM,CAAC;IAalB;;OAEG;IACH,EAAE,CAAC,OAAO,EAAE,mBAAmB,GAAG,IAAI;IAItC;;OAEG;IACH,GAAG,CAAC,OAAO,EAAE,mBAAmB,GAAG,IAAI;IAOvC;;OAEG;IACG,iBAAiB,IAAI,OAAO,CAAC,OAAO,CAAC;IAS3C;;OAEG;IACH,SAAS,IAAI;QACX,WAAW,EAAE,OAAO,CAAC;QACrB,eAAe,EAAE,OAAO,CAAC;QACzB,cAAc,EAAE,MAAM,CAAC;QACvB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;KAC1B;IAaD;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAsG7B;;OAEG;YACW,aAAa;IA8B3B;;OAEG;IACH,OAAO,CAAC,WAAW;IAoBnB;;OAEG;YACW,SAAS;CASxB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC,GAAG,cAAc,CAE3F"}