agentic-qe 2.8.0 → 2.8.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +148 -0
- package/README.md +1 -1
- package/dist/agents/BaseAgent.d.ts +329 -0
- package/dist/agents/BaseAgent.d.ts.map +1 -1
- package/dist/agents/BaseAgent.js +657 -0
- package/dist/agents/BaseAgent.js.map +1 -1
- package/dist/cli/commands/supabase/index.d.ts +20 -0
- package/dist/cli/commands/supabase/index.d.ts.map +1 -0
- package/dist/cli/commands/supabase/index.js +632 -0
- package/dist/cli/commands/supabase/index.js.map +1 -0
- package/dist/cli/index.js +3 -0
- package/dist/cli/index.js.map +1 -1
- package/dist/code-intelligence/embeddings/EmbeddingCacheFactory.d.ts +135 -0
- package/dist/code-intelligence/embeddings/EmbeddingCacheFactory.d.ts.map +1 -0
- package/dist/code-intelligence/embeddings/EmbeddingCacheFactory.js +301 -0
- package/dist/code-intelligence/embeddings/EmbeddingCacheFactory.js.map +1 -0
- package/dist/code-intelligence/embeddings/NomicEmbedder.d.ts +78 -6
- package/dist/code-intelligence/embeddings/NomicEmbedder.d.ts.map +1 -1
- package/dist/code-intelligence/embeddings/NomicEmbedder.js +162 -21
- package/dist/code-intelligence/embeddings/NomicEmbedder.js.map +1 -1
- package/dist/code-intelligence/embeddings/backends/MemoryBackend.d.ts +59 -0
- package/dist/code-intelligence/embeddings/backends/MemoryBackend.d.ts.map +1 -0
- package/dist/code-intelligence/embeddings/backends/MemoryBackend.js +173 -0
- package/dist/code-intelligence/embeddings/backends/MemoryBackend.js.map +1 -0
- package/dist/code-intelligence/embeddings/backends/RedisBackend.d.ts +50 -0
- package/dist/code-intelligence/embeddings/backends/RedisBackend.d.ts.map +1 -0
- package/dist/code-intelligence/embeddings/backends/RedisBackend.js +279 -0
- package/dist/code-intelligence/embeddings/backends/RedisBackend.js.map +1 -0
- package/dist/code-intelligence/embeddings/backends/SQLiteBackend.d.ts +64 -0
- package/dist/code-intelligence/embeddings/backends/SQLiteBackend.d.ts.map +1 -0
- package/dist/code-intelligence/embeddings/backends/SQLiteBackend.js +314 -0
- package/dist/code-intelligence/embeddings/backends/SQLiteBackend.js.map +1 -0
- package/dist/code-intelligence/embeddings/backends/index.d.ts +16 -0
- package/dist/code-intelligence/embeddings/backends/index.d.ts.map +1 -0
- package/dist/code-intelligence/embeddings/backends/index.js +28 -0
- package/dist/code-intelligence/embeddings/backends/index.js.map +1 -0
- package/dist/code-intelligence/embeddings/backends/types.d.ts +177 -0
- package/dist/code-intelligence/embeddings/backends/types.d.ts.map +1 -0
- package/dist/code-intelligence/embeddings/backends/types.js +30 -0
- package/dist/code-intelligence/embeddings/backends/types.js.map +1 -0
- package/dist/code-intelligence/embeddings/index.d.ts +7 -0
- package/dist/code-intelligence/embeddings/index.d.ts.map +1 -1
- package/dist/code-intelligence/embeddings/index.js +16 -1
- package/dist/code-intelligence/embeddings/index.js.map +1 -1
- package/dist/core/memory/HNSWVectorMemory.js +1 -1
- package/dist/infrastructure/index.d.ts +15 -0
- package/dist/infrastructure/index.d.ts.map +1 -0
- package/dist/infrastructure/index.js +44 -0
- package/dist/infrastructure/index.js.map +1 -0
- package/dist/infrastructure/network/AgentRateLimiter.d.ts +59 -0
- package/dist/infrastructure/network/AgentRateLimiter.d.ts.map +1 -0
- package/dist/infrastructure/network/AgentRateLimiter.js +186 -0
- package/dist/infrastructure/network/AgentRateLimiter.js.map +1 -0
- package/dist/infrastructure/network/AuditLogger.d.ts +102 -0
- package/dist/infrastructure/network/AuditLogger.d.ts.map +1 -0
- package/dist/infrastructure/network/AuditLogger.js +284 -0
- package/dist/infrastructure/network/AuditLogger.js.map +1 -0
- package/dist/infrastructure/network/DomainWhitelist.d.ts +111 -0
- package/dist/infrastructure/network/DomainWhitelist.d.ts.map +1 -0
- package/dist/infrastructure/network/DomainWhitelist.js +216 -0
- package/dist/infrastructure/network/DomainWhitelist.js.map +1 -0
- package/dist/infrastructure/network/NetworkPolicyManager.d.ts +97 -0
- package/dist/infrastructure/network/NetworkPolicyManager.d.ts.map +1 -0
- package/dist/infrastructure/network/NetworkPolicyManager.js +309 -0
- package/dist/infrastructure/network/NetworkPolicyManager.js.map +1 -0
- package/dist/infrastructure/network/index.d.ts +19 -0
- package/dist/infrastructure/network/index.d.ts.map +1 -0
- package/dist/infrastructure/network/index.js +46 -0
- package/dist/infrastructure/network/index.js.map +1 -0
- package/dist/infrastructure/network/policies/default-policies.d.ts +78 -0
- package/dist/infrastructure/network/policies/default-policies.d.ts.map +1 -0
- package/dist/infrastructure/network/policies/default-policies.js +312 -0
- package/dist/infrastructure/network/policies/default-policies.js.map +1 -0
- package/dist/infrastructure/network/types.d.ts +214 -0
- package/dist/infrastructure/network/types.d.ts.map +1 -0
- package/dist/infrastructure/network/types.js +25 -0
- package/dist/infrastructure/network/types.js.map +1 -0
- package/dist/infrastructure/sandbox/ResourceMonitor.d.ts +124 -0
- package/dist/infrastructure/sandbox/ResourceMonitor.d.ts.map +1 -0
- package/dist/infrastructure/sandbox/ResourceMonitor.js +305 -0
- package/dist/infrastructure/sandbox/ResourceMonitor.js.map +1 -0
- package/dist/infrastructure/sandbox/SandboxManager.d.ts +122 -0
- package/dist/infrastructure/sandbox/SandboxManager.d.ts.map +1 -0
- package/dist/infrastructure/sandbox/SandboxManager.js +527 -0
- package/dist/infrastructure/sandbox/SandboxManager.js.map +1 -0
- package/dist/infrastructure/sandbox/index.d.ts +18 -0
- package/dist/infrastructure/sandbox/index.d.ts.map +1 -0
- package/dist/infrastructure/sandbox/index.js +38 -0
- package/dist/infrastructure/sandbox/index.js.map +1 -0
- package/dist/infrastructure/sandbox/profiles/agent-profiles.d.ts +53 -0
- package/dist/infrastructure/sandbox/profiles/agent-profiles.d.ts.map +1 -0
- package/dist/infrastructure/sandbox/profiles/agent-profiles.js +433 -0
- package/dist/infrastructure/sandbox/profiles/agent-profiles.js.map +1 -0
- package/dist/infrastructure/sandbox/types.d.ts +227 -0
- package/dist/infrastructure/sandbox/types.d.ts.map +1 -0
- package/dist/infrastructure/sandbox/types.js +63 -0
- package/dist/infrastructure/sandbox/types.js.map +1 -0
- package/dist/mcp/handlers/NewDomainToolsHandler.d.ts +8 -8
- package/dist/mcp/handlers/NewDomainToolsHandler.d.ts.map +1 -1
- package/dist/mcp/handlers/NewDomainToolsHandler.js.map +1 -1
- package/dist/mcp/handlers/ruvector/RuVectorHandler.d.ts +54 -0
- package/dist/mcp/handlers/ruvector/RuVectorHandler.d.ts.map +1 -0
- package/dist/mcp/handlers/ruvector/RuVectorHandler.js +325 -0
- package/dist/mcp/handlers/ruvector/RuVectorHandler.js.map +1 -0
- package/dist/mcp/handlers/ruvector/index.d.ts +5 -0
- package/dist/mcp/handlers/ruvector/index.d.ts.map +1 -0
- package/dist/mcp/handlers/ruvector/index.js +9 -0
- package/dist/mcp/handlers/ruvector/index.js.map +1 -0
- package/dist/mcp/server-instructions.d.ts +1 -1
- package/dist/mcp/server-instructions.js +1 -1
- package/dist/mcp/server.d.ts.map +1 -1
- package/dist/mcp/server.js +100 -22
- package/dist/mcp/server.js.map +1 -1
- package/dist/nervous-system/adapters/BTSPAdapter.d.ts +342 -0
- package/dist/nervous-system/adapters/BTSPAdapter.d.ts.map +1 -0
- package/dist/nervous-system/adapters/BTSPAdapter.js +494 -0
- package/dist/nervous-system/adapters/BTSPAdapter.js.map +1 -0
- package/dist/nervous-system/adapters/CircadianController.d.ts +560 -0
- package/dist/nervous-system/adapters/CircadianController.d.ts.map +1 -0
- package/dist/nervous-system/adapters/CircadianController.js +882 -0
- package/dist/nervous-system/adapters/CircadianController.js.map +1 -0
- package/dist/nervous-system/adapters/GlobalWorkspaceAdapter.d.ts +337 -0
- package/dist/nervous-system/adapters/GlobalWorkspaceAdapter.d.ts.map +1 -0
- package/dist/nervous-system/adapters/GlobalWorkspaceAdapter.js +532 -0
- package/dist/nervous-system/adapters/GlobalWorkspaceAdapter.js.map +1 -0
- package/dist/nervous-system/adapters/HdcMemoryAdapter.d.ts +444 -0
- package/dist/nervous-system/adapters/HdcMemoryAdapter.d.ts.map +1 -0
- package/dist/nervous-system/adapters/HdcMemoryAdapter.js +715 -0
- package/dist/nervous-system/adapters/HdcMemoryAdapter.js.map +1 -0
- package/dist/nervous-system/adapters/ReflexLayer.d.ts +231 -0
- package/dist/nervous-system/adapters/ReflexLayer.d.ts.map +1 -0
- package/dist/nervous-system/adapters/ReflexLayer.js +309 -0
- package/dist/nervous-system/adapters/ReflexLayer.js.map +1 -0
- package/dist/nervous-system/index.d.ts +25 -0
- package/dist/nervous-system/index.d.ts.map +1 -0
- package/dist/nervous-system/index.js +80 -0
- package/dist/nervous-system/index.js.map +1 -0
- package/dist/nervous-system/integration/BTSPLearningEngine.d.ts +266 -0
- package/dist/nervous-system/integration/BTSPLearningEngine.d.ts.map +1 -0
- package/dist/nervous-system/integration/BTSPLearningEngine.js +587 -0
- package/dist/nervous-system/integration/BTSPLearningEngine.js.map +1 -0
- package/dist/nervous-system/integration/CircadianAgent.d.ts +389 -0
- package/dist/nervous-system/integration/CircadianAgent.d.ts.map +1 -0
- package/dist/nervous-system/integration/CircadianAgent.js +696 -0
- package/dist/nervous-system/integration/CircadianAgent.js.map +1 -0
- package/dist/nervous-system/integration/HybridPatternStore.d.ts +244 -0
- package/dist/nervous-system/integration/HybridPatternStore.d.ts.map +1 -0
- package/dist/nervous-system/integration/HybridPatternStore.js +622 -0
- package/dist/nervous-system/integration/HybridPatternStore.js.map +1 -0
- package/dist/nervous-system/integration/NervousSystemEnhancement.d.ts +459 -0
- package/dist/nervous-system/integration/NervousSystemEnhancement.d.ts.map +1 -0
- package/dist/nervous-system/integration/NervousSystemEnhancement.js +921 -0
- package/dist/nervous-system/integration/NervousSystemEnhancement.js.map +1 -0
- package/dist/nervous-system/integration/WorkspaceAgent.d.ts +398 -0
- package/dist/nervous-system/integration/WorkspaceAgent.d.ts.map +1 -0
- package/dist/nervous-system/integration/WorkspaceAgent.js +722 -0
- package/dist/nervous-system/integration/WorkspaceAgent.js.map +1 -0
- package/dist/nervous-system/integration/index.d.ts +22 -0
- package/dist/nervous-system/integration/index.d.ts.map +1 -0
- package/dist/nervous-system/integration/index.js +44 -0
- package/dist/nervous-system/integration/index.js.map +1 -0
- package/dist/nervous-system/persistence/BTSPSerializer.d.ts +96 -0
- package/dist/nervous-system/persistence/BTSPSerializer.d.ts.map +1 -0
- package/dist/nervous-system/persistence/BTSPSerializer.js +223 -0
- package/dist/nervous-system/persistence/BTSPSerializer.js.map +1 -0
- package/dist/nervous-system/persistence/CircadianSerializer.d.ts +90 -0
- package/dist/nervous-system/persistence/CircadianSerializer.d.ts.map +1 -0
- package/dist/nervous-system/persistence/CircadianSerializer.js +239 -0
- package/dist/nervous-system/persistence/CircadianSerializer.js.map +1 -0
- package/dist/nervous-system/persistence/HdcSerializer.d.ts +100 -0
- package/dist/nervous-system/persistence/HdcSerializer.d.ts.map +1 -0
- package/dist/nervous-system/persistence/HdcSerializer.js +259 -0
- package/dist/nervous-system/persistence/HdcSerializer.js.map +1 -0
- package/dist/nervous-system/persistence/INervousSystemStore.d.ts +208 -0
- package/dist/nervous-system/persistence/INervousSystemStore.d.ts.map +1 -0
- package/dist/nervous-system/persistence/INervousSystemStore.js +11 -0
- package/dist/nervous-system/persistence/INervousSystemStore.js.map +1 -0
- package/dist/nervous-system/persistence/NervousSystemPersistenceManager.d.ts +187 -0
- package/dist/nervous-system/persistence/NervousSystemPersistenceManager.d.ts.map +1 -0
- package/dist/nervous-system/persistence/NervousSystemPersistenceManager.js +411 -0
- package/dist/nervous-system/persistence/NervousSystemPersistenceManager.js.map +1 -0
- package/dist/nervous-system/persistence/SQLiteNervousSystemStore.d.ts +98 -0
- package/dist/nervous-system/persistence/SQLiteNervousSystemStore.d.ts.map +1 -0
- package/dist/nervous-system/persistence/SQLiteNervousSystemStore.js +510 -0
- package/dist/nervous-system/persistence/SQLiteNervousSystemStore.js.map +1 -0
- package/dist/nervous-system/persistence/index.d.ts +22 -0
- package/dist/nervous-system/persistence/index.d.ts.map +1 -0
- package/dist/nervous-system/persistence/index.js +45 -0
- package/dist/nervous-system/persistence/index.js.map +1 -0
- package/dist/nervous-system/wasm-loader.d.ts +52 -0
- package/dist/nervous-system/wasm-loader.d.ts.map +1 -0
- package/dist/nervous-system/wasm-loader.js +188 -0
- package/dist/nervous-system/wasm-loader.js.map +1 -0
- package/dist/persistence/HybridPersistenceProvider.d.ts +184 -0
- package/dist/persistence/HybridPersistenceProvider.d.ts.map +1 -0
- package/dist/persistence/HybridPersistenceProvider.js +1086 -0
- package/dist/persistence/HybridPersistenceProvider.js.map +1 -0
- package/dist/persistence/IPersistenceProvider.d.ts +657 -0
- package/dist/persistence/IPersistenceProvider.d.ts.map +1 -0
- package/dist/persistence/IPersistenceProvider.js +11 -0
- package/dist/persistence/IPersistenceProvider.js.map +1 -0
- package/dist/persistence/SupabaseConfig.d.ts +176 -0
- package/dist/persistence/SupabaseConfig.d.ts.map +1 -0
- package/dist/persistence/SupabaseConfig.js +277 -0
- package/dist/persistence/SupabaseConfig.js.map +1 -0
- package/dist/persistence/SupabasePersistenceProvider.d.ts +143 -0
- package/dist/persistence/SupabasePersistenceProvider.d.ts.map +1 -0
- package/dist/persistence/SupabasePersistenceProvider.js +959 -0
- package/dist/persistence/SupabasePersistenceProvider.js.map +1 -0
- package/dist/persistence/adapters/CodeIntelligenceSyncAdapter.d.ts +213 -0
- package/dist/persistence/adapters/CodeIntelligenceSyncAdapter.d.ts.map +1 -0
- package/dist/persistence/adapters/CodeIntelligenceSyncAdapter.js +468 -0
- package/dist/persistence/adapters/CodeIntelligenceSyncAdapter.js.map +1 -0
- package/dist/persistence/adapters/MemorySyncAdapter.d.ts +115 -0
- package/dist/persistence/adapters/MemorySyncAdapter.d.ts.map +1 -0
- package/dist/persistence/adapters/MemorySyncAdapter.js +291 -0
- package/dist/persistence/adapters/MemorySyncAdapter.js.map +1 -0
- package/dist/persistence/adapters/index.d.ts +11 -0
- package/dist/persistence/adapters/index.d.ts.map +1 -0
- package/dist/persistence/adapters/index.js +20 -0
- package/dist/persistence/adapters/index.js.map +1 -0
- package/dist/persistence/index.d.ts +14 -0
- package/dist/persistence/index.d.ts.map +1 -1
- package/dist/persistence/index.js +36 -1
- package/dist/persistence/index.js.map +1 -1
- package/package.json +7 -1
|
@@ -0,0 +1,527 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Sandbox Manager for Docker-Based Agent Isolation
|
|
4
|
+
*
|
|
5
|
+
* Manages the lifecycle of sandboxed agent containers with resource limits
|
|
6
|
+
* enforced by cgroups. Provides secure, isolated execution environments
|
|
7
|
+
* for QE agents.
|
|
8
|
+
*
|
|
9
|
+
* @module infrastructure/sandbox/SandboxManager
|
|
10
|
+
* @see Issue #146 - Security Hardening: Docker Sandboxing
|
|
11
|
+
*/
|
|
12
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
13
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
14
|
+
};
|
|
15
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
16
|
+
exports.SandboxManager = void 0;
|
|
17
|
+
exports.createSandboxManager = createSandboxManager;
|
|
18
|
+
const dockerode_1 = __importDefault(require("dockerode"));
|
|
19
|
+
const types_js_1 = require("./types.js");
|
|
20
|
+
const agent_profiles_js_1 = require("./profiles/agent-profiles.js");
|
|
21
|
+
const ResourceMonitor_js_1 = require("./ResourceMonitor.js");
|
|
22
|
+
/**
|
|
23
|
+
* Default manager configuration
|
|
24
|
+
*/
|
|
25
|
+
const DEFAULT_MANAGER_CONFIG = {
|
|
26
|
+
agentImage: 'agentic-qe-agent',
|
|
27
|
+
imageTag: 'latest',
|
|
28
|
+
networkName: 'agentic-qe-sandbox',
|
|
29
|
+
enableLogging: true,
|
|
30
|
+
logDriver: 'json-file',
|
|
31
|
+
logMaxSize: '10m',
|
|
32
|
+
logMaxFiles: 3,
|
|
33
|
+
cleanupOnShutdown: true,
|
|
34
|
+
healthCheckIntervalMs: 30000,
|
|
35
|
+
};
|
|
36
|
+
/**
|
|
37
|
+
* SandboxManager manages Docker containers for secure agent execution
|
|
38
|
+
*/
|
|
39
|
+
class SandboxManager {
|
|
40
|
+
constructor(config = {}) {
|
|
41
|
+
this.eventHandlers = [];
|
|
42
|
+
this.isInitialized = false;
|
|
43
|
+
this.networkId = null;
|
|
44
|
+
this.config = { ...DEFAULT_MANAGER_CONFIG, ...config };
|
|
45
|
+
// Initialize Docker client
|
|
46
|
+
const dockerOptions = {};
|
|
47
|
+
if (this.config.dockerSocketPath) {
|
|
48
|
+
dockerOptions.socketPath = this.config.dockerSocketPath;
|
|
49
|
+
}
|
|
50
|
+
else if (this.config.dockerHost) {
|
|
51
|
+
dockerOptions.host = this.config.dockerHost;
|
|
52
|
+
}
|
|
53
|
+
if (this.config.dockerVersion) {
|
|
54
|
+
dockerOptions.version = this.config.dockerVersion;
|
|
55
|
+
}
|
|
56
|
+
this.docker = new dockerode_1.default(dockerOptions);
|
|
57
|
+
this.containers = new Map();
|
|
58
|
+
this.resourceMonitor = new ResourceMonitor_js_1.ResourceMonitor(this.docker);
|
|
59
|
+
// Forward resource monitor events
|
|
60
|
+
this.resourceMonitor.on((event) => this.emitEvent(event));
|
|
61
|
+
}
|
|
62
|
+
/**
|
|
63
|
+
* Initialize the sandbox manager
|
|
64
|
+
* Creates network if needed and validates Docker connection
|
|
65
|
+
*/
|
|
66
|
+
async initialize() {
|
|
67
|
+
if (this.isInitialized)
|
|
68
|
+
return;
|
|
69
|
+
try {
|
|
70
|
+
// Verify Docker connection
|
|
71
|
+
await this.docker.ping();
|
|
72
|
+
// Create sandbox network if needed
|
|
73
|
+
if (this.config.networkName) {
|
|
74
|
+
await this.ensureNetwork();
|
|
75
|
+
}
|
|
76
|
+
// Start resource monitoring
|
|
77
|
+
this.resourceMonitor.start();
|
|
78
|
+
this.isInitialized = true;
|
|
79
|
+
}
|
|
80
|
+
catch (error) {
|
|
81
|
+
throw new Error(`Failed to initialize SandboxManager: ${error.message}`);
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
/**
|
|
85
|
+
* Shutdown the sandbox manager
|
|
86
|
+
* Optionally cleans up all containers
|
|
87
|
+
*/
|
|
88
|
+
async shutdown() {
|
|
89
|
+
this.resourceMonitor.stop();
|
|
90
|
+
if (this.config.cleanupOnShutdown) {
|
|
91
|
+
await this.destroyAll();
|
|
92
|
+
}
|
|
93
|
+
this.isInitialized = false;
|
|
94
|
+
}
|
|
95
|
+
/**
|
|
96
|
+
* Create a sandboxed container for an agent
|
|
97
|
+
*/
|
|
98
|
+
async createSandbox(agentId, agentType, customConfig) {
|
|
99
|
+
if (!this.isInitialized) {
|
|
100
|
+
await this.initialize();
|
|
101
|
+
}
|
|
102
|
+
try {
|
|
103
|
+
// Get profile config and merge with custom config
|
|
104
|
+
const profileConfig = (0, agent_profiles_js_1.getAgentSandboxConfig)(agentType);
|
|
105
|
+
const sandboxConfig = {
|
|
106
|
+
...types_js_1.DEFAULT_SANDBOX_CONFIG,
|
|
107
|
+
...profileConfig,
|
|
108
|
+
...customConfig,
|
|
109
|
+
};
|
|
110
|
+
// Build container create options
|
|
111
|
+
const createOptions = this.buildContainerOptions(agentId, agentType, sandboxConfig);
|
|
112
|
+
// Create container
|
|
113
|
+
const container = await this.docker.createContainer(createOptions);
|
|
114
|
+
const containerId = container.id;
|
|
115
|
+
// Build container info
|
|
116
|
+
const containerInfo = {
|
|
117
|
+
containerId,
|
|
118
|
+
agentId,
|
|
119
|
+
agentType,
|
|
120
|
+
status: 'creating',
|
|
121
|
+
createdAt: new Date(),
|
|
122
|
+
labels: createOptions.Labels,
|
|
123
|
+
};
|
|
124
|
+
this.containers.set(containerId, containerInfo);
|
|
125
|
+
// Start container
|
|
126
|
+
await container.start();
|
|
127
|
+
containerInfo.status = 'running';
|
|
128
|
+
containerInfo.startedAt = new Date();
|
|
129
|
+
// Add to resource monitoring
|
|
130
|
+
this.resourceMonitor.addContainer(containerId, agentId, agentType);
|
|
131
|
+
// Emit event
|
|
132
|
+
await this.emitEvent({
|
|
133
|
+
type: 'created',
|
|
134
|
+
containerId,
|
|
135
|
+
agentId,
|
|
136
|
+
agentType,
|
|
137
|
+
timestamp: new Date(),
|
|
138
|
+
details: { config: sandboxConfig },
|
|
139
|
+
});
|
|
140
|
+
await this.emitEvent({
|
|
141
|
+
type: 'started',
|
|
142
|
+
containerId,
|
|
143
|
+
agentId,
|
|
144
|
+
agentType,
|
|
145
|
+
timestamp: new Date(),
|
|
146
|
+
});
|
|
147
|
+
return {
|
|
148
|
+
success: true,
|
|
149
|
+
container: containerInfo,
|
|
150
|
+
};
|
|
151
|
+
}
|
|
152
|
+
catch (error) {
|
|
153
|
+
const errorMessage = error.message;
|
|
154
|
+
return {
|
|
155
|
+
success: false,
|
|
156
|
+
error: `Failed to create sandbox: ${errorMessage}`,
|
|
157
|
+
};
|
|
158
|
+
}
|
|
159
|
+
}
|
|
160
|
+
/**
|
|
161
|
+
* Destroy a sandboxed container
|
|
162
|
+
*/
|
|
163
|
+
async destroySandbox(containerId, force = false) {
|
|
164
|
+
try {
|
|
165
|
+
const containerInfo = this.containers.get(containerId);
|
|
166
|
+
if (!containerInfo) {
|
|
167
|
+
return {
|
|
168
|
+
success: false,
|
|
169
|
+
containerId,
|
|
170
|
+
error: 'Container not found',
|
|
171
|
+
};
|
|
172
|
+
}
|
|
173
|
+
const container = this.docker.getContainer(containerId);
|
|
174
|
+
// Update status
|
|
175
|
+
containerInfo.status = 'removing';
|
|
176
|
+
// Stop container
|
|
177
|
+
try {
|
|
178
|
+
await container.stop({ t: force ? 0 : 10 });
|
|
179
|
+
}
|
|
180
|
+
catch (error) {
|
|
181
|
+
// Container might already be stopped
|
|
182
|
+
if (!error.message?.includes('is not running')) {
|
|
183
|
+
throw error;
|
|
184
|
+
}
|
|
185
|
+
}
|
|
186
|
+
// Remove container
|
|
187
|
+
await container.remove({ force });
|
|
188
|
+
// Remove from tracking
|
|
189
|
+
this.containers.delete(containerId);
|
|
190
|
+
this.resourceMonitor.removeContainer(containerId);
|
|
191
|
+
// Emit event
|
|
192
|
+
await this.emitEvent({
|
|
193
|
+
type: 'destroyed',
|
|
194
|
+
containerId,
|
|
195
|
+
agentId: containerInfo.agentId,
|
|
196
|
+
agentType: containerInfo.agentType,
|
|
197
|
+
timestamp: new Date(),
|
|
198
|
+
});
|
|
199
|
+
return {
|
|
200
|
+
success: true,
|
|
201
|
+
containerId,
|
|
202
|
+
forced: force,
|
|
203
|
+
};
|
|
204
|
+
}
|
|
205
|
+
catch (error) {
|
|
206
|
+
return {
|
|
207
|
+
success: false,
|
|
208
|
+
containerId,
|
|
209
|
+
error: `Failed to destroy sandbox: ${error.message}`,
|
|
210
|
+
};
|
|
211
|
+
}
|
|
212
|
+
}
|
|
213
|
+
/**
|
|
214
|
+
* Destroy all sandboxed containers
|
|
215
|
+
*/
|
|
216
|
+
async destroyAll() {
|
|
217
|
+
const results = [];
|
|
218
|
+
for (const containerId of this.containers.keys()) {
|
|
219
|
+
const result = await this.destroySandbox(containerId, true);
|
|
220
|
+
results.push(result);
|
|
221
|
+
}
|
|
222
|
+
return results;
|
|
223
|
+
}
|
|
224
|
+
/**
|
|
225
|
+
* Get resource usage for a container
|
|
226
|
+
*/
|
|
227
|
+
async getResourceUsage(containerId) {
|
|
228
|
+
return this.resourceMonitor.getStats(containerId);
|
|
229
|
+
}
|
|
230
|
+
/**
|
|
231
|
+
* List all sandboxed containers
|
|
232
|
+
*/
|
|
233
|
+
listSandboxes() {
|
|
234
|
+
return Array.from(this.containers.values());
|
|
235
|
+
}
|
|
236
|
+
/**
|
|
237
|
+
* Get container info by ID
|
|
238
|
+
*/
|
|
239
|
+
getContainer(containerId) {
|
|
240
|
+
return this.containers.get(containerId);
|
|
241
|
+
}
|
|
242
|
+
/**
|
|
243
|
+
* Get container by agent ID
|
|
244
|
+
*/
|
|
245
|
+
getContainerByAgentId(agentId) {
|
|
246
|
+
for (const container of this.containers.values()) {
|
|
247
|
+
if (container.agentId === agentId) {
|
|
248
|
+
return container;
|
|
249
|
+
}
|
|
250
|
+
}
|
|
251
|
+
return undefined;
|
|
252
|
+
}
|
|
253
|
+
/**
|
|
254
|
+
* Check container health
|
|
255
|
+
*/
|
|
256
|
+
async healthCheck(containerId) {
|
|
257
|
+
const startTime = Date.now();
|
|
258
|
+
try {
|
|
259
|
+
const container = this.docker.getContainer(containerId);
|
|
260
|
+
const inspection = await container.inspect();
|
|
261
|
+
const healthy = inspection.State.Running && !inspection.State.OOMKilled;
|
|
262
|
+
return {
|
|
263
|
+
healthy,
|
|
264
|
+
containerId,
|
|
265
|
+
status: inspection.State.Status,
|
|
266
|
+
responseTimeMs: Date.now() - startTime,
|
|
267
|
+
checkedAt: new Date(),
|
|
268
|
+
};
|
|
269
|
+
}
|
|
270
|
+
catch (error) {
|
|
271
|
+
const containerInfo = this.containers.get(containerId);
|
|
272
|
+
await this.emitEvent({
|
|
273
|
+
type: 'health_check_failed',
|
|
274
|
+
containerId,
|
|
275
|
+
agentId: containerInfo?.agentId || 'unknown',
|
|
276
|
+
agentType: containerInfo?.agentType || 'unknown',
|
|
277
|
+
timestamp: new Date(),
|
|
278
|
+
error: error.message,
|
|
279
|
+
});
|
|
280
|
+
return {
|
|
281
|
+
healthy: false,
|
|
282
|
+
containerId,
|
|
283
|
+
status: 'error',
|
|
284
|
+
checkedAt: new Date(),
|
|
285
|
+
};
|
|
286
|
+
}
|
|
287
|
+
}
|
|
288
|
+
/**
|
|
289
|
+
* Execute a command in a container
|
|
290
|
+
*/
|
|
291
|
+
async exec(containerId, command) {
|
|
292
|
+
const container = this.docker.getContainer(containerId);
|
|
293
|
+
const exec = await container.exec({
|
|
294
|
+
Cmd: command,
|
|
295
|
+
AttachStdout: true,
|
|
296
|
+
AttachStderr: true,
|
|
297
|
+
});
|
|
298
|
+
const stream = await exec.start({ hijack: true, stdin: false });
|
|
299
|
+
return new Promise((resolve, reject) => {
|
|
300
|
+
let output = '';
|
|
301
|
+
stream.on('data', (chunk) => {
|
|
302
|
+
// Docker multiplexes stdout/stderr, skip the 8-byte header
|
|
303
|
+
output += chunk.slice(8).toString();
|
|
304
|
+
});
|
|
305
|
+
stream.on('end', async () => {
|
|
306
|
+
try {
|
|
307
|
+
const inspection = await exec.inspect();
|
|
308
|
+
resolve({
|
|
309
|
+
exitCode: inspection.ExitCode || 0,
|
|
310
|
+
output,
|
|
311
|
+
});
|
|
312
|
+
}
|
|
313
|
+
catch (error) {
|
|
314
|
+
reject(error);
|
|
315
|
+
}
|
|
316
|
+
});
|
|
317
|
+
stream.on('error', reject);
|
|
318
|
+
});
|
|
319
|
+
}
|
|
320
|
+
/**
|
|
321
|
+
* Get container logs
|
|
322
|
+
*/
|
|
323
|
+
async getLogs(containerId, options = {}) {
|
|
324
|
+
const container = this.docker.getContainer(containerId);
|
|
325
|
+
const logs = await container.logs({
|
|
326
|
+
stdout: true,
|
|
327
|
+
stderr: true,
|
|
328
|
+
tail: options.tail || 100,
|
|
329
|
+
since: options.since,
|
|
330
|
+
});
|
|
331
|
+
return logs.toString();
|
|
332
|
+
}
|
|
333
|
+
/**
|
|
334
|
+
* Add event handler
|
|
335
|
+
*/
|
|
336
|
+
on(handler) {
|
|
337
|
+
this.eventHandlers.push(handler);
|
|
338
|
+
}
|
|
339
|
+
/**
|
|
340
|
+
* Remove event handler
|
|
341
|
+
*/
|
|
342
|
+
off(handler) {
|
|
343
|
+
const index = this.eventHandlers.indexOf(handler);
|
|
344
|
+
if (index !== -1) {
|
|
345
|
+
this.eventHandlers.splice(index, 1);
|
|
346
|
+
}
|
|
347
|
+
}
|
|
348
|
+
/**
|
|
349
|
+
* Check if Docker is available
|
|
350
|
+
*/
|
|
351
|
+
async isDockerAvailable() {
|
|
352
|
+
try {
|
|
353
|
+
await this.docker.ping();
|
|
354
|
+
return true;
|
|
355
|
+
}
|
|
356
|
+
catch {
|
|
357
|
+
return false;
|
|
358
|
+
}
|
|
359
|
+
}
|
|
360
|
+
/**
|
|
361
|
+
* Get manager status
|
|
362
|
+
*/
|
|
363
|
+
getStatus() {
|
|
364
|
+
return {
|
|
365
|
+
initialized: this.isInitialized,
|
|
366
|
+
dockerAvailable: this.isInitialized,
|
|
367
|
+
containerCount: this.containers.size,
|
|
368
|
+
networkId: this.networkId,
|
|
369
|
+
};
|
|
370
|
+
}
|
|
371
|
+
// ============================================
|
|
372
|
+
// Private Methods
|
|
373
|
+
// ============================================
|
|
374
|
+
/**
|
|
375
|
+
* Build Docker container create options
|
|
376
|
+
*/
|
|
377
|
+
buildContainerOptions(agentId, agentType, config) {
|
|
378
|
+
const image = `${this.config.agentImage}:${this.config.imageTag || 'latest'}`;
|
|
379
|
+
// Parse memory limits
|
|
380
|
+
const memoryBytes = this.parseMemory(config.memoryLimit);
|
|
381
|
+
const memorySwapBytes = this.parseMemory(config.memorySwapLimit);
|
|
382
|
+
// Build labels
|
|
383
|
+
const labels = {
|
|
384
|
+
'agentic-qe.agent-id': agentId,
|
|
385
|
+
'agentic-qe.agent-type': agentType,
|
|
386
|
+
'agentic-qe.sandbox': 'true',
|
|
387
|
+
'agentic-qe.created-at': new Date().toISOString(),
|
|
388
|
+
...config.labels,
|
|
389
|
+
};
|
|
390
|
+
// Build environment
|
|
391
|
+
const env = Object.entries(config.environment || {}).map(([k, v]) => `${k}=${v}`);
|
|
392
|
+
env.push(`AGENT_ID=${agentId}`);
|
|
393
|
+
env.push(`AGENT_TYPE=${agentType}`);
|
|
394
|
+
// Build host config
|
|
395
|
+
const hostConfig = {
|
|
396
|
+
// CPU limits
|
|
397
|
+
CpuQuota: config.cpuLimit * 100000, // 100000 = 1 CPU
|
|
398
|
+
CpuPeriod: 100000,
|
|
399
|
+
// Memory limits
|
|
400
|
+
Memory: memoryBytes,
|
|
401
|
+
MemorySwap: memorySwapBytes,
|
|
402
|
+
// Security
|
|
403
|
+
ReadonlyRootfs: config.readOnlyRootFs,
|
|
404
|
+
SecurityOpt: ['no-new-privileges:true'],
|
|
405
|
+
CapDrop: ['ALL'],
|
|
406
|
+
// Logging
|
|
407
|
+
LogConfig: this.config.enableLogging
|
|
408
|
+
? {
|
|
409
|
+
Type: this.config.logDriver,
|
|
410
|
+
Config: {
|
|
411
|
+
'max-size': this.config.logMaxSize || '10m',
|
|
412
|
+
'max-file': String(this.config.logMaxFiles || 3),
|
|
413
|
+
},
|
|
414
|
+
}
|
|
415
|
+
: { Type: 'none', Config: {} },
|
|
416
|
+
// Tmpfs for writable directories
|
|
417
|
+
Tmpfs: {
|
|
418
|
+
'/tmp': 'size=100m',
|
|
419
|
+
'/app/tmp': 'size=50m',
|
|
420
|
+
},
|
|
421
|
+
// Network
|
|
422
|
+
NetworkMode: config.networkMode === 'host'
|
|
423
|
+
? 'host'
|
|
424
|
+
: config.networkMode === 'isolated'
|
|
425
|
+
? 'none'
|
|
426
|
+
: this.config.networkName || 'bridge',
|
|
427
|
+
// Restart policy
|
|
428
|
+
RestartPolicy: {
|
|
429
|
+
Name: 'on-failure',
|
|
430
|
+
MaximumRetryCount: 3,
|
|
431
|
+
},
|
|
432
|
+
};
|
|
433
|
+
// Add seccomp profile if specified
|
|
434
|
+
if (config.seccompProfile) {
|
|
435
|
+
hostConfig.SecurityOpt?.push(`seccomp=${config.seccompProfile}`);
|
|
436
|
+
}
|
|
437
|
+
// Add volumes
|
|
438
|
+
if (config.volumes) {
|
|
439
|
+
hostConfig.Binds = config.volumes.map((v) => `${v.source}:${v.target}${v.readOnly ? ':ro' : ''}`);
|
|
440
|
+
}
|
|
441
|
+
return {
|
|
442
|
+
Image: image,
|
|
443
|
+
name: `agentic-qe-${agentType}-${agentId.substring(0, 8)}`,
|
|
444
|
+
Labels: labels,
|
|
445
|
+
Env: env,
|
|
446
|
+
User: config.user,
|
|
447
|
+
WorkingDir: config.workingDir || '/app',
|
|
448
|
+
HostConfig: hostConfig,
|
|
449
|
+
Healthcheck: {
|
|
450
|
+
Test: ['CMD', 'node', '-e', 'process.exit(0)'],
|
|
451
|
+
Interval: this.config.healthCheckIntervalMs * 1000000, // nanoseconds
|
|
452
|
+
Timeout: 10000000000, // 10 seconds
|
|
453
|
+
Retries: 3,
|
|
454
|
+
StartPeriod: 5000000000, // 5 seconds
|
|
455
|
+
},
|
|
456
|
+
};
|
|
457
|
+
}
|
|
458
|
+
/**
|
|
459
|
+
* Ensure sandbox network exists
|
|
460
|
+
*/
|
|
461
|
+
async ensureNetwork() {
|
|
462
|
+
const networkName = this.config.networkName;
|
|
463
|
+
try {
|
|
464
|
+
// Check if network exists
|
|
465
|
+
const networks = await this.docker.listNetworks({
|
|
466
|
+
filters: { name: [networkName] },
|
|
467
|
+
});
|
|
468
|
+
if (networks.length > 0) {
|
|
469
|
+
this.networkId = networks[0].Id;
|
|
470
|
+
return;
|
|
471
|
+
}
|
|
472
|
+
// Create network
|
|
473
|
+
const network = await this.docker.createNetwork({
|
|
474
|
+
Name: networkName,
|
|
475
|
+
Driver: 'bridge',
|
|
476
|
+
Internal: true, // Isolated from external network
|
|
477
|
+
Labels: {
|
|
478
|
+
'agentic-qe.sandbox-network': 'true',
|
|
479
|
+
},
|
|
480
|
+
});
|
|
481
|
+
this.networkId = network.id;
|
|
482
|
+
}
|
|
483
|
+
catch (error) {
|
|
484
|
+
console.warn(`Failed to ensure network ${networkName}:`, error);
|
|
485
|
+
}
|
|
486
|
+
}
|
|
487
|
+
/**
|
|
488
|
+
* Parse memory string to bytes
|
|
489
|
+
*/
|
|
490
|
+
parseMemory(memStr) {
|
|
491
|
+
const match = memStr.toLowerCase().match(/^(\d+(?:\.\d+)?)\s*([kmgt]?)$/);
|
|
492
|
+
if (!match) {
|
|
493
|
+
throw new Error(`Invalid memory string: ${memStr}`);
|
|
494
|
+
}
|
|
495
|
+
const value = parseFloat(match[1]);
|
|
496
|
+
const unit = match[2] || '';
|
|
497
|
+
const multipliers = {
|
|
498
|
+
'': 1,
|
|
499
|
+
k: 1024,
|
|
500
|
+
m: 1024 * 1024,
|
|
501
|
+
g: 1024 * 1024 * 1024,
|
|
502
|
+
t: 1024 * 1024 * 1024 * 1024,
|
|
503
|
+
};
|
|
504
|
+
return Math.floor(value * multipliers[unit]);
|
|
505
|
+
}
|
|
506
|
+
/**
|
|
507
|
+
* Emit event to all handlers
|
|
508
|
+
*/
|
|
509
|
+
async emitEvent(event) {
|
|
510
|
+
for (const handler of this.eventHandlers) {
|
|
511
|
+
try {
|
|
512
|
+
await handler(event);
|
|
513
|
+
}
|
|
514
|
+
catch (error) {
|
|
515
|
+
console.error('Error in sandbox event handler:', error);
|
|
516
|
+
}
|
|
517
|
+
}
|
|
518
|
+
}
|
|
519
|
+
}
|
|
520
|
+
exports.SandboxManager = SandboxManager;
|
|
521
|
+
/**
|
|
522
|
+
* Create a new SandboxManager instance
|
|
523
|
+
*/
|
|
524
|
+
function createSandboxManager(config) {
|
|
525
|
+
return new SandboxManager(config);
|
|
526
|
+
}
|
|
527
|
+
//# sourceMappingURL=SandboxManager.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"SandboxManager.js","sourceRoot":"","sources":["../../../src/infrastructure/sandbox/SandboxManager.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;;;;AA4mBH,oDAEC;AA5mBD,0DAA+B;AAa/B,yCAAoD;AACpD,oEAAqE;AACrE,6DAAuD;AAEvD;;GAEG;AACH,MAAM,sBAAsB,GAAyB;IACnD,UAAU,EAAE,kBAAkB;IAC9B,QAAQ,EAAE,QAAQ;IAClB,WAAW,EAAE,oBAAoB;IACjC,aAAa,EAAE,IAAI;IACnB,SAAS,EAAE,WAAW;IACtB,UAAU,EAAE,KAAK;IACjB,WAAW,EAAE,CAAC;IACd,iBAAiB,EAAE,IAAI;IACvB,qBAAqB,EAAE,KAAK;CAC7B,CAAC;AAEF;;GAEG;AACH,MAAa,cAAc;IASzB,YAAY,SAAwC,EAAE;QAJ9C,kBAAa,GAA0B,EAAE,CAAC;QAC1C,kBAAa,GAAY,KAAK,CAAC;QAC/B,cAAS,GAAkB,IAAI,CAAC;QAGtC,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,sBAAsB,EAAE,GAAG,MAAM,EAAE,CAAC;QAEvD,2BAA2B;QAC3B,MAAM,aAAa,GAAyB,EAAE,CAAC;QAC/C,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;YACjC,aAAa,CAAC,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC;QAC1D,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAClC,aAAa,CAAC,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;QAC9C,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC9B,aAAa,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;QACpD,CAAC;QAED,IAAI,CAAC,MAAM,GAAG,IAAI,mBAAM,CAAC,aAAa,CAAC,CAAC;QACxC,IAAI,CAAC,UAAU,GAAG,IAAI,GAAG,EAAE,CAAC;QAC5B,IAAI,CAAC,eAAe,GAAG,IAAI,oCAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAExD,kCAAkC;QAClC,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,aAAa;YAAE,OAAO;QAE/B,IAAI,CAAC;YACH,2BAA2B;YAC3B,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAEzB,mCAAmC;YACnC,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC5B,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;YAC7B,CAAC;YAED,4BAA4B;YAC5B,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YAE7B,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAC5B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,wCAAyC,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,QAAQ;QACZ,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;QAE5B,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAClC,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC,aAAa,GAAG,KAAK,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,OAAe,EACf,SAAiB,EACjB,YAAqC;QAErC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC;YACH,kDAAkD;YAClD,MAAM,aAAa,GAAG,IAAA,yCAAqB,EAAC,SAAS,CAAC,CAAC;YACvD,MAAM,aAAa,GAAkB;gBACnC,GAAG,iCAAsB;gBACzB,GAAG,aAAa;gBAChB,GAAG,YAAY;aAChB,CAAC;YAEF,iCAAiC;YACjC,MAAM,aAAa,GAAG,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;YAEpF,mBAAmB;YACnB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;YACnE,MAAM,WAAW,GAAG,SAAS,CAAC,EAAE,CAAC;YAEjC,uBAAuB;YACvB,MAAM,aAAa,GAAkB;gBACnC,WAAW;gBACX,OAAO;gBACP,SAAS;gBACT,MAAM,EAAE,UAAU;gBAClB,SAAS,EAAE,IAAI,IAAI,EAAE;gBACrB,MAAM,EAAE,aAAa,CAAC,MAAM;aAC7B,CAAC;YAEF,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;YAEhD,kBAAkB;YAClB,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;YACxB,aAAa,CAAC,MAAM,GAAG,SAAS,CAAC;YACjC,aAAa,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;YAErC,6BAA6B;YAC7B,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;YAEnE,aAAa;YACb,MAAM,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI,EAAE,SAAS;gBACf,WAAW;gBACX,OAAO;gBACP,SAAS;gBACT,SAAS,EAAE,IAAI,IAAI,EAAE;gBACrB,OAAO,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE;aACnC,CAAC,CAAC;YAEH,MAAM,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI,EAAE,SAAS;gBACf,WAAW;gBACX,OAAO;gBACP,SAAS;gBACT,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC,CAAC;YAEH,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,aAAa;aACzB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAI,KAAe,CAAC,OAAO,CAAC;YAC9C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,6BAA6B,YAAY,EAAE;aACnD,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,WAAmB,EAAE,QAAiB,KAAK;QAC9D,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YACvD,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,WAAW;oBACX,KAAK,EAAE,qBAAqB;iBAC7B,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;YAExD,gBAAgB;YAChB,aAAa,CAAC,MAAM,GAAG,UAAU,CAAC;YAElC,iBAAiB;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC9C,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,qCAAqC;gBACrC,IAAI,CAAE,KAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;oBAC1D,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;YAED,mBAAmB;YACnB,MAAM,SAAS,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;YAElC,uBAAuB;YACvB,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACpC,IAAI,CAAC,eAAe,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;YAElD,aAAa;YACb,MAAM,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI,EAAE,WAAW;gBACjB,WAAW;gBACX,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,SAAS,EAAE,aAAa,CAAC,SAAS;gBAClC,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC,CAAC;YAEH,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,WAAW;gBACX,MAAM,EAAE,KAAK;aACd,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW;gBACX,KAAK,EAAE,8BAA+B,KAAe,CAAC,OAAO,EAAE;aAChE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,MAAM,OAAO,GAA2B,EAAE,CAAC;QAE3C,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC;YACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;YAC5D,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,WAAmB;QACxC,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,aAAa;QACX,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,WAAmB;QAC9B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,qBAAqB,CAAC,OAAe;QACnC,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC;YACjD,IAAI,SAAS,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBAClC,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,WAAmB;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;YACxD,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;YAE7C,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC;YAExE,OAAO;gBACL,OAAO;gBACP,WAAW;gBACX,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,MAAM;gBAC/B,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBACtC,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAEvD,MAAM,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI,EAAE,qBAAqB;gBAC3B,WAAW;gBACX,OAAO,EAAE,aAAa,EAAE,OAAO,IAAI,SAAS;gBAC5C,SAAS,EAAE,aAAa,EAAE,SAAS,IAAI,SAAS;gBAChD,SAAS,EAAE,IAAI,IAAI,EAAE;gBACrB,KAAK,EAAG,KAAe,CAAC,OAAO;aAChC,CAAC,CAAC;YAEH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW;gBACX,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI,CACR,WAAmB,EACnB,OAAiB;QAEjB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAExD,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC;YAChC,GAAG,EAAE,OAAO;YACZ,YAAY,EAAE,IAAI;YAClB,YAAY,EAAE,IAAI;SACnB,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QAEhE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,MAAM,GAAG,EAAE,CAAC;YAEhB,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBAClC,2DAA2D;gBAC3D,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;YACtC,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE;gBAC1B,IAAI,CAAC;oBACH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;oBACxC,OAAO,CAAC;wBACN,QAAQ,EAAE,UAAU,CAAC,QAAQ,IAAI,CAAC;wBAClC,MAAM;qBACP,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,KAAK,CAAC,CAAC;gBAChB,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CACX,WAAmB,EACnB,UAA6C,EAAE;QAE/C,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAExD,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC;YAChC,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,IAAI;YACZ,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,GAAG;YACzB,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,EAAE,CAAC,OAA4B;QAC7B,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,OAA4B;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;YACjB,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB;QACrB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,SAAS;QAMP,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,aAAa;YAC/B,eAAe,EAAE,IAAI,CAAC,aAAa;YACnC,cAAc,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI;YACpC,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC;IACJ,CAAC;IAED,+CAA+C;IAC/C,kBAAkB;IAClB,+CAA+C;IAE/C;;OAEG;IACK,qBAAqB,CAC3B,OAAe,EACf,SAAiB,EACjB,MAAqB;QAErB,MAAM,KAAK,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,QAAQ,EAAE,CAAC;QAE9E,sBAAsB;QACtB,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACzD,MAAM,eAAe,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAEjE,eAAe;QACf,MAAM,MAAM,GAA2B;YACrC,qBAAqB,EAAE,OAAO;YAC9B,uBAAuB,EAAE,SAAS;YAClC,oBAAoB,EAAE,MAAM;YAC5B,uBAAuB,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACjD,GAAG,MAAM,CAAC,MAAM;SACjB,CAAC;QAEF,oBAAoB;QACpB,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAClF,GAAG,CAAC,IAAI,CAAC,YAAY,OAAO,EAAE,CAAC,CAAC;QAChC,GAAG,CAAC,IAAI,CAAC,cAAc,SAAS,EAAE,CAAC,CAAC;QAEpC,oBAAoB;QACpB,MAAM,UAAU,GAAsB;YACpC,aAAa;YACb,QAAQ,EAAE,MAAM,CAAC,QAAQ,GAAG,MAAM,EAAE,iBAAiB;YACrD,SAAS,EAAE,MAAM;YAEjB,gBAAgB;YAChB,MAAM,EAAE,WAAW;YACnB,UAAU,EAAE,eAAe;YAE3B,WAAW;YACX,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,WAAW,EAAE,CAAC,wBAAwB,CAAC;YACvC,OAAO,EAAE,CAAC,KAAK,CAAC;YAEhB,UAAU;YACV,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;gBAClC,CAAC,CAAC;oBACE,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,SAAwB;oBAC1C,MAAM,EAAE;wBACN,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,KAAK;wBAC3C,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,CAAC,CAAC;qBACjD;iBACF;gBACH,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE;YAEhC,iCAAiC;YACjC,KAAK,EAAE;gBACL,MAAM,EAAE,WAAW;gBACnB,UAAU,EAAE,UAAU;aACvB;YAED,UAAU;YACV,WAAW,EACT,MAAM,CAAC,WAAW,KAAK,MAAM;gBAC3B,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,MAAM,CAAC,WAAW,KAAK,UAAU;oBACjC,CAAC,CAAC,MAAM;oBACR,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,QAAQ;YAE3C,iBAAiB;YACjB,aAAa,EAAE;gBACb,IAAI,EAAE,YAAY;gBAClB,iBAAiB,EAAE,CAAC;aACrB;SACF,CAAC;QAEF,mCAAmC;QACnC,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;YAC1B,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,WAAW,MAAM,CAAC,cAAc,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,cAAc;QACd,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,UAAU,CAAC,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAC3D,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,IAAI,EAAE,cAAc,SAAS,IAAI,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;YAC1D,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,GAAG;YACR,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,MAAM;YACvC,UAAU,EAAE,UAAU;YACtB,WAAW,EAAE;gBACX,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,CAAC;gBAC9C,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,qBAAsB,GAAG,OAAO,EAAE,cAAc;gBACtE,OAAO,EAAE,WAAW,EAAE,aAAa;gBACnC,OAAO,EAAE,CAAC;gBACV,WAAW,EAAE,UAAU,EAAE,YAAY;aACtC;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,aAAa;QACzB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,WAAY,CAAC;QAE7C,IAAI,CAAC;YACH,0BAA0B;YAC1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;gBAC9C,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,WAAW,CAAC,EAAE;aACjC,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChC,OAAO;YACT,CAAC;YAED,iBAAiB;YACjB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;gBAC9C,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,QAAQ;gBAChB,QAAQ,EAAE,IAAI,EAAE,iCAAiC;gBACjD,MAAM,EAAE;oBACN,4BAA4B,EAAE,MAAM;iBACrC;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,EAAE,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,4BAA4B,WAAW,GAAG,EAAE,KAAK,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,MAAc;QAChC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAC1E,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,EAAE,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAE5B,MAAM,WAAW,GAA2B;YAC1C,EAAE,EAAE,CAAC;YACL,CAAC,EAAE,IAAI;YACP,CAAC,EAAE,IAAI,GAAG,IAAI;YACd,CAAC,EAAE,IAAI,GAAG,IAAI,GAAG,IAAI;YACrB,CAAC,EAAE,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI;SAC7B,CAAC;QAEF,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,KAAmB;QACzC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAlkBD,wCAkkBC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,MAAsC;IACzE,OAAO,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC"}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Docker-Based Agent Sandboxing Infrastructure
|
|
3
|
+
*
|
|
4
|
+
* Provides secure, isolated execution environments for QE agents with:
|
|
5
|
+
* - Resource limits enforced by cgroups
|
|
6
|
+
* - Network isolation and domain whitelisting
|
|
7
|
+
* - Read-only root filesystem
|
|
8
|
+
* - Non-root user execution
|
|
9
|
+
* - Resource monitoring and OOM prevention
|
|
10
|
+
*
|
|
11
|
+
* @module infrastructure/sandbox
|
|
12
|
+
* @see Issue #146 - Security Hardening: Docker Sandboxing
|
|
13
|
+
*/
|
|
14
|
+
export { type SandboxConfig, type SandboxManagerConfig, type ContainerInfo, type ContainerStatus, type ResourceStats, type SandboxCreateResult, type SandboxDestroyResult, type HealthCheckResult, type SandboxEvent, type SandboxEventType, type SandboxEventHandler, type NetworkMode, type VolumeMount, DEFAULT_SANDBOX_CONFIG, parseMemoryString, formatBytes, } from './types.js';
|
|
15
|
+
export { SandboxManager, createSandboxManager } from './SandboxManager.js';
|
|
16
|
+
export { ResourceMonitor, type ResourceMonitorConfig, type ResourceThresholds, DEFAULT_THRESHOLDS, DEFAULT_MONITOR_CONFIG, } from './ResourceMonitor.js';
|
|
17
|
+
export { AGENT_PROFILES, type AgentProfile, getAgentProfile, getAgentSandboxConfig, listAgentProfiles, validateConfigAgainstProfile, } from './profiles/agent-profiles.js';
|
|
18
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/sandbox/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,oBAAoB,EACzB,KAAK,aAAa,EAClB,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,EACxB,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,sBAAsB,EACtB,iBAAiB,EACjB,WAAW,GACZ,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3E,OAAO,EACL,eAAe,EACf,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,EACvB,kBAAkB,EAClB,sBAAsB,GACvB,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,cAAc,EACd,KAAK,YAAY,EACjB,eAAe,EACf,qBAAqB,EACrB,iBAAiB,EACjB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC"}
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Docker-Based Agent Sandboxing Infrastructure
|
|
4
|
+
*
|
|
5
|
+
* Provides secure, isolated execution environments for QE agents with:
|
|
6
|
+
* - Resource limits enforced by cgroups
|
|
7
|
+
* - Network isolation and domain whitelisting
|
|
8
|
+
* - Read-only root filesystem
|
|
9
|
+
* - Non-root user execution
|
|
10
|
+
* - Resource monitoring and OOM prevention
|
|
11
|
+
*
|
|
12
|
+
* @module infrastructure/sandbox
|
|
13
|
+
* @see Issue #146 - Security Hardening: Docker Sandboxing
|
|
14
|
+
*/
|
|
15
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
16
|
+
exports.validateConfigAgainstProfile = exports.listAgentProfiles = exports.getAgentSandboxConfig = exports.getAgentProfile = exports.AGENT_PROFILES = exports.DEFAULT_MONITOR_CONFIG = exports.DEFAULT_THRESHOLDS = exports.ResourceMonitor = exports.createSandboxManager = exports.SandboxManager = exports.formatBytes = exports.parseMemoryString = exports.DEFAULT_SANDBOX_CONFIG = void 0;
|
|
17
|
+
// Types
|
|
18
|
+
var types_js_1 = require("./types.js");
|
|
19
|
+
Object.defineProperty(exports, "DEFAULT_SANDBOX_CONFIG", { enumerable: true, get: function () { return types_js_1.DEFAULT_SANDBOX_CONFIG; } });
|
|
20
|
+
Object.defineProperty(exports, "parseMemoryString", { enumerable: true, get: function () { return types_js_1.parseMemoryString; } });
|
|
21
|
+
Object.defineProperty(exports, "formatBytes", { enumerable: true, get: function () { return types_js_1.formatBytes; } });
|
|
22
|
+
// SandboxManager
|
|
23
|
+
var SandboxManager_js_1 = require("./SandboxManager.js");
|
|
24
|
+
Object.defineProperty(exports, "SandboxManager", { enumerable: true, get: function () { return SandboxManager_js_1.SandboxManager; } });
|
|
25
|
+
Object.defineProperty(exports, "createSandboxManager", { enumerable: true, get: function () { return SandboxManager_js_1.createSandboxManager; } });
|
|
26
|
+
// ResourceMonitor
|
|
27
|
+
var ResourceMonitor_js_1 = require("./ResourceMonitor.js");
|
|
28
|
+
Object.defineProperty(exports, "ResourceMonitor", { enumerable: true, get: function () { return ResourceMonitor_js_1.ResourceMonitor; } });
|
|
29
|
+
Object.defineProperty(exports, "DEFAULT_THRESHOLDS", { enumerable: true, get: function () { return ResourceMonitor_js_1.DEFAULT_THRESHOLDS; } });
|
|
30
|
+
Object.defineProperty(exports, "DEFAULT_MONITOR_CONFIG", { enumerable: true, get: function () { return ResourceMonitor_js_1.DEFAULT_MONITOR_CONFIG; } });
|
|
31
|
+
// Agent Profiles
|
|
32
|
+
var agent_profiles_js_1 = require("./profiles/agent-profiles.js");
|
|
33
|
+
Object.defineProperty(exports, "AGENT_PROFILES", { enumerable: true, get: function () { return agent_profiles_js_1.AGENT_PROFILES; } });
|
|
34
|
+
Object.defineProperty(exports, "getAgentProfile", { enumerable: true, get: function () { return agent_profiles_js_1.getAgentProfile; } });
|
|
35
|
+
Object.defineProperty(exports, "getAgentSandboxConfig", { enumerable: true, get: function () { return agent_profiles_js_1.getAgentSandboxConfig; } });
|
|
36
|
+
Object.defineProperty(exports, "listAgentProfiles", { enumerable: true, get: function () { return agent_profiles_js_1.listAgentProfiles; } });
|
|
37
|
+
Object.defineProperty(exports, "validateConfigAgainstProfile", { enumerable: true, get: function () { return agent_profiles_js_1.validateConfigAgainstProfile; } });
|
|
38
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/infrastructure/sandbox/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAEH,QAAQ;AACR,uCAiBoB;AAHlB,kHAAA,sBAAsB,OAAA;AACtB,6GAAA,iBAAiB,OAAA;AACjB,uGAAA,WAAW,OAAA;AAGb,iBAAiB;AACjB,yDAA2E;AAAlE,mHAAA,cAAc,OAAA;AAAE,yHAAA,oBAAoB,OAAA;AAE7C,kBAAkB;AAClB,2DAM8B;AAL5B,qHAAA,eAAe,OAAA;AAGf,wHAAA,kBAAkB,OAAA;AAClB,4HAAA,sBAAsB,OAAA;AAGxB,iBAAiB;AACjB,kEAOsC;AANpC,mHAAA,cAAc,OAAA;AAEd,oHAAA,eAAe,OAAA;AACf,0HAAA,qBAAqB,OAAA;AACrB,sHAAA,iBAAiB,OAAA;AACjB,iIAAA,4BAA4B,OAAA"}
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Agent Resource Profiles for Docker Sandboxing
|
|
3
|
+
*
|
|
4
|
+
* Defines resource limits and network policies for each QE agent type.
|
|
5
|
+
* Profiles are designed for security (minimal access) and stability (OOM prevention).
|
|
6
|
+
*
|
|
7
|
+
* @module infrastructure/sandbox/profiles/agent-profiles
|
|
8
|
+
* @see Issue #146 - Security Hardening: Docker Sandboxing
|
|
9
|
+
*/
|
|
10
|
+
import { SandboxConfig } from '../types.js';
|
|
11
|
+
/**
|
|
12
|
+
* Agent profile with sandbox configuration and metadata
|
|
13
|
+
*/
|
|
14
|
+
export interface AgentProfile {
|
|
15
|
+
/** Sandbox configuration */
|
|
16
|
+
config: SandboxConfig;
|
|
17
|
+
/** Profile description */
|
|
18
|
+
description: string;
|
|
19
|
+
/** Risk level for audit purposes */
|
|
20
|
+
riskLevel: 'low' | 'medium' | 'high';
|
|
21
|
+
/** Whether agent needs external network access */
|
|
22
|
+
requiresNetwork: boolean;
|
|
23
|
+
}
|
|
24
|
+
/**
|
|
25
|
+
* Resource profiles for all QE agents
|
|
26
|
+
*
|
|
27
|
+
* Each profile is tuned for the specific agent's requirements:
|
|
28
|
+
* - CPU: Based on computational needs
|
|
29
|
+
* - Memory: Based on data processing requirements
|
|
30
|
+
* - Network: Minimal domains required for operation
|
|
31
|
+
*/
|
|
32
|
+
export declare const AGENT_PROFILES: Record<string, AgentProfile>;
|
|
33
|
+
/**
|
|
34
|
+
* Get profile for an agent type
|
|
35
|
+
* Falls back to default if not found
|
|
36
|
+
*/
|
|
37
|
+
export declare function getAgentProfile(agentType: string): AgentProfile;
|
|
38
|
+
/**
|
|
39
|
+
* Get sandbox config for an agent type
|
|
40
|
+
*/
|
|
41
|
+
export declare function getAgentSandboxConfig(agentType: string): SandboxConfig;
|
|
42
|
+
/**
|
|
43
|
+
* List all available agent profiles
|
|
44
|
+
*/
|
|
45
|
+
export declare function listAgentProfiles(): string[];
|
|
46
|
+
/**
|
|
47
|
+
* Validate that a custom config doesn't exceed profile limits
|
|
48
|
+
*/
|
|
49
|
+
export declare function validateConfigAgainstProfile(agentType: string, config: Partial<SandboxConfig>): {
|
|
50
|
+
valid: boolean;
|
|
51
|
+
violations: string[];
|
|
52
|
+
};
|
|
53
|
+
//# sourceMappingURL=agent-profiles.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"agent-profiles.d.ts","sourceRoot":"","sources":["../../../../src/infrastructure/sandbox/profiles/agent-profiles.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,4BAA4B;IAC5B,MAAM,EAAE,aAAa,CAAC;IAEtB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IAEpB,oCAAoC;IACpC,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAErC,kDAAkD;IAClD,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAyYvD,CAAC;AAEF;;;GAGG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,YAAY,CAE/D;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,MAAM,GAAG,aAAa,CAEtE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,EAAE,CAE5C;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,GAC7B;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,MAAM,EAAE,CAAA;CAAE,CAuB1C"}
|