agentic-qe 2.8.1 → 2.8.2

package/dist/infrastructure/sandbox/SandboxManager.js

@@ -0,0 +1,527 @@
+"use strict";
+/**
+ * Sandbox Manager for Docker-Based Agent Isolation
+ *
+ * Manages the lifecycle of sandboxed agent containers with resource limits
+ * enforced by cgroups. Provides secure, isolated execution environments
+ * for QE agents.
+ *
+ * @module infrastructure/sandbox/SandboxManager
+ * @see Issue #146 - Security Hardening: Docker Sandboxing
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SandboxManager = void 0;
+exports.createSandboxManager = createSandboxManager;
+const dockerode_1 = __importDefault(require("dockerode"));
+const types_js_1 = require("./types.js");
+const agent_profiles_js_1 = require("./profiles/agent-profiles.js");
+const ResourceMonitor_js_1 = require("./ResourceMonitor.js");
+/**
+ * Default manager configuration
+ */
+const DEFAULT_MANAGER_CONFIG = {
+    agentImage: 'agentic-qe-agent',
+    imageTag: 'latest',
+    networkName: 'agentic-qe-sandbox',
+    enableLogging: true,
+    logDriver: 'json-file',
+    logMaxSize: '10m',
+    logMaxFiles: 3,
+    cleanupOnShutdown: true,
+    healthCheckIntervalMs: 30000,
+};
+/**
+ * SandboxManager manages Docker containers for secure agent execution
+ */
+class SandboxManager {
+    constructor(config = {}) {
+        this.eventHandlers = [];
+        this.isInitialized = false;
+        this.networkId = null;
+        this.config = { ...DEFAULT_MANAGER_CONFIG, ...config };
+        // Initialize Docker client
+        const dockerOptions = {};
+        if (this.config.dockerSocketPath) {
+            dockerOptions.socketPath = this.config.dockerSocketPath;
+        }
+        else if (this.config.dockerHost) {
+            dockerOptions.host = this.config.dockerHost;
+        }
+        if (this.config.dockerVersion) {
+            dockerOptions.version = this.config.dockerVersion;
+        }
+        this.docker = new dockerode_1.default(dockerOptions);
+        this.containers = new Map();
+        this.resourceMonitor = new ResourceMonitor_js_1.ResourceMonitor(this.docker);
+        // Forward resource monitor events
+        this.resourceMonitor.on((event) => this.emitEvent(event));
+    }
+    /**
+     * Initialize the sandbox manager
+     * Creates network if needed and validates Docker connection
+     */
+    async initialize() {
+        if (this.isInitialized)
+            return;
+        try {
+            // Verify Docker connection
+            await this.docker.ping();
+            // Create sandbox network if needed
+            if (this.config.networkName) {
+                await this.ensureNetwork();
+            }
+            // Start resource monitoring
+            this.resourceMonitor.start();
+            this.isInitialized = true;
+        }
+        catch (error) {
+            throw new Error(`Failed to initialize SandboxManager: ${error.message}`);
+        }
+    }
+    /**
+     * Shutdown the sandbox manager
+     * Optionally cleans up all containers
+     */
+    async shutdown() {
+        this.resourceMonitor.stop();
+        if (this.config.cleanupOnShutdown) {
+            await this.destroyAll();
+        }
+        this.isInitialized = false;
+    }
+    /**
+     * Create a sandboxed container for an agent
+     */
+    async createSandbox(agentId, agentType, customConfig) {
+        if (!this.isInitialized) {
+            await this.initialize();
+        }
+        try {
+            // Get profile config and merge with custom config
+            const profileConfig = (0, agent_profiles_js_1.getAgentSandboxConfig)(agentType);
+            const sandboxConfig = {
+                ...types_js_1.DEFAULT_SANDBOX_CONFIG,
+                ...profileConfig,
+                ...customConfig,
+            };
+            // Build container create options
+            const createOptions = this.buildContainerOptions(agentId, agentType, sandboxConfig);
+            // Create container
+            const container = await this.docker.createContainer(createOptions);
+            const containerId = container.id;
+            // Build container info
+            const containerInfo = {
+                containerId,
+                agentId,
+                agentType,
+                status: 'creating',
+                createdAt: new Date(),
+                labels: createOptions.Labels,
+            };
+            this.containers.set(containerId, containerInfo);
+            // Start container
+            await container.start();
+            containerInfo.status = 'running';
+            containerInfo.startedAt = new Date();
+            // Add to resource monitoring
+            this.resourceMonitor.addContainer(containerId, agentId, agentType);
+            // Emit event
+            await this.emitEvent({
+                type: 'created',
+                containerId,
+                agentId,
+                agentType,
+                timestamp: new Date(),
+                details: { config: sandboxConfig },
+            });
+            await this.emitEvent({
+                type: 'started',
+                containerId,
+                agentId,
+                agentType,
+                timestamp: new Date(),
+            });
+            return {
+                success: true,
+                container: containerInfo,
+            };
+        }
+        catch (error) {
+            const errorMessage = error.message;
+            return {
+                success: false,
+                error: `Failed to create sandbox: ${errorMessage}`,
+            };
+        }
+    }
+    /**
+     * Destroy a sandboxed container
+     */
+    async destroySandbox(containerId, force = false) {
+        try {
+            const containerInfo = this.containers.get(containerId);
+            if (!containerInfo) {
+                return {
+                    success: false,
+                    containerId,
+                    error: 'Container not found',
+                };
+            }
+            const container = this.docker.getContainer(containerId);
+            // Update status
+            containerInfo.status = 'removing';
+            // Stop container
+            try {
+                await container.stop({ t: force ? 0 : 10 });
+            }
+            catch (error) {
+                // Container might already be stopped
+                if (!error.message?.includes('is not running')) {
+                    throw error;
+                }
+            }
+            // Remove container
+            await container.remove({ force });
+            // Remove from tracking
+            this.containers.delete(containerId);
+            this.resourceMonitor.removeContainer(containerId);
+            // Emit event
+            await this.emitEvent({
+                type: 'destroyed',
+                containerId,
+                agentId: containerInfo.agentId,
+                agentType: containerInfo.agentType,
+                timestamp: new Date(),
+            });
+            return {
+                success: true,
+                containerId,
+                forced: force,
+            };
+        }
+        catch (error) {
+            return {
+                success: false,
+                containerId,
+                error: `Failed to destroy sandbox: ${error.message}`,
+            };
+        }
+    }
+    /**
+     * Destroy all sandboxed containers
+     */
+    async destroyAll() {
+        const results = [];
+        for (const containerId of this.containers.keys()) {
+            const result = await this.destroySandbox(containerId, true);
+            results.push(result);
+        }
+        return results;
+    }
+    /**
+     * Get resource usage for a container
+     */
+    async getResourceUsage(containerId) {
+        return this.resourceMonitor.getStats(containerId);
+    }
+    /**
+     * List all sandboxed containers
+     */
+    listSandboxes() {
+        return Array.from(this.containers.values());
+    }
+    /**
+     * Get container info by ID
+     */
+    getContainer(containerId) {
+        return this.containers.get(containerId);
+    }
+    /**
+     * Get container by agent ID
+     */
+    getContainerByAgentId(agentId) {
+        for (const container of this.containers.values()) {
+            if (container.agentId === agentId) {
+                return container;
+            }
+        }
+        return undefined;
+    }
+    /**
+     * Check container health
+     */
+    async healthCheck(containerId) {
+        const startTime = Date.now();
+        try {
+            const container = this.docker.getContainer(containerId);
+            const inspection = await container.inspect();
+            const healthy = inspection.State.Running && !inspection.State.OOMKilled;
+            return {
+                healthy,
+                containerId,
+                status: inspection.State.Status,
+                responseTimeMs: Date.now() - startTime,
+                checkedAt: new Date(),
+            };
+        }
+        catch (error) {
+            const containerInfo = this.containers.get(containerId);
+            await this.emitEvent({
+                type: 'health_check_failed',
+                containerId,
+                agentId: containerInfo?.agentId || 'unknown',
+                agentType: containerInfo?.agentType || 'unknown',
+                timestamp: new Date(),
+                error: error.message,
+            });
+            return {
+                healthy: false,
+                containerId,
+                status: 'error',
+                checkedAt: new Date(),
+            };
+        }
+    }
+    /**
+     * Execute a command in a container
+     */
+    async exec(containerId, command) {
+        const container = this.docker.getContainer(containerId);
+        const exec = await container.exec({
+            Cmd: command,
+            AttachStdout: true,
+            AttachStderr: true,
+        });
+        const stream = await exec.start({ hijack: true, stdin: false });
+        return new Promise((resolve, reject) => {
+            let output = '';
+            stream.on('data', (chunk) => {
+                // Docker multiplexes stdout/stderr, skip the 8-byte header
+                output += chunk.slice(8).toString();
+            });
+            stream.on('end', async () => {
+                try {
+                    const inspection = await exec.inspect();
+                    resolve({
+                        exitCode: inspection.ExitCode || 0,
+                        output,
+                    });
+                }
+                catch (error) {
+                    reject(error);
+                }
+            });
+            stream.on('error', reject);
+        });
+    }
+    /**
+     * Get container logs
+     */
+    async getLogs(containerId, options = {}) {
+        const container = this.docker.getContainer(containerId);
+        const logs = await container.logs({
+            stdout: true,
+            stderr: true,
+            tail: options.tail || 100,
+            since: options.since,
+        });
+        return logs.toString();
+    }
+    /**
+     * Add event handler
+     */
+    on(handler) {
+        this.eventHandlers.push(handler);
+    }
+    /**
+     * Remove event handler
+     */
+    off(handler) {
+        const index = this.eventHandlers.indexOf(handler);
+        if (index !== -1) {
+            this.eventHandlers.splice(index, 1);
+        }
+    }
+    /**
+     * Check if Docker is available
+     */
+    async isDockerAvailable() {
+        try {
+            await this.docker.ping();
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Get manager status
+     */
+    getStatus() {
+        return {
+            initialized: this.isInitialized,
+            dockerAvailable: this.isInitialized,
+            containerCount: this.containers.size,
+            networkId: this.networkId,
+        };
+    }
+    // ============================================
+    // Private Methods
+    // ============================================
+    /**
+     * Build Docker container create options
+     */
+    buildContainerOptions(agentId, agentType, config) {
+        const image = `${this.config.agentImage}:${this.config.imageTag || 'latest'}`;
+        // Parse memory limits
+        const memoryBytes = this.parseMemory(config.memoryLimit);
+        const memorySwapBytes = this.parseMemory(config.memorySwapLimit);
+        // Build labels
+        const labels = {
+            'agentic-qe.agent-id': agentId,
+            'agentic-qe.agent-type': agentType,
+            'agentic-qe.sandbox': 'true',
+            'agentic-qe.created-at': new Date().toISOString(),
+            ...config.labels,
+        };
+        // Build environment
+        const env = Object.entries(config.environment || {}).map(([k, v]) => `${k}=${v}`);
+        env.push(`AGENT_ID=${agentId}`);
+        env.push(`AGENT_TYPE=${agentType}`);
+        // Build host config
+        const hostConfig = {
+            // CPU limits
+            CpuQuota: config.cpuLimit * 100000, // 100000 = 1 CPU
+            CpuPeriod: 100000,
+            // Memory limits
+            Memory: memoryBytes,
+            MemorySwap: memorySwapBytes,
+            // Security
+            ReadonlyRootfs: config.readOnlyRootFs,
+            SecurityOpt: ['no-new-privileges:true'],
+            CapDrop: ['ALL'],
+            // Logging
+            LogConfig: this.config.enableLogging
+                ? {
+                    Type: this.config.logDriver,
+                    Config: {
+                        'max-size': this.config.logMaxSize || '10m',
+                        'max-file': String(this.config.logMaxFiles || 3),
+                    },
+                }
+                : { Type: 'none', Config: {} },
+            // Tmpfs for writable directories
+            Tmpfs: {
+                '/tmp': 'size=100m',
+                '/app/tmp': 'size=50m',
+            },
+            // Network
+            NetworkMode: config.networkMode === 'host'
+                ? 'host'
+                : config.networkMode === 'isolated'
+                    ? 'none'
+                    : this.config.networkName || 'bridge',
+            // Restart policy
+            RestartPolicy: {
+                Name: 'on-failure',
+                MaximumRetryCount: 3,
+            },
+        };
+        // Add seccomp profile if specified
+        if (config.seccompProfile) {
+            hostConfig.SecurityOpt?.push(`seccomp=${config.seccompProfile}`);
+        }
+        // Add volumes
+        if (config.volumes) {
+            hostConfig.Binds = config.volumes.map((v) => `${v.source}:${v.target}${v.readOnly ? ':ro' : ''}`);
+        }
+        return {
+            Image: image,
+            name: `agentic-qe-${agentType}-${agentId.substring(0, 8)}`,
+            Labels: labels,
+            Env: env,
+            User: config.user,
+            WorkingDir: config.workingDir || '/app',
+            HostConfig: hostConfig,
+            Healthcheck: {
+                Test: ['CMD', 'node', '-e', 'process.exit(0)'],
+                Interval: this.config.healthCheckIntervalMs * 1000000, // nanoseconds
+                Timeout: 10000000000, // 10 seconds
+                Retries: 3,
+                StartPeriod: 5000000000, // 5 seconds
+            },
+        };
+    }
+    /**
+     * Ensure sandbox network exists
+     */
+    async ensureNetwork() {
+        const networkName = this.config.networkName;
+        try {
+            // Check if network exists
+            const networks = await this.docker.listNetworks({
+                filters: { name: [networkName] },
+            });
+            if (networks.length > 0) {
+                this.networkId = networks[0].Id;
+                return;
+            }
+            // Create network
+            const network = await this.docker.createNetwork({
+                Name: networkName,
+                Driver: 'bridge',
+                Internal: true, // Isolated from external network
+                Labels: {
+                    'agentic-qe.sandbox-network': 'true',
+                },
+            });
+            this.networkId = network.id;
+        }
+        catch (error) {
+            console.warn(`Failed to ensure network ${networkName}:`, error);
+        }
+    }
+    /**
+     * Parse memory string to bytes
+     */
+    parseMemory(memStr) {
+        const match = memStr.toLowerCase().match(/^(\d+(?:\.\d+)?)\s*([kmgt]?)$/);
+        if (!match) {
+            throw new Error(`Invalid memory string: ${memStr}`);
+        }
+        const value = parseFloat(match[1]);
+        const unit = match[2] || '';
+        const multipliers = {
+            '': 1,
+            k: 1024,
+            m: 1024 * 1024,
+            g: 1024 * 1024 * 1024,
+            t: 1024 * 1024 * 1024 * 1024,
+        };
+        return Math.floor(value * multipliers[unit]);
+    }
+    /**
+     * Emit event to all handlers
+     */
+    async emitEvent(event) {
+        for (const handler of this.eventHandlers) {
+            try {
+                await handler(event);
+            }
+            catch (error) {
+                console.error('Error in sandbox event handler:', error);
+            }
+        }
+    }
+}
+exports.SandboxManager = SandboxManager;
+/**
+ * Create a new SandboxManager instance
+ */
+function createSandboxManager(config) {
+    return new SandboxManager(config);
+}
+//# sourceMappingURL=SandboxManager.js.map

package/dist/infrastructure/sandbox/SandboxManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SandboxManager.js","sourceRoot":"","sources":["../../../src/infrastructure/sandbox/SandboxManager.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;;;;AA4mBH,oDAEC;AA5mBD,0DAA+B;AAa/B,yCAAoD;AACpD,oEAAqE;AACrE,6DAAuD;AAEvD;;GAEG;AACH,MAAM,sBAAsB,GAAyB;IACnD,UAAU,EAAE,kBAAkB;IAC9B,QAAQ,EAAE,QAAQ;IAClB,WAAW,EAAE,oBAAoB;IACjC,aAAa,EAAE,IAAI;IACnB,SAAS,EAAE,WAAW;IACtB,UAAU,EAAE,KAAK;IACjB,WAAW,EAAE,CAAC;IACd,iBAAiB,EAAE,IAAI;IACvB,qBAAqB,EAAE,KAAK;CAC7B,CAAC;AAEF;;GAEG;AACH,MAAa,cAAc;IASzB,YAAY,SAAwC,EAAE;QAJ9C,kBAAa,GAA0B,EAAE,CAAC;QAC1C,kBAAa,GAAY,KAAK,CAAC;QAC/B,cAAS,GAAkB,IAAI,CAAC;QAGtC,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,sBAAsB,EAAE,GAAG,MAAM,EAAE,CAAC;QAEvD,2BAA2B;QAC3B,MAAM,aAAa,GAAyB,EAAE,CAAC;QAC/C,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;YACjC,aAAa,CAAC,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC;QAC1D,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAClC,aAAa,CAAC,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;QAC9C,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC9B,aAAa,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;QACpD,CAAC;QAED,IAAI,CAAC,MAAM,GAAG,IAAI,mBAAM,CAAC,aAAa,CAAC,CAAC;QACxC,IAAI,CAAC,UAAU,GAAG,IAAI,GAAG,EAAE,CAAC;QAC5B,IAAI,CAAC,eAAe,GAAG,IAAI,oCAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAExD,kCAAkC;QAClC,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,aAAa;YAAE,OAAO;QAE/B,IAAI,CAAC;YACH,2BAA2B;YAC3B,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAEzB,mCAAmC;YACnC,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC5B,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;YAC7B,CAAC;YAED,4BAA4B;YAC5B,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YAE7B,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAC5B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,wCAAyC,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,QAAQ;QACZ,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;QAE5B,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAClC,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC,aAAa,GAAG,KAAK,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,OAAe,EACf,SAAiB,EACjB,YAAqC;QAErC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC;YACH,kDAAkD;YAClD,MAAM,aAAa,GAAG,IAAA,yCAAqB,EAAC,SAAS,CAAC,CAAC;YACvD,MAAM,aAAa,GAAkB;gBACnC,GAAG,iCAAsB;gBACzB,GAAG,aAAa;gBAChB,GAAG,YAAY;aAChB,CAAC;YAEF,iCAAiC;YACjC,MAAM,aAAa,GAAG,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;YAEpF,mBAAmB;YACnB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;YACnE,MAAM,WAAW,GAAG,SAAS,CAAC,EAAE,CAAC;YAEjC,uBAAuB;YACvB,MAAM,aAAa,GAAkB;gBACnC,WAAW;gBACX,OAAO;gBACP,SAAS;gBACT,MAAM,EAAE,UAAU;gBAClB,SAAS,EAAE,IAAI,IAAI,EAAE;gBACrB,MAAM,EAAE,aAAa,CAAC,MAAM;aAC7B,CAAC;YAEF,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;YAEhD,kBAAkB;YAClB,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;YACxB,aAAa,CAAC,MAAM,GAAG,SAAS,CAAC;YACjC,aAAa,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;YAErC,6BAA6B;YAC7B,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;YAEnE,aAAa;YACb,MAAM,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI,EAAE,SAAS;gBACf,WAAW;gBACX,OAAO;gBACP,SAAS;gBACT,SAAS,EAAE,IAAI,IAAI,EAAE;gBACrB,OAAO,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE;aACnC,CAAC,CAAC;YAEH,MAAM,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI,EAAE,SAAS;gBACf,WAAW;gBACX,OAAO;gBACP,SAAS;gBACT,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC,CAAC;YAEH,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,aAAa;aACzB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAI,KAAe,CAAC,OAAO,CAAC;YAC9C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,6BAA6B,YAAY,EAAE;aACnD,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,WAAmB,EAAE,QAAiB,KAAK;QAC9D,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YACvD,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,WAAW;oBACX,KAAK,EAAE,qBAAqB;iBAC7B,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;YAExD,gBAAgB;YAChB,aAAa,CAAC,MAAM,GAAG,UAAU,CAAC;YAElC,iBAAiB;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC9C,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,qCAAqC;gBACrC,IAAI,CAAE,KAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;oBAC1D,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;YAED,mBAAmB;YACnB,MAAM,SAAS,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;YAElC,uBAAuB;YACvB,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACpC,IAAI,CAAC,eAAe,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;YAElD,aAAa;YACb,MAAM,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI,EAAE,WAAW;gBACjB,WAAW;gBACX,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,SAAS,EAAE,aAAa,CAAC,SAAS;gBAClC,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC,CAAC;YAEH,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,WAAW;gBACX,MAAM,EAAE,KAAK;aACd,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW;gBACX,KAAK,EAAE,8BAA+B,KAAe,CAAC,OAAO,EAAE;aAChE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,MAAM,OAAO,GAA2B,EAAE,CAAC;QAE3C,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC;YACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;YAC5D,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,WAAmB;QACxC,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,aAAa;QACX,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,WAAmB;QAC9B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,qBAAqB,CAAC,OAAe;QACnC,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC;YACjD,IAAI,SAAS,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBAClC,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,WAAmB;QACnC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;YACxD,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;YAE7C,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC;YAExE,OAAO;gBACL,OAAO;gBACP,WAAW;gBACX,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,MAAM;gBAC/B,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBACtC,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAEvD,MAAM,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI,EAAE,qBAAqB;gBAC3B,WAAW;gBACX,OAAO,EAAE,aAAa,EAAE,OAAO,IAAI,SAAS;gBAC5C,SAAS,EAAE,aAAa,EAAE,SAAS,IAAI,SAAS;gBAChD,SAAS,EAAE,IAAI,IAAI,EAAE;gBACrB,KAAK,EAAG,KAAe,CAAC,OAAO;aAChC,CAAC,CAAC;YAEH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW;gBACX,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI,CACR,WAAmB,EACnB,OAAiB;QAEjB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAExD,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC;YAChC,GAAG,EAAE,OAAO;YACZ,YAAY,EAAE,IAAI;YAClB,YAAY,EAAE,IAAI;SACnB,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QAEhE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,MAAM,GAAG,EAAE,CAAC;YAEhB,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBAClC,2DAA2D;gBAC3D,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;YACtC,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE;gBAC1B,IAAI,CAAC;oBACH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;oBACxC,OAAO,CAAC;wBACN,QAAQ,EAAE,UAAU,CAAC,QAAQ,IAAI,CAAC;wBAClC,MAAM;qBACP,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,KAAK,CAAC,CAAC;gBAChB,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CACX,WAAmB,EACnB,UAA6C,EAAE;QAE/C,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAExD,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC;YAChC,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,IAAI;YACZ,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,GAAG;YACzB,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,EAAE,CAAC,OAA4B;QAC7B,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,OAA4B;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;YACjB,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB;QACrB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,SAAS;QAMP,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,aAAa;YAC/B,eAAe,EAAE,IAAI,CAAC,aAAa;YACnC,cAAc,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI;YACpC,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC;IACJ,CAAC;IAED,+CAA+C;IAC/C,kBAAkB;IAClB,+CAA+C;IAE/C;;OAEG;IACK,qBAAqB,CAC3B,OAAe,EACf,SAAiB,EACjB,MAAqB;QAErB,MAAM,KAAK,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,QAAQ,EAAE,CAAC;QAE9E,sBAAsB;QACtB,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACzD,MAAM,eAAe,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAEjE,eAAe;QACf,MAAM,MAAM,GAA2B;YACrC,qBAAqB,EAAE,OAAO;YAC9B,uBAAuB,EAAE,SAAS;YAClC,oBAAoB,EAAE,MAAM;YAC5B,uBAAuB,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACjD,GAAG,MAAM,CAAC,MAAM;SACjB,CAAC;QAEF,oBAAoB;QACpB,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAClF,GAAG,CAAC,IAAI,CAAC,YAAY,OAAO,EAAE,CAAC,CAAC;QAChC,GAAG,CAAC,IAAI,CAAC,cAAc,SAAS,EAAE,CAAC,CAAC;QAEpC,oBAAoB;QACpB,MAAM,UAAU,GAAsB;YACpC,aAAa;YACb,QAAQ,EAAE,MAAM,CAAC,QAAQ,GAAG,MAAM,EAAE,iBAAiB;YACrD,SAAS,EAAE,MAAM;YAEjB,gBAAgB;YAChB,MAAM,EAAE,WAAW;YACnB,UAAU,EAAE,eAAe;YAE3B,WAAW;YACX,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,WAAW,EAAE,CAAC,wBAAwB,CAAC;YACvC,OAAO,EAAE,CAAC,KAAK,CAAC;YAEhB,UAAU;YACV,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;gBAClC,CAAC,CAAC;oBACE,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,SAAwB;oBAC1C,MAAM,EAAE;wBACN,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,KAAK;wBAC3C,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,CAAC,CAAC;qBACjD;iBACF;gBACH,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE;YAEhC,iCAAiC;YACjC,KAAK,EAAE;gBACL,MAAM,EAAE,WAAW;gBACnB,UAAU,EAAE,UAAU;aACvB;YAED,UAAU;YACV,WAAW,EACT,MAAM,CAAC,WAAW,KAAK,MAAM;gBAC3B,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,MAAM,CAAC,WAAW,KAAK,UAAU;oBACjC,CAAC,CAAC,MAAM;oBACR,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,QAAQ;YAE3C,iBAAiB;YACjB,aAAa,EAAE;gBACb,IAAI,EAAE,YAAY;gBAClB,iBAAiB,EAAE,CAAC;aACrB;SACF,CAAC;QAEF,mCAAmC;QACnC,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;YAC1B,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,WAAW,MAAM,CAAC,cAAc,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,cAAc;QACd,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,UAAU,CAAC,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAC3D,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,IAAI,EAAE,cAAc,SAAS,IAAI,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;YAC1D,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,GAAG;YACR,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,MAAM;YACvC,UAAU,EAAE,UAAU;YACtB,WAAW,EAAE;gBACX,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,CAAC;gBAC9C,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,qBAAsB,GAAG,OAAO,EAAE,cAAc;gBACtE,OAAO,EAAE,WAAW,EAAE,aAAa;gBACnC,OAAO,EAAE,CAAC;gBACV,WAAW,EAAE,UAAU,EAAE,YAAY;aACtC;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,aAAa;QACzB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,WAAY,CAAC;QAE7C,IAAI,CAAC;YACH,0BAA0B;YAC1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;gBAC9C,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,WAAW,CAAC,EAAE;aACjC,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChC,OAAO;YACT,CAAC;YAED,iBAAiB;YACjB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;gBAC9C,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,QAAQ;gBAChB,QAAQ,EAAE,IAAI,EAAE,iCAAiC;gBACjD,MAAM,EAAE;oBACN,4BAA4B,EAAE,MAAM;iBACrC;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,EAAE,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,4BAA4B,WAAW,GAAG,EAAE,KAAK,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,MAAc;QAChC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAC1E,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,EAAE,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAE5B,MAAM,WAAW,GAA2B;YAC1C,EAAE,EAAE,CAAC;YACL,CAAC,EAAE,IAAI;YACP,CAAC,EAAE,IAAI,GAAG,IAAI;YACd,CAAC,EAAE,IAAI,GAAG,IAAI,GAAG,IAAI;YACrB,CAAC,EAAE,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI;SAC7B,CAAC;QAEF,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,KAAmB;QACzC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,KAAK,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAlkBD,wCAkkBC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,MAAsC;IACzE,OAAO,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC"}

package/dist/infrastructure/sandbox/index.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Docker-Based Agent Sandboxing Infrastructure
+ *
+ * Provides secure, isolated execution environments for QE agents with:
+ * - Resource limits enforced by cgroups
+ * - Network isolation and domain whitelisting
+ * - Read-only root filesystem
+ * - Non-root user execution
+ * - Resource monitoring and OOM prevention
+ *
+ * @module infrastructure/sandbox
+ * @see Issue #146 - Security Hardening: Docker Sandboxing
+ */
+export { type SandboxConfig, type SandboxManagerConfig, type ContainerInfo, type ContainerStatus, type ResourceStats, type SandboxCreateResult, type SandboxDestroyResult, type HealthCheckResult, type SandboxEvent, type SandboxEventType, type SandboxEventHandler, type NetworkMode, type VolumeMount, DEFAULT_SANDBOX_CONFIG, parseMemoryString, formatBytes, } from './types.js';
+export { SandboxManager, createSandboxManager } from './SandboxManager.js';
+export { ResourceMonitor, type ResourceMonitorConfig, type ResourceThresholds, DEFAULT_THRESHOLDS, DEFAULT_MONITOR_CONFIG, } from './ResourceMonitor.js';
+export { AGENT_PROFILES, type AgentProfile, getAgentProfile, getAgentSandboxConfig, listAgentProfiles, validateConfigAgainstProfile, } from './profiles/agent-profiles.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/infrastructure/sandbox/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/sandbox/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,oBAAoB,EACzB,KAAK,aAAa,EAClB,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,EACxB,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,sBAAsB,EACtB,iBAAiB,EACjB,WAAW,GACZ,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3E,OAAO,EACL,eAAe,EACf,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,EACvB,kBAAkB,EAClB,sBAAsB,GACvB,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,cAAc,EACd,KAAK,YAAY,EACjB,eAAe,EACf,qBAAqB,EACrB,iBAAiB,EACjB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC"}

package/dist/infrastructure/sandbox/index.js

@@ -0,0 +1,38 @@
+"use strict";
+/**
+ * Docker-Based Agent Sandboxing Infrastructure
+ *
+ * Provides secure, isolated execution environments for QE agents with:
+ * - Resource limits enforced by cgroups
+ * - Network isolation and domain whitelisting
+ * - Read-only root filesystem
+ * - Non-root user execution
+ * - Resource monitoring and OOM prevention
+ *
+ * @module infrastructure/sandbox
+ * @see Issue #146 - Security Hardening: Docker Sandboxing
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateConfigAgainstProfile = exports.listAgentProfiles = exports.getAgentSandboxConfig = exports.getAgentProfile = exports.AGENT_PROFILES = exports.DEFAULT_MONITOR_CONFIG = exports.DEFAULT_THRESHOLDS = exports.ResourceMonitor = exports.createSandboxManager = exports.SandboxManager = exports.formatBytes = exports.parseMemoryString = exports.DEFAULT_SANDBOX_CONFIG = void 0;
+// Types
+var types_js_1 = require("./types.js");
+Object.defineProperty(exports, "DEFAULT_SANDBOX_CONFIG", { enumerable: true, get: function () { return types_js_1.DEFAULT_SANDBOX_CONFIG; } });
+Object.defineProperty(exports, "parseMemoryString", { enumerable: true, get: function () { return types_js_1.parseMemoryString; } });
+Object.defineProperty(exports, "formatBytes", { enumerable: true, get: function () { return types_js_1.formatBytes; } });
+// SandboxManager
+var SandboxManager_js_1 = require("./SandboxManager.js");
+Object.defineProperty(exports, "SandboxManager", { enumerable: true, get: function () { return SandboxManager_js_1.SandboxManager; } });
+Object.defineProperty(exports, "createSandboxManager", { enumerable: true, get: function () { return SandboxManager_js_1.createSandboxManager; } });
+// ResourceMonitor
+var ResourceMonitor_js_1 = require("./ResourceMonitor.js");
+Object.defineProperty(exports, "ResourceMonitor", { enumerable: true, get: function () { return ResourceMonitor_js_1.ResourceMonitor; } });
+Object.defineProperty(exports, "DEFAULT_THRESHOLDS", { enumerable: true, get: function () { return ResourceMonitor_js_1.DEFAULT_THRESHOLDS; } });
+Object.defineProperty(exports, "DEFAULT_MONITOR_CONFIG", { enumerable: true, get: function () { return ResourceMonitor_js_1.DEFAULT_MONITOR_CONFIG; } });
+// Agent Profiles
+var agent_profiles_js_1 = require("./profiles/agent-profiles.js");
+Object.defineProperty(exports, "AGENT_PROFILES", { enumerable: true, get: function () { return agent_profiles_js_1.AGENT_PROFILES; } });
+Object.defineProperty(exports, "getAgentProfile", { enumerable: true, get: function () { return agent_profiles_js_1.getAgentProfile; } });
+Object.defineProperty(exports, "getAgentSandboxConfig", { enumerable: true, get: function () { return agent_profiles_js_1.getAgentSandboxConfig; } });
+Object.defineProperty(exports, "listAgentProfiles", { enumerable: true, get: function () { return agent_profiles_js_1.listAgentProfiles; } });
+Object.defineProperty(exports, "validateConfigAgainstProfile", { enumerable: true, get: function () { return agent_profiles_js_1.validateConfigAgainstProfile; } });
+//# sourceMappingURL=index.js.map

package/dist/infrastructure/sandbox/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/infrastructure/sandbox/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAEH,QAAQ;AACR,uCAiBoB;AAHlB,kHAAA,sBAAsB,OAAA;AACtB,6GAAA,iBAAiB,OAAA;AACjB,uGAAA,WAAW,OAAA;AAGb,iBAAiB;AACjB,yDAA2E;AAAlE,mHAAA,cAAc,OAAA;AAAE,yHAAA,oBAAoB,OAAA;AAE7C,kBAAkB;AAClB,2DAM8B;AAL5B,qHAAA,eAAe,OAAA;AAGf,wHAAA,kBAAkB,OAAA;AAClB,4HAAA,sBAAsB,OAAA;AAGxB,iBAAiB;AACjB,kEAOsC;AANpC,mHAAA,cAAc,OAAA;AAEd,oHAAA,eAAe,OAAA;AACf,0HAAA,qBAAqB,OAAA;AACrB,sHAAA,iBAAiB,OAAA;AACjB,iIAAA,4BAA4B,OAAA"}

package/dist/infrastructure/sandbox/profiles/agent-profiles.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Agent Resource Profiles for Docker Sandboxing
+ *
+ * Defines resource limits and network policies for each QE agent type.
+ * Profiles are designed for security (minimal access) and stability (OOM prevention).
+ *
+ * @module infrastructure/sandbox/profiles/agent-profiles
+ * @see Issue #146 - Security Hardening: Docker Sandboxing
+ */
+import { SandboxConfig } from '../types.js';
+/**
+ * Agent profile with sandbox configuration and metadata
+ */
+export interface AgentProfile {
+    /** Sandbox configuration */
+    config: SandboxConfig;
+    /** Profile description */
+    description: string;
+    /** Risk level for audit purposes */
+    riskLevel: 'low' | 'medium' | 'high';
+    /** Whether agent needs external network access */
+    requiresNetwork: boolean;
+}
+/**
+ * Resource profiles for all QE agents
+ *
+ * Each profile is tuned for the specific agent's requirements:
+ * - CPU: Based on computational needs
+ * - Memory: Based on data processing requirements
+ * - Network: Minimal domains required for operation
+ */
+export declare const AGENT_PROFILES: Record<string, AgentProfile>;
+/**
+ * Get profile for an agent type
+ * Falls back to default if not found
+ */
+export declare function getAgentProfile(agentType: string): AgentProfile;
+/**
+ * Get sandbox config for an agent type
+ */
+export declare function getAgentSandboxConfig(agentType: string): SandboxConfig;
+/**
+ * List all available agent profiles
+ */
+export declare function listAgentProfiles(): string[];
+/**
+ * Validate that a custom config doesn't exceed profile limits
+ */
+export declare function validateConfigAgainstProfile(agentType: string, config: Partial<SandboxConfig>): {
+    valid: boolean;
+    violations: string[];
+};
+//# sourceMappingURL=agent-profiles.d.ts.map

package/dist/infrastructure/sandbox/profiles/agent-profiles.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-profiles.d.ts","sourceRoot":"","sources":["../../../../src/infrastructure/sandbox/profiles/agent-profiles.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,4BAA4B;IAC5B,MAAM,EAAE,aAAa,CAAC;IAEtB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IAEpB,oCAAoC;IACpC,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAErC,kDAAkD;IAClD,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAyYvD,CAAC;AAEF;;;GAGG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,YAAY,CAE/D;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,MAAM,GAAG,aAAa,CAEtE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,EAAE,CAE5C;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,GAC7B;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,MAAM,EAAE,CAAA;CAAE,CAuB1C"}