agentic-qe 2.8.1 → 2.8.2

package/dist/agents/BaseAgent.js

@@ -34,6 +34,10 @@ const KnowledgeGraphContextBuilder_js_1 = require("./context/KnowledgeGraphConte
 const NervousSystemEnhancement_js_1 = require("../nervous-system/integration/NervousSystemEnhancement.js");
 // Nervous System Persistence (Wave 7.1 - State Persistence)
 const NervousSystemPersistenceManager_js_1 = require("../nervous-system/persistence/NervousSystemPersistenceManager.js");
+const NetworkPolicyManager_js_1 = require("../infrastructure/network/NetworkPolicyManager.js");
+const default_policies_js_1 = require("../infrastructure/network/policies/default-policies.js");
+const SandboxManager_js_1 = require("../infrastructure/sandbox/SandboxManager.js");
+const agent_profiles_js_1 = require("../infrastructure/sandbox/profiles/agent-profiles.js");
 class BaseAgent extends events_1.EventEmitter {
     constructor(config) {
         super();
@@ -42,6 +46,10 @@ class BaseAgent extends events_1.EventEmitter {
         this.federatedInitialized = false;
         this.patternStoreInitialized = false;
         this.nervousSystemEnhanced = false;
+        this.networkPolicyInitialized = false;
+        this.networkPolicyOwned = false; // true if we created the manager (not shared)
+        this.sandboxInitialized = false;
+        this.sandboxOwned = false; // true if we created the manager (not shared)
         this.agentId = { id: config.id || (0, utils_1.generateAgentId)(config.type), type: config.type, created: new Date() };
         this.capabilities = new Map((config.capabilities || []).map(cap => [cap.name, cap]));
         this.context = config.context;
@@ -71,6 +79,12 @@ class BaseAgent extends events_1.EventEmitter {
         this.codeIntelligenceConfig = config.codeIntelligence;
         // Nervous System configuration (Wave 7 - Bio-Inspired Intelligence)
         this.nervousSystemConfig = config.nervousSystem;
+        // Network Policy configuration (SP-3 - Issue #146)
+        // Default enabled for security, opt-out available
+        this.networkPolicyConfig = config.networkPolicy ?? { enabled: true };
+        // Sandbox configuration (SP-1 - Issue #146)
+        // Default disabled (opt-in) - requires Docker infrastructure
+        this.sandboxConfig = config.sandbox ?? { enabled: false };
         // Early validation (Issue #137)
         const validation = (0, utils_1.validateLearningConfig)(config);
         if (!validation.valid && validation.warning) {
@@ -141,6 +155,10 @@ class BaseAgent extends events_1.EventEmitter {
                     await this.initializeCodeIntelligence();
                     // Initialize Nervous System (Wave 7 - Bio-Inspired Intelligence)
                     await this.initializeNervousSystem();
+                    // Initialize Network Policy (SP-3 - Issue #146)
+                    await this.initializeNetworkPolicy();
+                    // Initialize Sandbox (SP-1 - Issue #146)
+                    await this.initializeSandbox();
                     await this.initializeComponents();
                     await this.executeHook('post-initialization');
                     this.coordinator.emitEvent('agent.initialized', { agentId: this.agentId });
@@ -198,6 +216,8 @@ class BaseAgent extends events_1.EventEmitter {
                     await this.cleanupFederated(); // Phase 0 M0.5: Cleanup federated learning
                     await this.cleanupPatternStore(); // Phase 0.5: Cleanup pattern store
                     await this.cleanupNervousSystem(); // Wave 7: Cleanup nervous system
+                    await this.cleanupNetworkPolicy(); // SP-3: Cleanup network policy
+                    await this.cleanupSandbox(); // SP-1: Cleanup sandbox container
                     this.coordinator.clearAllHandlers();
                 },
                 onPostTermination: async () => {
@@ -1680,6 +1700,387 @@ class BaseAgent extends events_1.EventEmitter {
             this.logger.warn(`[${this.agentId.id}] Nervous System cleanup error:`, error.message);
         }
     }
+    // ============================================
+    // Network Policy Methods (SP-3 - Issue #146)
+    // ============================================
+    /**
+     * Initialize Network Policy Manager for domain whitelisting and rate limiting
+     * Provides security hardening for agent network access
+     */
+    async initializeNetworkPolicy() {
+        if (this.networkPolicyConfig.enabled === false) {
+            this.logger.info(`[${this.agentId.id}] Network Policy disabled by configuration`);
+            return;
+        }
+        try {
+            // Use shared manager if provided, otherwise create a new one
+            if (this.networkPolicyConfig.sharedManager) {
+                this.networkPolicyManager = this.networkPolicyConfig.sharedManager;
+                this.networkPolicyOwned = false;
+            }
+            else {
+                this.networkPolicyManager = (0, NetworkPolicyManager_js_1.createNetworkPolicyManager)({
+                    enableAuditLogging: this.networkPolicyConfig.enableAuditLogging ?? true,
+                    debug: this.networkPolicyConfig.debug ?? false,
+                });
+                await this.networkPolicyManager.initialize();
+                this.networkPolicyOwned = true;
+            }
+            // Apply any policy overrides for this agent type
+            if (this.networkPolicyConfig.policyOverrides) {
+                this.networkPolicyManager.updatePolicy(this.agentId.type, this.networkPolicyConfig.policyOverrides);
+            }
+            this.networkPolicyInitialized = true;
+            this.logger.info(`[${this.agentId.id}] Network Policy initialized (owned: ${this.networkPolicyOwned})`);
+        }
+        catch (error) {
+            this.logger.warn(`[${this.agentId.id}] Network Policy initialization failed:`, error.message);
+            // Don't throw - agent can work without network policy (graceful degradation)
+        }
+    }
+    /**
+     * Check if network policy enforcement is available
+     */
+    hasNetworkPolicy() {
+        return this.networkPolicyInitialized && this.networkPolicyManager !== undefined;
+    }
+    /**
+     * Get the network policy for this agent type
+     */
+    getNetworkPolicy() {
+        if (!this.networkPolicyManager) {
+            return (0, default_policies_js_1.getNetworkPolicy)(this.agentId.type);
+        }
+        return this.networkPolicyManager.getPolicy(this.agentId.type);
+    }
+    /**
+     * Check if a network request to a domain is allowed
+     * Does NOT consume rate limit tokens - use for pre-flight checks
+     *
+     * @param domain - The target domain (e.g., "api.anthropic.com")
+     * @returns PolicyCheckResult with allowed status and details
+     */
+    async checkNetworkRequest(domain) {
+        if (!this.networkPolicyManager) {
+            // No policy enforcement - allow all
+            return {
+                allowed: true,
+                policy: (0, default_policies_js_1.getNetworkPolicy)(this.agentId.type),
+            };
+        }
+        return this.networkPolicyManager.checkRequest(this.agentId.id, this.agentId.type, domain);
+    }
+    /**
+     * Record a network request (consumes rate limit token)
+     * Call this after making an actual network request
+     *
+     * @param domain - The target domain
+     * @param allowed - Whether the request was allowed
+     * @param responseTimeMs - Response time in milliseconds (optional)
+     */
+    async recordNetworkRequest(domain, allowed, responseTimeMs) {
+        if (!this.networkPolicyManager) {
+            return;
+        }
+        await this.networkPolicyManager.recordRequest(this.agentId.id, this.agentId.type, domain, allowed, responseTimeMs);
+    }
+    /**
+     * Make a policy-enforced network request
+     * Checks domain whitelist and rate limits before allowing the request
+     *
+     * @param url - The full URL to request
+     * @param requestFn - Function that performs the actual request
+     * @returns The result of requestFn if allowed
+     * @throws Error if request is blocked by policy
+     *
+     * @example
+     * ```typescript
+     * const response = await this.makeNetworkRequest(
+     *   'https://api.anthropic.com/v1/messages',
+     *   async () => fetch('https://api.anthropic.com/v1/messages', { method: 'POST', ... })
+     * );
+     * ```
+     */
+    async makeNetworkRequest(url, requestFn) {
+        // Extract domain from URL
+        let domain;
+        try {
+            const parsedUrl = new URL(url);
+            domain = parsedUrl.hostname;
+        }
+        catch {
+            throw new Error(`Invalid URL: ${url}`);
+        }
+        // Check if request is allowed
+        const check = await this.checkNetworkRequest(domain);
+        if (!check.allowed) {
+            const error = new Error(`Network request blocked: ${check.reason} - ${check.details || domain}`);
+            error.policyCheckResult = check;
+            throw error;
+        }
+        // Make the actual request
+        const startTime = Date.now();
+        try {
+            const result = await requestFn();
+            const responseTime = Date.now() - startTime;
+            await this.recordNetworkRequest(domain, true, responseTime);
+            return result;
+        }
+        catch (error) {
+            const responseTime = Date.now() - startTime;
+            await this.recordNetworkRequest(domain, false, responseTime);
+            throw error;
+        }
+    }
+    /**
+     * Get rate limit status for this agent
+     */
+    getNetworkRateLimitStatus() {
+        if (!this.networkPolicyManager) {
+            return null;
+        }
+        return this.networkPolicyManager.getRateLimitStatus(this.agentId.id, this.agentId.type);
+    }
+    /**
+     * Get network audit statistics
+     * @param since - Optional start date for stats
+     */
+    async getNetworkAuditStats(since) {
+        if (!this.networkPolicyManager) {
+            return null;
+        }
+        return this.networkPolicyManager.getAuditStats(since);
+    }
+    /**
+     * Get network policy statistics for this agent
+     */
+    getNetworkPolicyStats() {
+        if (!this.hasNetworkPolicy()) {
+            return { enabled: false };
+        }
+        return {
+            enabled: true,
+            policy: this.getNetworkPolicy(),
+            rateLimitStatus: this.getNetworkRateLimitStatus(),
+        };
+    }
+    /**
+     * Cleanup network policy resources on agent termination
+     */
+    async cleanupNetworkPolicy() {
+        if (!this.networkPolicyInitialized) {
+            return;
+        }
+        try {
+            // Only shutdown if we own the manager (not shared)
+            if (this.networkPolicyOwned && this.networkPolicyManager) {
+                await this.networkPolicyManager.shutdown();
+                this.logger.info(`[${this.agentId.id}] Network Policy cleanup complete`);
+            }
+        }
+        catch (error) {
+            this.logger.warn(`[${this.agentId.id}] Network Policy cleanup error:`, error.message);
+        }
+        this.networkPolicyInitialized = false;
+        this.networkPolicyManager = undefined;
+    }
+    // ============================================
+    // Sandbox Infrastructure Methods (SP-1 - Issue #146)
+    // ============================================
+    /**
+     * Initialize Sandbox Manager for Docker-based agent isolation
+     * Provides secure, isolated execution environments with resource limits
+     */
+    async initializeSandbox() {
+        if (this.sandboxConfig.enabled === false) {
+            this.logger.debug(`[${this.agentId.id}] Sandbox disabled by configuration`);
+            return;
+        }
+        try {
+            // Use shared manager if provided, otherwise create a new one
+            if (this.sandboxConfig.sharedManager) {
+                this.sandboxManager = this.sandboxConfig.sharedManager;
+                this.sandboxOwned = false;
+            }
+            else {
+                this.sandboxManager = (0, SandboxManager_js_1.createSandboxManager)({
+                    agentImage: process.env.AQE_SANDBOX_IMAGE || 'agentic-qe-agent',
+                    imageTag: process.env.AQE_SANDBOX_TAG || 'latest',
+                    cleanupOnShutdown: true,
+                });
+                await this.sandboxManager.initialize();
+                this.sandboxOwned = true;
+            }
+            // Auto-create sandbox container if configured
+            if (this.sandboxConfig.autoCreateSandbox !== false) {
+                const result = await this.createSandboxContainer();
+                if (result.success && result.container) {
+                    this.containerId = result.container.containerId;
+                }
+                else if (!result.success) {
+                    // Docker not available - graceful degradation
+                    this.logger.info(`[${this.agentId.id}] Sandbox container creation skipped: ${result.error}`);
+                }
+            }
+            this.sandboxInitialized = true;
+            this.logger.info(`[${this.agentId.id}] Sandbox initialized (owned: ${this.sandboxOwned}, container: ${this.containerId || 'none'})`);
+        }
+        catch (error) {
+            this.logger.warn(`[${this.agentId.id}] Sandbox initialization failed:`, error.message);
+            // Don't throw - agent can work without sandbox (graceful degradation)
+        }
+    }
+    /**
+     * Check if sandbox isolation is available
+     */
+    hasSandbox() {
+        return this.sandboxInitialized && this.sandboxManager !== undefined;
+    }
+    /**
+     * Check if agent is running in a sandbox container
+     */
+    isInSandbox() {
+        return this.containerId !== undefined;
+    }
+    /**
+     * Get the container ID if running in sandbox
+     */
+    getContainerId() {
+        return this.containerId;
+    }
+    /**
+     * Get sandbox configuration for this agent type
+     */
+    getSandboxConfig() {
+        return (0, agent_profiles_js_1.getAgentSandboxConfig)(this.agentId.type);
+    }
+    /**
+     * Create a sandbox container for this agent
+     * @param customConfig - Optional custom sandbox configuration
+     */
+    async createSandboxContainer(customConfig) {
+        if (!this.sandboxManager) {
+            return {
+                success: false,
+                error: 'Sandbox manager not initialized',
+            };
+        }
+        // Check if Docker is available
+        const dockerAvailable = await this.sandboxManager.isDockerAvailable();
+        if (!dockerAvailable) {
+            return {
+                success: false,
+                error: 'Docker not available',
+            };
+        }
+        // Merge profile config with any overrides
+        const mergedConfig = {
+            ...this.sandboxConfig.sandboxOverrides,
+            ...customConfig,
+        };
+        return this.sandboxManager.createSandbox(this.agentId.id, this.agentId.type, mergedConfig);
+    }
+    /**
+     * Get resource usage for the sandbox container
+     */
+    async getSandboxResourceUsage() {
+        if (!this.sandboxManager || !this.containerId) {
+            return null;
+        }
+        return this.sandboxManager.getResourceUsage(this.containerId);
+    }
+    /**
+     * Check sandbox container health
+     */
+    async checkSandboxHealth() {
+        if (!this.sandboxManager || !this.containerId) {
+            return null;
+        }
+        return this.sandboxManager.healthCheck(this.containerId);
+    }
+    /**
+     * Execute a command in the sandbox container
+     * @param command - Command to execute as array of strings
+     */
+    async execInSandbox(command) {
+        if (!this.sandboxManager || !this.containerId) {
+            return null;
+        }
+        return this.sandboxManager.exec(this.containerId, command);
+    }
+    /**
+     * Get sandbox container logs
+     * @param options - Log retrieval options
+     */
+    async getSandboxLogs(options) {
+        if (!this.sandboxManager || !this.containerId) {
+            return null;
+        }
+        return this.sandboxManager.getLogs(this.containerId, options);
+    }
+    /**
+     * Subscribe to sandbox events
+     * @param handler - Event handler function
+     */
+    onSandboxEvent(handler) {
+        if (this.sandboxManager) {
+            this.sandboxManager.on(handler);
+        }
+    }
+    /**
+     * Unsubscribe from sandbox events
+     * @param handler - Event handler to remove
+     */
+    offSandboxEvent(handler) {
+        if (this.sandboxManager) {
+            this.sandboxManager.off(handler);
+        }
+    }
+    /**
+     * Get sandbox statistics for this agent
+     */
+    getSandboxStats() {
+        if (!this.hasSandbox()) {
+            return { enabled: false, inSandbox: false };
+        }
+        return {
+            enabled: true,
+            inSandbox: this.isInSandbox(),
+            containerId: this.containerId,
+            sandboxConfig: this.getSandboxConfig(),
+        };
+    }
+    /**
+     * Cleanup sandbox resources on agent termination
+     */
+    async cleanupSandbox() {
+        if (!this.sandboxInitialized) {
+            return;
+        }
+        try {
+            // Destroy our container if we have one
+            if (this.containerId && this.sandboxManager) {
+                const result = await this.sandboxManager.destroySandbox(this.containerId, true);
+                if (result.success) {
+                    this.logger.info(`[${this.agentId.id}] Sandbox container ${this.containerId} destroyed`);
+                }
+                else {
+                    this.logger.warn(`[${this.agentId.id}] Sandbox container destruction failed: ${result.error}`);
+                }
+            }
+            // Only shutdown manager if we own it (not shared)
+            if (this.sandboxOwned && this.sandboxManager) {
+                await this.sandboxManager.shutdown();
+                this.logger.info(`[${this.agentId.id}] Sandbox manager shutdown complete`);
+            }
+        }
+        catch (error) {
+            this.logger.warn(`[${this.agentId.id}] Sandbox cleanup error:`, error.message);
+        }
+        this.sandboxInitialized = false;
+        this.sandboxManager = undefined;
+        this.containerId = undefined;
+    }
 }
 exports.BaseAgent = BaseAgent;
 class BaseAgentFactory {