chainlesschain 0.51.0 → 0.66.0

package/src/lib/sandbox-v2.js

@@ -695,4 +695,310 @@ export function pruneExpired(db, now = Date.now()) {
 export function _resetState() {
   activeSandboxes.clear();
   auditLog.length = 0;
+  _v2Isolations.length = 0;
+}
+
+// ═════════════════════════════════════════════════════════════════
+// Phase 87 — Agent Security Sandbox 2.0 additions (strictly-additive)
+// Frozen canonical enums + lifecycle state machine (pause/resume/
+// terminate) + per-type quota + explicit enforce/check helpers +
+// risk-level classification + auto-isolate + filtered audit/stats.
+// ═════════════════════════════════════════════════════════════════
+
+export const SANDBOX_STATUS = Object.freeze({
+  CREATING: "creating",
+  READY: "ready",
+  RUNNING: "running",
+  PAUSED: "paused",
+  TERMINATED: "terminated",
+  ERROR: "error",
+});
+
+export const PERMISSION_TYPE = Object.freeze({
+  FILESYSTEM: "filesystem",
+  NETWORK: "network",
+  SYSCALL: "syscall",
+  IPC: "ipc",
+  PROCESS: "process",
+});
+
+export const RISK_LEVEL = Object.freeze({
+  SAFE: "safe",
+  LOW: "low",
+  MEDIUM: "medium",
+  HIGH: "high",
+  CRITICAL: "critical",
+});
+
+export const QUOTA_TYPE = Object.freeze({
+  CPU_PERCENT: "cpu_percent",
+  MEMORY_MB: "memory_mb",
+  DISK_MB: "disk_mb",
+  NETWORK_KBPS: "network_kbps",
+  PROCESS_COUNT: "process_count",
+});
+
+const _PERM_TYPE_VALUES = new Set(Object.values(PERMISSION_TYPE));
+const _QUOTA_TYPE_VALUES = new Set(Object.values(QUOTA_TYPE));
+
+// V2 audit / isolation state
+const _v2Isolations = [];
+
+// QUOTA_TYPE → internal quota-field mapping (maps canonical Phase 87 names
+// onto the pre-existing sandbox.quota fields).
+const _QUOTA_FIELD_MAP = {
+  [QUOTA_TYPE.CPU_PERCENT]: "cpu",
+  [QUOTA_TYPE.MEMORY_MB]: "memory",
+  [QUOTA_TYPE.DISK_MB]: "storage",
+  [QUOTA_TYPE.NETWORK_KBPS]: "network",
+  [QUOTA_TYPE.PROCESS_COUNT]: "processCount",
+};
+
+function _requireSandbox(sandboxId) {
+  const s = activeSandboxes.get(sandboxId);
+  if (!s) throw new Error(`Sandbox not found: ${sandboxId}`);
+  return s;
+}
+
+/**
+ * Pause a sandbox: active → paused (no execution allowed while paused).
+ */
+export function pauseSandboxV2(db, sandboxId) {
+  ensureSandboxTables(db);
+  const sandbox = _requireSandbox(sandboxId);
+  if (sandbox.status === SANDBOX_STATUS.PAUSED)
+    throw new Error("Sandbox already paused");
+  if (sandbox.status === SANDBOX_STATUS.TERMINATED)
+    throw new Error("Cannot pause terminated sandbox");
+  const prev = sandbox.status;
+  sandbox.status = SANDBOX_STATUS.PAUSED;
+  db.prepare(
+    `UPDATE sandbox_instances SET status = ?, updated_at = datetime('now') WHERE id = ?`,
+  ).run(SANDBOX_STATUS.PAUSED, sandboxId);
+  logAudit(db, sandboxId, "pause", { previousStatus: prev });
+  return { id: sandboxId, status: SANDBOX_STATUS.PAUSED, previousStatus: prev };
+}
+
+/**
+ * Resume a paused sandbox back to active.
+ */
+export function resumeSandboxV2(db, sandboxId) {
+  ensureSandboxTables(db);
+  const sandbox = _requireSandbox(sandboxId);
+  if (sandbox.status !== SANDBOX_STATUS.PAUSED)
+    throw new Error(`Cannot resume: sandbox is ${sandbox.status}, not paused`);
+  sandbox.status = "active";
+  db.prepare(
+    `UPDATE sandbox_instances SET status = 'active', updated_at = datetime('now') WHERE id = ?`,
+  ).run(sandboxId);
+  logAudit(db, sandboxId, "resume", {});
+  return { id: sandboxId, status: "active" };
+}
+
+/**
+ * Terminate a sandbox (canonical name for destroy; records TERMINATED status).
+ */
+export function terminateSandboxV2(db, sandboxId, reason = null) {
+  ensureSandboxTables(db);
+  const sandbox = _requireSandbox(sandboxId);
+  const prev = sandbox.status;
+  sandbox.status = SANDBOX_STATUS.TERMINATED;
+  activeSandboxes.delete(sandboxId);
+  db.prepare(
+    `UPDATE sandbox_instances SET status = ?, updated_at = datetime('now') WHERE id = ?`,
+  ).run(SANDBOX_STATUS.TERMINATED, sandboxId);
+  logAudit(db, sandboxId, "terminate", { previousStatus: prev, reason });
+  return {
+    id: sandboxId,
+    status: SANDBOX_STATUS.TERMINATED,
+    previousStatus: prev,
+    reason,
+  };
+}
+
+/**
+ * Set a single quota value keyed by QUOTA_TYPE. Validates type; merges into
+ * existing quota object instead of replacing.
+ */
+export function setQuotaTyped(db, sandboxId, quotaType, limit) {
+  ensureSandboxTables(db);
+  if (!_QUOTA_TYPE_VALUES.has(quotaType))
+    throw new Error(`Invalid quotaType: ${quotaType}`);
+  if (!Number.isFinite(limit) || limit < 0)
+    throw new Error(`Invalid limit: ${limit}`);
+  const sandbox = _requireSandbox(sandboxId);
+  const field = _QUOTA_FIELD_MAP[quotaType];
+  const nextQuota = { ...sandbox.quota, [field]: limit };
+  sandbox.quota = nextQuota;
+  db.prepare(
+    `UPDATE sandbox_instances SET quota = ?, updated_at = datetime('now') WHERE id = ?`,
+  ).run(JSON.stringify(nextQuota), sandboxId);
+  logAudit(db, sandboxId, "set-quota-typed", { quotaType, limit, field });
+  return { id: sandboxId, quotaType, limit, quota: nextQuota };
+}
+
+/**
+ * Explicit permission enforcement (boolean result + optional throw on denied).
+ * Supports filesystem / network / syscall permission types.
+ */
+export function enforcePermission(
+  sandbox,
+  { type, target, mode, throwOnDeny = false } = {},
+) {
+  if (!_PERM_TYPE_VALUES.has(type))
+    throw new Error(`Invalid permission type: ${type}`);
+  if (!sandbox || !sandbox.permissions)
+    throw new Error("Sandbox or permissions missing");
+  let allowed = false;
+  if (type === PERMISSION_TYPE.FILESYSTEM) {
+    allowed = checkFilePermission(sandbox.permissions, target, mode || "read");
+  } else if (type === PERMISSION_TYPE.NETWORK) {
+    allowed = checkNetworkPermission(sandbox.permissions, target);
+  } else if (type === PERMISSION_TYPE.SYSCALL) {
+    allowed = checkSystemCallPermission(sandbox.permissions, target);
+  } else {
+    // IPC / PROCESS — not implemented in base library; treat as denied-by-default
+    allowed = false;
+  }
+  if (!allowed && throwOnDeny)
+    throw new Error(`Permission denied: ${type} ${mode || ""} ${target}`);
+  return { allowed, type, target, mode: mode || null };
+}
+
+/**
+ * Per-type quota check. Returns {ok, current, limit, remaining}.
+ */
+export function checkQuotaV2(sandbox, quotaType, amount = 0) {
+  if (!_QUOTA_TYPE_VALUES.has(quotaType))
+    throw new Error(`Invalid quotaType: ${quotaType}`);
+  if (!sandbox || !sandbox.quota) throw new Error("Sandbox or quota missing");
+  const field = _QUOTA_FIELD_MAP[quotaType];
+  const limit = sandbox.quota[field];
+  const current = (sandbox.resourceUsage?.[field] || 0) + amount;
+  const remaining = limit != null ? Math.max(0, limit - current) : Infinity;
+  return {
+    quotaType,
+    field,
+    limit: limit ?? null,
+    current,
+    remaining,
+    ok: limit == null || current <= limit,
+  };
+}
+
+/**
+ * Map a risk score (0..100) to a RISK_LEVEL enum value.
+ * safe < 20 ≤ low < 40 ≤ medium < 60 ≤ high < 80 ≤ critical
+ */
+export function getRiskLevel(score) {
+  const n = Number(score) || 0;
+  if (n < 20) return RISK_LEVEL.SAFE;
+  if (n < 40) return RISK_LEVEL.LOW;
+  if (n < 60) return RISK_LEVEL.MEDIUM;
+  if (n < 80) return RISK_LEVEL.HIGH;
+  return RISK_LEVEL.CRITICAL;
+}
+
+/**
+ * Calculate risk score via monitorBehavior and classify with RISK_LEVEL.
+ */
+export function calculateRiskScore(db, sandboxId) {
+  const report = monitorBehavior(db, sandboxId);
+  const level = getRiskLevel(report.riskScore);
+  return {
+    sandboxId,
+    riskScore: report.riskScore,
+    riskLevel: level,
+    patterns: report.patterns,
+    totalEvents: report.totalEvents,
+  };
+}
+
+/**
+ * Auto-isolate a sandbox: records an isolation entry + terminates.
+ * Typical trigger: risk level == CRITICAL or explicit admin call.
+ */
+export function autoIsolate(db, sandboxId, reason = "high-risk") {
+  ensureSandboxTables(db);
+  const sandbox = _requireSandbox(sandboxId);
+  const entry = {
+    id: crypto.randomUUID(),
+    sandboxId,
+    reason,
+    isolatedAt: new Date().toISOString(),
+    agentId: sandbox.agentId,
+  };
+  _v2Isolations.push(entry);
+  logAudit(db, sandboxId, "auto-isolate", { reason });
+  try {
+    terminateSandboxV2(db, sandboxId, reason);
+  } catch (_e) {
+    // swallow — sandbox may already be terminated
+  }
+  return entry;
+}
+
+export function listIsolations(options = {}) {
+  let result = [..._v2Isolations];
+  if (options.sandboxId)
+    result = result.filter((i) => i.sandboxId === options.sandboxId);
+  if (options.reason)
+    result = result.filter((i) => i.reason === options.reason);
+  return result;
+}
+
+/**
+ * Filtered audit log — time range + event types + limit.
+ */
+export function filterAuditLog(db, sandboxId, options = {}) {
+  let entries = [...auditLog];
+  if (sandboxId) entries = entries.filter((e) => e.sandboxId === sandboxId);
+  if (options.eventTypes && options.eventTypes.length > 0) {
+    const set = new Set(options.eventTypes);
+    entries = entries.filter((e) => set.has(e.action));
+  }
+  if (options.timeRange) {
+    const from = options.timeRange.from
+      ? new Date(options.timeRange.from).getTime()
+      : null;
+    const to = options.timeRange.to
+      ? new Date(options.timeRange.to).getTime()
+      : null;
+    entries = entries.filter((e) => {
+      const t = new Date(e.timestamp).getTime();
+      if (from != null && t < from) return false;
+      if (to != null && t > to) return false;
+      return true;
+    });
+  }
+  if (options.limit) entries = entries.slice(-options.limit);
+  return entries;
+}
+
+/**
+ * Extended V2 stats: per-status sandbox counts + audit summary + isolations.
+ */
+export function getSandboxStatsV2() {
+  const byStatus = {};
+  for (const s of activeSandboxes.values()) {
+    const st = s.status || "unknown";
+    byStatus[st] = (byStatus[st] || 0) + 1;
+  }
+  const auditByAction = {};
+  for (const e of auditLog) {
+    auditByAction[e.action] = (auditByAction[e.action] || 0) + 1;
+  }
+  return {
+    totalSandboxes: activeSandboxes.size,
+    byStatus,
+    auditEventCount: auditLog.length,
+    auditByAction,
+    isolations: {
+      total: _v2Isolations.length,
+      byReason: _v2Isolations.reduce((acc, i) => {
+        acc[i.reason] = (acc[i.reason] || 0) + 1;
+        return acc;
+      }, {}),
+    },
+  };
 }