rust-kgdb 0.3.11 → 0.4.0

package/secure-agent-sandbox-demo.js

@@ -0,0 +1,469 @@
+#!/usr/bin/env node
+/**
+ * HyperMind Secure Agent Sandbox Demo
+ *
+ * This demonstrates the WASM sandbox security model for enterprise agent deployment.
+ * Each agent runs in isolated memory with capability-based access control.
+ *
+ * SECURITY FEATURES:
+ * 1. Memory isolation (64MB default limit per agent)
+ * 2. CPU time limits (10s default, fuel metering)
+ * 3. Capability-based access control
+ * 4. Proxied scope for safe KG operations
+ * 5. Full execution trace for audit compliance
+ *
+ * ENTERPRISE USE CASES:
+ * - Fraud detection agents with restricted write access
+ * - Compliance agents with read-only KG access
+ * - Multi-tenant environments with isolated execution
+ */
+
+const http = require('http')
+
+const KGDB_ENDPOINT = process.env.KGDB_ENDPOINT || 'http://localhost:30080'
+
+// =====================================================================
+// CAPABILITY MODEL - Mirrors Rust sandbox.rs
+// =====================================================================
+
+/**
+ * Capability enum matching rust-kgdb sandbox
+ * @see crates/hypermind-runtime/src/sandbox.rs
+ */
+const Capability = {
+  ReadKG: 'ReadKG',           // SPARQL SELECT/CONSTRUCT
+  WriteKG: 'WriteKG',         // SPARQL INSERT/DELETE
+  ExecuteTool: 'ExecuteTool', // Execute morphism tools
+  SpawnAgent: 'SpawnAgent',   // Spawn sub-agents
+  HttpAccess: 'HttpAccess',   // External HTTP APIs
+  FileRead: 'FileRead',       // Filesystem read (restricted)
+  FileWrite: 'FileWrite',     // Filesystem write (restricted)
+}
+
+/**
+ * Sandbox configuration
+ */
+function createSandboxConfig(overrides = {}) {
+  return {
+    maxMemoryBytes: 64 * 1024 * 1024,        // 64MB default
+    maxExecutionTime: 10000,                  // 10s in ms
+    capabilities: new Set([
+      Capability.ReadKG,
+      Capability.ExecuteTool
+    ]),
+    fuelLimit: 10_000_000,                   // ~10M operations
+    ...overrides
+  }
+}
+
+// =====================================================================
+// AGENT PROFILES - Enterprise Security Templates
+// =====================================================================
+
+/**
+ * Fraud Detection Agent - Read KG, Execute Tools, NO Write
+ * Use case: Analyze transactions for circular patterns without modifying data
+ */
+const FRAUD_DETECTOR_PROFILE = {
+  name: 'fraud-detector',
+  description: 'Analyzes knowledge graph for fraud patterns',
+  config: createSandboxConfig({
+    capabilities: new Set([
+      Capability.ReadKG,
+      Capability.ExecuteTool
+    ]),
+    maxMemoryBytes: 128 * 1024 * 1024,  // 128MB for complex queries
+    maxExecutionTime: 30000              // 30s for deep analysis
+  }),
+  allowedQueries: [
+    'SPARQL SELECT',
+    'SPARQL CONSTRUCT'
+  ],
+  blockedOperations: [
+    'INSERT',
+    'DELETE',
+    'DROP',
+    'CLEAR'
+  ]
+}
+
+/**
+ * Compliance Agent - Read-only, External HTTP for reporting
+ */
+const COMPLIANCE_AGENT_PROFILE = {
+  name: 'compliance-checker',
+  description: 'Validates regulatory compliance without modifications',
+  config: createSandboxConfig({
+    capabilities: new Set([
+      Capability.ReadKG,
+      Capability.HttpAccess  // For sending reports
+    ]),
+    maxMemoryBytes: 64 * 1024 * 1024,
+    maxExecutionTime: 60000   // 60s for comprehensive checks
+  })
+}
+
+/**
+ * Admin Agent - Full access (use with caution)
+ */
+const ADMIN_AGENT_PROFILE = {
+  name: 'admin-agent',
+  description: 'Full administrative access - requires explicit authorization',
+  config: createSandboxConfig({
+    capabilities: new Set([
+      Capability.ReadKG,
+      Capability.WriteKG,
+      Capability.ExecuteTool,
+      Capability.SpawnAgent,
+      Capability.HttpAccess
+    ]),
+    maxMemoryBytes: 256 * 1024 * 1024,
+    fuelLimit: 100_000_000    // 100M operations
+  })
+}
+
+// =====================================================================
+// SANDBOX EXECUTION SIMULATION
+// =====================================================================
+
+/**
+ * Simulated sandbox execution with capability checking
+ */
+class SecureAgentSandbox {
+  constructor(profile) {
+    this.profile = profile
+    this.config = profile.config
+    this.trace = []
+    this.fuelConsumed = 0
+    this.memoryUsed = 0
+  }
+
+  /**
+   * Check if capability is granted
+   */
+  hasCapability(cap) {
+    return this.config.capabilities.has(cap)
+  }
+
+  /**
+   * Execute SPARQL query with capability check
+   */
+  async kgQuery(sparql) {
+    // Check capability
+    if (!this.hasCapability(Capability.ReadKG)) {
+      const error = `CAPABILITY_DENIED: ${this.profile.name} lacks ReadKG capability`
+      this.trace.push({ type: 'error', message: error })
+      throw new Error(error)
+    }
+
+    // Check for blocked operations
+    if (this.profile.blockedOperations) {
+      for (const blocked of this.profile.blockedOperations) {
+        if (sparql.toUpperCase().includes(blocked)) {
+          const error = `OPERATION_BLOCKED: ${blocked} not allowed for ${this.profile.name}`
+          this.trace.push({ type: 'error', message: error })
+          throw new Error(error)
+        }
+      }
+    }
+
+    // Simulate fuel consumption
+    this.fuelConsumed += sparql.length * 100  // ~100 fuel per char
+    if (this.config.fuelLimit && this.fuelConsumed > this.config.fuelLimit) {
+      throw new Error('FUEL_EXHAUSTED: Execution limit exceeded')
+    }
+
+    // Record trace
+    this.trace.push({
+      type: 'kg_query',
+      timestamp: new Date().toISOString(),
+      query: sparql.substring(0, 100) + (sparql.length > 100 ? '...' : ''),
+      fuelUsed: sparql.length * 100
+    })
+
+    // Execute actual query
+    return executeSparql(sparql)
+  }
+
+  /**
+   * Execute SPARQL update with capability check
+   */
+  async kgInsert(updateSparql) {
+    if (!this.hasCapability(Capability.WriteKG)) {
+      const error = `CAPABILITY_DENIED: ${this.profile.name} lacks WriteKG capability`
+      this.trace.push({ type: 'error', message: error })
+      throw new Error(error)
+    }
+
+    this.trace.push({
+      type: 'kg_insert',
+      timestamp: new Date().toISOString(),
+      update: updateSparql.substring(0, 100) + '...'
+    })
+
+    // Would execute actual insert in production
+    return { success: true, triplesInserted: 0 }
+  }
+
+  /**
+   * Get execution trace for audit
+   */
+  getTrace() {
+    return {
+      agent: this.profile.name,
+      capabilities: Array.from(this.config.capabilities),
+      fuelConsumed: this.fuelConsumed,
+      fuelLimit: this.config.fuelLimit,
+      memoryUsed: this.memoryUsed,
+      entries: this.trace
+    }
+  }
+}
+
+// =====================================================================
+// HTTP UTILITIES
+// =====================================================================
+
+function executeSparql(query) {
+  return new Promise((resolve, reject) => {
+    const url = new URL(KGDB_ENDPOINT)
+    const options = {
+      hostname: url.hostname,
+      port: url.port || 80,
+      path: '/dataset/query',
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/sparql-query',
+        'Accept': 'application/json'
+      }
+    }
+
+    const req = http.request(options, (res) => {
+      let data = ''
+      res.on('data', chunk => data += chunk)
+      res.on('end', () => {
+        try {
+          if (res.statusCode >= 400) {
+            reject(new Error(`HTTP ${res.statusCode}: ${data}`))
+          } else {
+            resolve(JSON.parse(data))
+          }
+        } catch (e) {
+          resolve({ raw: data })
+        }
+      })
+    })
+
+    req.on('error', reject)
+    req.write(query)
+    req.end()
+  })
+}
+
+// =====================================================================
+// DEMO SCENARIOS
+// =====================================================================
+
+async function demoFraudDetectorAgent() {
+  console.log('\n' + '='.repeat(70))
+  console.log('DEMO 1: Fraud Detection Agent (Read-Only)')
+  console.log('='.repeat(70))
+
+  const sandbox = new SecureAgentSandbox(FRAUD_DETECTOR_PROFILE)
+
+  console.log('\nAgent Profile:')
+  console.log(`  Name: ${sandbox.profile.name}`)
+  console.log(`  Capabilities: ${Array.from(sandbox.config.capabilities).join(', ')}`)
+  console.log(`  Memory Limit: ${sandbox.config.maxMemoryBytes / 1024 / 1024}MB`)
+  console.log(`  Fuel Limit: ${sandbox.config.fuelLimit.toLocaleString()} operations`)
+
+  // Test 1: Allowed read query
+  console.log('\n[TEST 1] Execute allowed SELECT query:')
+  try {
+    const result = await sandbox.kgQuery(`
+      SELECT ?prof ?course WHERE {
+        ?prof <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://swat.cse.lehigh.edu/onto/univ-bench.owl#Professor> .
+        ?prof <http://swat.cse.lehigh.edu/onto/univ-bench.owl#teacherOf> ?course .
+      } LIMIT 5
+    `)
+    console.log('  SUCCESS: Query executed')
+    console.log(`  Results: ${result.results?.bindings?.length || 0} rows`)
+  } catch (e) {
+    console.log(`  ERROR: ${e.message}`)
+  }
+
+  // Test 2: Blocked INSERT attempt
+  console.log('\n[TEST 2] Attempt blocked INSERT operation:')
+  try {
+    await sandbox.kgQuery(`
+      INSERT DATA { <http://example.org/test> <http://example.org/p> "malicious" }
+    `)
+    console.log('  ERROR: Should have been blocked!')
+  } catch (e) {
+    console.log(`  BLOCKED: ${e.message}`)
+  }
+
+  // Test 3: Attempt write capability
+  console.log('\n[TEST 3] Attempt kgInsert without WriteKG capability:')
+  try {
+    await sandbox.kgInsert('INSERT DATA { <http://test> <http://p> "value" }')
+    console.log('  ERROR: Should have been denied!')
+  } catch (e) {
+    console.log(`  DENIED: ${e.message}`)
+  }
+
+  // Print audit trace
+  console.log('\n[AUDIT TRACE]')
+  const trace = sandbox.getTrace()
+  console.log(JSON.stringify(trace, null, 2))
+
+  return trace
+}
+
+async function demoCapabilityEscalation() {
+  console.log('\n' + '='.repeat(70))
+  console.log('DEMO 2: Capability Escalation Prevention')
+  console.log('='.repeat(70))
+
+  const sandbox = new SecureAgentSandbox(COMPLIANCE_AGENT_PROFILE)
+
+  console.log('\nAgent Profile:')
+  console.log(`  Name: ${sandbox.profile.name}`)
+  console.log(`  Capabilities: ${Array.from(sandbox.config.capabilities).join(', ')}`)
+
+  // Test: Try to spawn sub-agent without capability
+  console.log('\n[TEST] Attempt to use SpawnAgent capability:')
+  if (!sandbox.hasCapability(Capability.SpawnAgent)) {
+    console.log('  DENIED: Agent cannot spawn sub-agents')
+  }
+
+  // Test: Try to execute tool without capability
+  console.log('\n[TEST] Attempt to use ExecuteTool capability:')
+  if (!sandbox.hasCapability(Capability.ExecuteTool)) {
+    console.log('  DENIED: Agent cannot execute morphism tools')
+  }
+}
+
+async function demoResourceLimits() {
+  console.log('\n' + '='.repeat(70))
+  console.log('DEMO 3: Resource Limit Enforcement')
+  console.log('='.repeat(70))
+
+  // Create sandbox with very low fuel limit
+  const restrictedProfile = {
+    name: 'restricted-agent',
+    description: 'Agent with very low resource limits',
+    config: createSandboxConfig({
+      fuelLimit: 1000,  // Very low limit
+      capabilities: new Set([Capability.ReadKG])
+    })
+  }
+
+  const sandbox = new SecureAgentSandbox(restrictedProfile)
+
+  console.log('\nAgent Profile:')
+  console.log(`  Fuel Limit: ${sandbox.config.fuelLimit} operations (very low)`)
+
+  // Execute queries until fuel exhausted
+  console.log('\n[TEST] Execute queries until fuel exhausted:')
+  let queryCount = 0
+  while (sandbox.fuelConsumed < sandbox.config.fuelLimit + 5000) {
+    queryCount++
+    try {
+      await sandbox.kgQuery(`SELECT * WHERE { ?s ?p ?o } LIMIT 1`)
+      console.log(`  Query ${queryCount}: OK (fuel: ${sandbox.fuelConsumed})`)
+    } catch (e) {
+      if (e.message.includes('FUEL_EXHAUSTED')) {
+        console.log(`  Query ${queryCount}: FUEL_EXHAUSTED after ${sandbox.fuelConsumed} operations`)
+        break
+      }
+      // Network errors are OK for demo
+      queryCount++
+    }
+    if (queryCount > 5) break  // Safety limit for demo
+  }
+}
+
+async function demoSecurityComparison() {
+  console.log('\n' + '='.repeat(70))
+  console.log('SECURITY MODEL COMPARISON')
+  console.log('='.repeat(70))
+
+  console.log(`
+| Feature                    | HyperMind WASM    | LangChain   | AutoGPT     |
+|----------------------------|-------------------|-------------|-------------|
+| Memory Isolation           | YES (wasmtime)    | NO          | NO          |
+| CPU Time Limits            | YES (fuel meter)  | NO          | NO          |
+| Capability-Based Access    | YES (7 caps)      | NO          | NO          |
+| Execution Trace/Audit      | YES (full)        | Partial     | NO          |
+| Multi-tenant Safe          | YES               | NO          | NO          |
+| Secure by Default          | YES               | NO          | NO          |
+
+HyperMind Security Model (crates/hypermind-runtime/src/sandbox.rs):
+
+  Capabilities:
+    - ReadKG:      SPARQL SELECT/CONSTRUCT only
+    - WriteKG:     SPARQL INSERT/DELETE (requires explicit grant)
+    - ExecuteTool: Run morphism tools (validated type contracts)
+    - SpawnAgent:  Create sub-agents (controlled hierarchy)
+    - HttpAccess:  External API calls (audit logged)
+    - FileRead:    Restricted filesystem read
+    - FileWrite:   Restricted filesystem write
+
+  Limits (configurable per agent):
+    - Memory: 64MB default (wasmtime linear memory)
+    - CPU: 10s default (fuel metering ~10M operations)
+    - Operations: All proxied through host imports
+
+  Host Imports (WASM can only call these):
+    - kg_query(ptr, len) -> i32
+    - kg_insert(ptr, len) -> i32
+    - tool_call(tool_ptr, tool_len, input_ptr, input_len) -> i32
+    - log(ptr, len)
+`)
+}
+
+// =====================================================================
+// MAIN
+// =====================================================================
+
+async function main() {
+  console.log('='.repeat(70))
+  console.log('HyperMind WASM Sandbox Security Demo')
+  console.log('Enterprise-Grade Agent Isolation')
+  console.log('='.repeat(70))
+  console.log(`\nKGDB Endpoint: ${KGDB_ENDPOINT}`)
+
+  await demoSecurityComparison()
+
+  try {
+    await demoFraudDetectorAgent()
+  } catch (e) {
+    console.log(`\nNote: KGDB connection failed (expected if cluster not running)`)
+    console.log(`Error: ${e.message}`)
+  }
+
+  await demoCapabilityEscalation()
+  await demoResourceLimits()
+
+  console.log('\n' + '='.repeat(70))
+  console.log('CONCLUSION: HyperMind WASM Sandbox')
+  console.log('='.repeat(70))
+  console.log(`
+Enterprise Security Benefits:
+
+1. COMPLIANCE: Full audit trail of all agent operations
+2. ISOLATION: Each agent runs in isolated WASM memory
+3. CONTROL: Fine-grained capability-based access control
+4. LIMITS: Configurable memory and CPU constraints
+5. SAFETY: Secure-by-default with opt-in permissions
+
+This is the ONLY agent framework with mathematical security guarantees
+backed by WebAssembly runtime isolation.
+
+Implementation: crates/hypermind-runtime/src/sandbox.rs
+Build: cargo build -p hypermind-runtime --features wasm-sandbox
+`)
+}
+
+main().catch(console.error)