dag-isolation-manager

type IsolationLevel = 'strict' | 'moderate' | 'permissive';

interface IsolationProfile {
  level: IsolationLevel;
  description: string;
  permissions: PermissionMatrix;
  resourceLimits: ResourceLimits;
  sandboxConfig: SandboxConfig;
}

const ISOLATION_PROFILES: Record<IsolationLevel, IsolationProfile> = {
  strict: {
    level: 'strict',
    description: 'Maximum isolation for untrusted or sensitive operations',
    permissions: STRICT_PERMISSIONS,
    resourceLimits: STRICT_LIMITS,
    sandboxConfig: STRICT_SANDBOX,
  },
  moderate: {
    level: 'moderate',
    description: 'Balanced isolation for typical operations',
    permissions: MODERATE_PERMISSIONS,
    resourceLimits: MODERATE_LIMITS,
    sandboxConfig: MODERATE_SANDBOX,
  },
  permissive: {
    level: 'permissive',
    description: 'Minimal isolation for trusted operations',
    permissions: PERMISSIVE_PERMISSIONS,
    resourceLimits: PERMISSIVE_LIMITS,
    sandboxConfig: PERMISSIVE_SANDBOX,
  },
};

const STRICT_PERMISSIONS: PermissionMatrix = {
  coreTools: {
    read: true,      // Read-only access
    write: false,    // No writing
    edit: false,     // No editing
    glob: true,      // Can search files
    grep: true,      // Can search content
    task: false,     // Cannot spawn sub-agents
    webFetch: false, // No network
    webSearch: false,
    todoWrite: false,
  },
  bash: {
    enabled: false,  // No bash access
    allowedPatterns: [],
    deniedPatterns: ['.*'],
    sandboxed: true,
  },
  fileSystem: {
    readPatterns: ['/tmp/sandbox/**'],  // Very limited
    writePatterns: [],
    denyPatterns: ['**'],
  },
  mcpTools: {
    allowed: [],
    denied: ['*:*'],
  },
  network: {
    enabled: false,
    allowedDomains: [],
    denyDomains: ['*'],
  },
  models: {
    allowed: ['haiku'],  // Only cheapest model
    preferredForSpawning: 'haiku',
  },
};

const STRICT_LIMITS: ResourceLimits = {
  maxTurns: 5,
  maxTokensPerTurn: 2000,
  maxTotalTokens: 10000,
  timeoutMs: 30000,
  maxConcurrentOperations: 1,
};

const STRICT_SANDBOX: SandboxConfig = {
  enabled: true,
  tempDirectory: '/tmp/sandbox',
  cleanupOnExit: true,
  networkIsolation: true,
  processIsolation: true,
};

const MODERATE_PERMISSIONS: PermissionMatrix = {
  coreTools: {
    read: true,
    write: true,
    edit: true,
    glob: true,
    grep: true,
    task: true,       // Can spawn with restrictions
    webFetch: true,
    webSearch: true,
    todoWrite: true,
  },
  bash: {
    enabled: true,
    allowedPatterns: [
      '^(npm|yarn|pnpm)\\s+',      // Package managers
      '^git\\s+',                   // Git operations
      '^(cat|head|tail|less)\\s+', // Read operations
      '^ls\\s+',                    // List files
    ],
    deniedPatterns: [
      'rm\\s+-rf',                  // Dangerous deletions
      'sudo\\s+',                   // Privilege escalation
      'curl.*\\|.*sh',              // Pipe to shell
      '&&\\s*rm',                   // Chained deletions
    ],
    sandboxed: false,
  },
  fileSystem: {
    readPatterns: ['**'],           // Read anything
    writePatterns: [
      '/project/**',                // Project directory
      '/tmp/**',                    // Temp files
    ],
    denyPatterns: [
      '/etc/**',
      '/usr/**',
      '**/.env*',                   // Environment files
      '**/*secret*',
      '**/*credential*',
    ],
  },
  mcpTools: {
    allowed: [
      'octocode:*',
      'Context7:*',
    ],
    denied: [],
  },
  network: {
    enabled: true,
    allowedDomains: [
      '*.github.com',
      '*.githubusercontent.com',
      '*.npmjs.org',
      '*.pypi.org',
    ],
    denyDomains: [],
  },
  models: {
    allowed: ['haiku', 'sonnet'],
    preferredForSpawning: 'haiku',
  },
};

const MODERATE_LIMITS: ResourceLimits = {
  maxTurns: 20,
  maxTokensPerTurn: 8000,
  maxTotalTokens: 100000,
  timeoutMs: 120000,
  maxConcurrentOperations: 3,
};

const PERMISSIVE_PERMISSIONS: PermissionMatrix = {
  coreTools: {
    read: true,
    write: true,
    edit: true,
    glob: true,
    grep: true,
    task: true,
    webFetch: true,
    webSearch: true,
    todoWrite: true,
  },
  bash: {
    enabled: true,
    allowedPatterns: ['.*'],  // Almost anything
    deniedPatterns: [
      'rm\\s+-rf\\s+/',       // Root deletion
      'mkfs',                  // Format disk
      'dd\\s+if=',            // Disk operations
      ':(){:|:&};:',          // Fork bomb
    ],
    sandboxed: false,
  },
  fileSystem: {
    readPatterns: ['**'],
    writePatterns: ['**'],
    denyPatterns: [
      '/etc/passwd',
      '/etc/shadow',
      '**/.ssh/**',
    ],
  },
  mcpTools: {
    allowed: ['*:*'],
    denied: [],
  },
  network: {
    enabled: true,
    allowedDomains: ['*'],
    denyDomains: [],
  },
  models: {
    allowed: ['haiku', 'sonnet', 'opus'],
    preferredForSpawning: 'sonnet',
  },
};

const PERMISSIVE_LIMITS: ResourceLimits = {
  maxTurns: 100,
  maxTokensPerTurn: 32000,
  maxTotalTokens: 500000,
  timeoutMs: 600000,
  maxConcurrentOperations: 10,
};

interface IsolationRequest {
  taskType: string;
  trustLevel: 'low' | 'medium' | 'high';
  dataSensitivity: 'public' | 'internal' | 'confidential';
  networkRequired: boolean;
  fileWriteRequired: boolean;
}

function selectIsolationLevel(request: IsolationRequest): IsolationLevel {
  // High sensitivity data always gets strict
  if (request.dataSensitivity === 'confidential') {
    return 'strict';
  }

  // Low trust always gets strict or moderate
  if (request.trustLevel === 'low') {
    return request.networkRequired ? 'strict' : 'moderate';
  }

  // Internal data with medium trust
  if (request.dataSensitivity === 'internal') {
    return 'moderate';
  }

  // High trust with public data
  if (request.trustLevel === 'high' && request.dataSensitivity === 'public') {
    return 'permissive';
  }

  // Default to moderate
  return 'moderate';
}

interface SandboxConfig {
  enabled: boolean;
  tempDirectory: string;
  cleanupOnExit: boolean;
  networkIsolation: boolean;
  processIsolation: boolean;
  mountPoints?: MountPoint[];
}

interface MountPoint {
  source: string;
  target: string;
  readOnly: boolean;
}

function configureSandbox(
  isolation: IsolationLevel,
  taskId: string
): SandboxConfig {
  const baseConfig = ISOLATION_PROFILES[isolation].sandboxConfig;

  return {
    ...baseConfig,
    tempDirectory: `/tmp/dag-sandbox/${taskId}`,
    mountPoints: [
      {
        source: '/project',
        target: '/sandbox/project',
        readOnly: isolation === 'strict',
      },
    ],
  };
}

function validateIsolationInheritance(
  parentLevel: IsolationLevel,
  childLevel: IsolationLevel
): boolean {
  const hierarchy: Record<IsolationLevel, number> = {
    strict: 3,
    moderate: 2,
    permissive: 1,
  };

  // Child must be equal or more restrictive
  return hierarchy[childLevel] >= hierarchy[parentLevel];
}

function getMaxAllowedChildIsolation(
  parentLevel: IsolationLevel
): IsolationLevel[] {
  switch (parentLevel) {
    case 'strict':
      return ['strict'];
    case 'moderate':
      return ['strict', 'moderate'];
    case 'permissive':
      return ['strict', 'moderate', 'permissive'];
  }
}

isolationReport:
  agentId: data-processor
  isolationLevel: moderate

  profile:
    description: "Balanced isolation for typical operations"

    permissions:
      coreTools:
        read: true
        write: true
        task: true (with restrictions)
      bash: "Limited to safe commands"
      fileSystem: "Project and temp directories"
      network: "Whitelisted domains only"

    resourceLimits:
      maxTurns: 20
      maxTotalTokens: 100000
      timeoutMs: 120000

    sandbox:
      enabled: false
      networkIsolation: false

  childAgentConstraints:
    allowedLevels: [strict, moderate]
    inheritedDenyPatterns: true

  effectivePermissions:
    # Merged parent + isolation profile
    # ... detailed permission dump ...