Phase 2: Implement Execution Environment Abstraction (v0.3.0)

This commit implements Phase 2 of the CHORUS Task Execution Engine development plan, providing a comprehensive execution environment abstraction layer with Docker container sandboxing support. ## New Features ### Core Sandbox Interface - Comprehensive ExecutionSandbox interface with isolated task execution - Support for command execution, file I/O, environment management - Resource usage monitoring and sandbox lifecycle management - Standardized error handling with SandboxError types and categories ### Docker Container Sandbox Implementation - Full Docker API integration with secure container creation - Transparent repository mounting with configurable read/write access - Advanced security policies with capability dropping and privilege controls - Comprehensive resource limits (CPU, memory, disk, processes, file handles) - Support for tmpfs mounts, masked paths, and read-only bind mounts - Container lifecycle management with proper cleanup and health monitoring ### Security & Resource Management - Configurable security policies with SELinux, AppArmor, and Seccomp support - Fine-grained capability management with secure defaults - Network isolation options with configurable DNS and proxy settings - Resource monitoring with real-time CPU, memory, and network usage tracking - Comprehensive ulimits configuration for process and file handle limits ### Repository Integration - Seamless repository mounting from local paths to container workspaces - Git configuration support with user credentials and global settings - File inclusion/exclusion patterns for selective repository access - Configurable permissions and ownership for mounted repositories ### Testing Infrastructure - Comprehensive test suite with 60+ test cases covering all functionality - Docker integration tests with Alpine Linux containers (skipped in short mode) - Mock sandbox implementation for unit testing without Docker dependencies - Security policy validation tests with read-only filesystem enforcement - Resource usage monitoring and cleanup verification tests ## Technical Details ### Dependencies Added - github.com/docker/docker v28.4.0+incompatible - Docker API client - github.com/docker/go-connections v0.6.0 - Docker connection utilities - github.com/docker/go-units v0.5.0 - Docker units and formatting - Associated Docker API dependencies for complete container management ### Architecture - Interface-driven design enabling multiple sandbox implementations - Comprehensive configuration structures for all sandbox aspects - Resource usage tracking with detailed metrics collection - Error handling with retryable error classification - Proper cleanup and resource management throughout sandbox lifecycle ### Compatibility - Maintains backward compatibility with existing CHORUS architecture - Designed for future integration with Phase 3 Core Task Execution Engine - Extensible design supporting additional sandbox implementations (VM, process) This Phase 2 implementation provides the foundation for secure, isolated task execution that will be integrated with the AI model providers from Phase 1 in the upcoming Phase 3 development. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-25 14:28:08 +10:00
parent d1252ade69
commit 8d9b62daf3
653 changed files with 88039 additions and 3766 deletions
--- a/vendor/google.golang.org/protobuf/cmd/protoc-gen-go/internal_gengo/main.go
+++ b/vendor/google.golang.org/protobuf/cmd/protoc-gen-go/internal_gengo/main.go
@@ -17,6 +17,7 @@ import (
 	"unicode/utf8"

 	"google.golang.org/protobuf/compiler/protogen"
+	"google.golang.org/protobuf/internal/editionssupport"
 	"google.golang.org/protobuf/internal/encoding/tag"
 	"google.golang.org/protobuf/internal/filedesc"
 	"google.golang.org/protobuf/internal/genid"
@@ -29,7 +30,10 @@ import (
 )

 // SupportedFeatures reports the set of supported protobuf language features.
-var SupportedFeatures = uint64(pluginpb.CodeGeneratorResponse_FEATURE_PROTO3_OPTIONAL)
+var SupportedFeatures = uint64(pluginpb.CodeGeneratorResponse_FEATURE_PROTO3_OPTIONAL | pluginpb.CodeGeneratorResponse_FEATURE_SUPPORTS_EDITIONS)
+
+var SupportedEditionsMinimum = editionssupport.Minimum
+var SupportedEditionsMaximum = editionssupport.Maximum

 // GenerateVersionMarkers specifies whether to generate version markers.
 var GenerateVersionMarkers = true
@@ -227,7 +231,7 @@ func genImport(gen *protogen.Plugin, g *protogen.GeneratedFile, f *fileInfo, imp

 func genEnum(g *protogen.GeneratedFile, f *fileInfo, e *enumInfo) {
 	// Enum type declaration.
-	g.Annotate(e.GoIdent.GoName, e.Location)
+	g.AnnotateSymbol(e.GoIdent.GoName, protogen.Annotation{Location: e.Location})
 	leadingComments := appendDeprecationSuffix(e.Comments.Leading,
 		e.Desc.ParentFile(),
 		e.Desc.Options().(*descriptorpb.EnumOptions).GetDeprecated())
@@ -237,7 +241,7 @@ func genEnum(g *protogen.GeneratedFile, f *fileInfo, e *enumInfo) {
 	// Enum value constants.
 	g.P("const (")
 	for _, value := range e.Values {
-		g.Annotate(value.GoIdent.GoName, value.Location)
+		g.AnnotateSymbol(value.GoIdent.GoName, protogen.Annotation{Location: value.Location})
 		leadingComments := appendDeprecationSuffix(value.Comments.Leading,
 			value.Desc.ParentFile(),
 			value.Desc.Options().(*descriptorpb.EnumValueOptions).GetDeprecated())
@@ -289,11 +293,11 @@ func genEnum(g *protogen.GeneratedFile, f *fileInfo, e *enumInfo) {
 	genEnumReflectMethods(g, f, e)

 	// UnmarshalJSON method.
-	needsUnmarshalJSONMethod := e.genJSONMethod && e.Desc.Syntax() == protoreflect.Proto2
-	if fde, ok := e.Desc.(*filedesc.Enum); ok && fde.L1.EditionFeatures.GenerateLegacyUnmarshalJSON {
-		needsUnmarshalJSONMethod = true
+	needsUnmarshalJSONMethod := false
+	if fde, ok := e.Desc.(*filedesc.Enum); ok {
+		needsUnmarshalJSONMethod = fde.L1.EditionFeatures.GenerateLegacyUnmarshalJSON
 	}
-	if needsUnmarshalJSONMethod {
+	if e.genJSONMethod && needsUnmarshalJSONMethod {
 		g.P("// Deprecated: Do not use.")
 		g.P("func (x *", e.GoIdent, ") UnmarshalJSON(b []byte) error {")
 		g.P("num, err := ", protoimplPackage.Ident("X"), ".UnmarshalJSONEnum(x.Descriptor(), b)")
@@ -327,7 +331,7 @@ func genMessage(g *protogen.GeneratedFile, f *fileInfo, m *messageInfo) {
 	}

 	// Message type declaration.
-	g.Annotate(m.GoIdent.GoName, m.Location)
+	g.AnnotateSymbol(m.GoIdent.GoName, protogen.Annotation{Location: m.Location})
 	leadingComments := appendDeprecationSuffix(m.Comments.Leading,
 		m.Desc.ParentFile(),
 		m.Desc.Options().(*descriptorpb.MessageOptions).GetDeprecated())
@@ -388,7 +392,7 @@ func genMessageField(g *protogen.GeneratedFile, f *fileInfo, m *messageInfo, fie
 			tags = append(tags, gotrackTags...)
 		}

-		g.Annotate(m.GoIdent.GoName+"."+oneof.GoName, oneof.Location)
+		g.AnnotateSymbol(m.GoIdent.GoName+"."+oneof.GoName, protogen.Annotation{Location: oneof.Location})
 		leadingComments := oneof.Comments.Leading
 		if leadingComments != "" {
 			leadingComments += "\n"
@@ -427,7 +431,7 @@ func genMessageField(g *protogen.GeneratedFile, f *fileInfo, m *messageInfo, fie
 	if field.Desc.IsWeak() {
 		name = genid.WeakFieldPrefix_goname + name
 	}
-	g.Annotate(m.GoIdent.GoName+"."+name, field.Location)
+	g.AnnotateSymbol(m.GoIdent.GoName+"."+name, protogen.Annotation{Location: field.Location})
 	leadingComments := appendDeprecationSuffix(field.Comments.Leading,
 		field.Desc.ParentFile(),
 		field.Desc.Options().(*descriptorpb.FieldOptions).GetDeprecated())
@@ -555,7 +559,7 @@ func genMessageGetterMethods(g *protogen.GeneratedFile, f *fileInfo, m *messageI

 		// Getter for parent oneof.
 		if oneof := field.Oneof; oneof != nil && oneof.Fields[0] == field && !oneof.Desc.IsSynthetic() {
-			g.Annotate(m.GoIdent.GoName+".Get"+oneof.GoName, oneof.Location)
+			g.AnnotateSymbol(m.GoIdent.GoName+".Get"+oneof.GoName, protogen.Annotation{Location: oneof.Location})
 			g.P("func (m *", m.GoIdent.GoName, ") Get", oneof.GoName, "() ", oneofInterfaceName(oneof), " {")
 			g.P("if m != nil {")
 			g.P("return m.", oneof.GoName)
@@ -568,7 +572,7 @@ func genMessageGetterMethods(g *protogen.GeneratedFile, f *fileInfo, m *messageI
 		// Getter for message field.
 		goType, pointer := fieldGoType(g, f, field)
 		defaultValue := fieldDefaultValue(g, f, m, field)
-		g.Annotate(m.GoIdent.GoName+".Get"+field.GoName, field.Location)
+		g.AnnotateSymbol(m.GoIdent.GoName+".Get"+field.GoName, protogen.Annotation{Location: field.Location})
 		leadingComments := appendDeprecationSuffix("",
 			field.Desc.ParentFile(),
 			field.Desc.Options().(*descriptorpb.FieldOptions).GetDeprecated())
@@ -811,8 +815,8 @@ func genMessageOneofWrapperTypes(g *protogen.GeneratedFile, f *fileInfo, m *mess
 		g.P("}")
 		g.P()
 		for _, field := range oneof.Fields {
-			g.Annotate(field.GoIdent.GoName, field.Location)
-			g.Annotate(field.GoIdent.GoName+"."+field.GoName, field.Location)
+			g.AnnotateSymbol(field.GoIdent.GoName, protogen.Annotation{Location: field.Location})
+			g.AnnotateSymbol(field.GoIdent.GoName+"."+field.GoName, protogen.Annotation{Location: field.Location})
 			g.P("type ", field.GoIdent, " struct {")
 			goType, _ := fieldGoType(g, f, field)
 			tags := structTags{
--- a/vendor/google.golang.org/protobuf/cmd/protoc-gen-go/internal_gengo/reflect.go
+++ b/vendor/google.golang.org/protobuf/cmd/protoc-gen-go/internal_gengo/reflect.go
@@ -132,7 +132,7 @@ func genReflectFileDescriptor(gen *protogen.Plugin, g *protogen.GeneratedFile, f
 		panic("too many dependencies") // sanity check
 	}

-	g.P("var ", goTypesVarName(f), " = []interface{}{")
+	g.P("var ", goTypesVarName(f), " = []any{")
 	for _, s := range goTypes {
 		g.P(s)
 	}
@@ -170,7 +170,7 @@ func genReflectFileDescriptor(gen *protogen.Plugin, g *protogen.GeneratedFile, f
 				idx := f.allMessagesByPtr[message]
 				typesVar := messageTypesVarName(f)

-				g.P(typesVar, "[", idx, "].Exporter = func(v interface{}, i int) interface{} {")
+				g.P(typesVar, "[", idx, "].Exporter = func(v any, i int) any {")
 				g.P("switch v := v.(*", message.GoIdent, "); i {")
 				for i := 0; i < sf.count; i++ {
 					if name := sf.unexported[i]; name != "" {
@@ -191,7 +191,7 @@ func genReflectFileDescriptor(gen *protogen.Plugin, g *protogen.GeneratedFile, f
 				typesVar := messageTypesVarName(f)

 				// Associate the wrapper types by directly passing them to the MessageInfo.
-				g.P(typesVar, "[", idx, "].OneofWrappers = []interface{} {")
+				g.P(typesVar, "[", idx, "].OneofWrappers = []any {")
 				for _, oneof := range message.Oneofs {
 					if !oneof.Desc.IsSynthetic() {
 						for _, field := range oneof.Fields {
--- a/vendor/google.golang.org/protobuf/cmd/protoc-gen-go/internal_gengo/well_known_types.go
+++ b/vendor/google.golang.org/protobuf/cmd/protoc-gen-go/internal_gengo/well_known_types.go
@@ -213,11 +213,11 @@ func genPackageKnownComment(f *fileInfo) protogen.Comments {
 The standard Go "encoding/json" package has functionality to serialize
 arbitrary types to a large degree. The Value.AsInterface, Struct.AsMap, and
 ListValue.AsSlice methods can convert the protobuf message representation into
- a form represented by interface{}, map[string]interface{}, and []interface{}.
+ a form represented by any, map[string]any, and []any.
 This form can be used with other packages that operate on such data structures
 and also directly with the standard json package.

- In order to convert the interface{}, map[string]interface{}, and []interface{}
+ In order to convert the any, map[string]any, and []any
 forms back as Value, Struct, and ListValue messages, use the NewStruct,
 NewList, and NewValue constructor functions.

@@ -252,28 +252,28 @@ func genPackageKnownComment(f *fileInfo) protogen.Comments {

 To construct a Value message representing the above JSON object:

-	m, err := structpb.NewValue(map[string]interface{}{
+	m, err := structpb.NewValue(map[string]any{
 		"firstName": "John",
 		"lastName":  "Smith",
 		"isAlive":   true,
 		"age":       27,
-		"address": map[string]interface{}{
+		"address": map[string]any{
 			"streetAddress": "21 2nd Street",
 			"city":          "New York",
 			"state":         "NY",
 			"postalCode":    "10021-3100",
 		},
-		"phoneNumbers": []interface{}{
-			map[string]interface{}{
+		"phoneNumbers": []any{
+			map[string]any{
 				"type":   "home",
 				"number": "212 555-1234",
 			},
-			map[string]interface{}{
+			map[string]any{
 				"type":   "office",
 				"number": "646 555-4567",
 			},
 		},
-		"children": []interface{}{},
+		"children": []any{},
 		"spouse":   nil,
 	})
 	if err != nil {
@@ -634,7 +634,7 @@ func genMessageKnownFunctions(g *protogen.GeneratedFile, f *fileInfo, m *message
 		g.P("// NewStruct constructs a Struct from a general-purpose Go map.")
 		g.P("// The map keys must be valid UTF-8.")
 		g.P("// The map values are converted using NewValue.")
-		g.P("func NewStruct(v map[string]interface{}) (*Struct, error) {")
+		g.P("func NewStruct(v map[string]any) (*Struct, error) {")
 		g.P("	x := &Struct{Fields: make(map[string]*Value, len(v))}")
 		g.P("	for k, v := range v {")
 		g.P("		if !", utf8Package.Ident("ValidString"), "(k) {")
@@ -652,9 +652,9 @@ func genMessageKnownFunctions(g *protogen.GeneratedFile, f *fileInfo, m *message

 		g.P("// AsMap converts x to a general-purpose Go map.")
 		g.P("// The map values are converted by calling Value.AsInterface.")
-		g.P("func (x *Struct) AsMap() map[string]interface{} {")
+		g.P("func (x *Struct) AsMap() map[string]any {")
 		g.P("	f := x.GetFields()")
-		g.P("	vs := make(map[string]interface{}, len(f))")
+		g.P("	vs := make(map[string]any, len(f))")
 		g.P("	for k, v := range f {")
 		g.P("		vs[k] = v.AsInterface()")
 		g.P("	}")
@@ -675,7 +675,7 @@ func genMessageKnownFunctions(g *protogen.GeneratedFile, f *fileInfo, m *message
 	case genid.ListValue_message_fullname:
 		g.P("// NewList constructs a ListValue from a general-purpose Go slice.")
 		g.P("// The slice elements are converted using NewValue.")
-		g.P("func NewList(v []interface{}) (*ListValue, error) {")
+		g.P("func NewList(v []any) (*ListValue, error) {")
 		g.P("	x := &ListValue{Values: make([]*Value, len(v))}")
 		g.P("	for i, v := range v {")
 		g.P("		var err error")
@@ -690,9 +690,9 @@ func genMessageKnownFunctions(g *protogen.GeneratedFile, f *fileInfo, m *message

 		g.P("// AsSlice converts x to a general-purpose Go slice.")
 		g.P("// The slice elements are converted by calling Value.AsInterface.")
-		g.P("func (x *ListValue) AsSlice() []interface{} {")
+		g.P("func (x *ListValue) AsSlice() []any {")
 		g.P("	vals := x.GetValues()")
-		g.P("	vs := make([]interface{}, len(vals))")
+		g.P("	vs := make([]any, len(vals))")
 		g.P("	for i, v := range vals {")
 		g.P("		vs[i] = v.AsInterface()")
 		g.P("	}")
@@ -723,13 +723,13 @@ func genMessageKnownFunctions(g *protogen.GeneratedFile, f *fileInfo, m *message
 		g.P("//	║ float32, float64       │ stored as NumberValue                      ║")
 		g.P("//	║ string                 │ stored as StringValue; must be valid UTF-8 ║")
 		g.P("//	║ []byte                 │ stored as StringValue; base64-encoded      ║")
-		g.P("//	║ map[string]interface{} │ stored as StructValue                      ║")
-		g.P("//	║ []interface{}          │ stored as ListValue                        ║")
+		g.P("//	║ map[string]any         │ stored as StructValue                      ║")
+		g.P("//	║ []any                  │ stored as ListValue                        ║")
 		g.P("//	╚════════════════════════╧════════════════════════════════════════════╝")
 		g.P("//")
 		g.P("// When converting an int64 or uint64 to a NumberValue, numeric precision loss")
 		g.P("// is possible since they are stored as a float64.")
-		g.P("func NewValue(v interface{}) (*Value, error) {")
+		g.P("func NewValue(v any) (*Value, error) {")
 		g.P("	switch v := v.(type) {")
 		g.P("	case nil:")
 		g.P("		return NewNullValue(), nil")
@@ -759,13 +759,13 @@ func genMessageKnownFunctions(g *protogen.GeneratedFile, f *fileInfo, m *message
 		g.P("	case []byte:")
 		g.P("		s := ", base64Package.Ident("StdEncoding"), ".EncodeToString(v)")
 		g.P("		return NewStringValue(s), nil")
-		g.P("	case map[string]interface{}:")
+		g.P("	case map[string]any:")
 		g.P("		v2, err := NewStruct(v)")
 		g.P("		if err != nil {")
 		g.P("			return nil, err")
 		g.P("		}")
 		g.P("		return NewStructValue(v2), nil")
-		g.P("	case []interface{}:")
+		g.P("	case []any:")
 		g.P("		v2, err := NewList(v)")
 		g.P("		if err != nil {")
 		g.P("			return nil, err")
@@ -820,7 +820,7 @@ func genMessageKnownFunctions(g *protogen.GeneratedFile, f *fileInfo, m *message
 		g.P("//")
 		g.P("// Floating-point values (i.e., \"NaN\", \"Infinity\", and \"-Infinity\") are")
 		g.P("// converted as strings to remain compatible with MarshalJSON.")
-		g.P("func (x *Value) AsInterface() interface{} {")
+		g.P("func (x *Value) AsInterface() any {")
 		g.P("	switch v := x.GetKind().(type) {")
 		g.P("	case *Value_NumberValue:")
 		g.P("		if v != nil {")
--- a/vendor/google.golang.org/protobuf/cmd/protoc-gen-go/main.go
+++ b/vendor/google.golang.org/protobuf/cmd/protoc-gen-go/main.go
@@ -51,6 +51,8 @@ func main() {
 			}
 		}
 		gen.SupportedFeatures = gengo.SupportedFeatures
+		gen.SupportedEditionsMinimum = gengo.SupportedEditionsMinimum
+		gen.SupportedEditionsMaximum = gengo.SupportedEditionsMaximum
 		return nil
 	})
 }