Phase 2: Implement Execution Environment Abstraction (v0.3.0)
This commit implements Phase 2 of the CHORUS Task Execution Engine development plan, providing a comprehensive execution environment abstraction layer with Docker container sandboxing support. ## New Features ### Core Sandbox Interface - Comprehensive ExecutionSandbox interface with isolated task execution - Support for command execution, file I/O, environment management - Resource usage monitoring and sandbox lifecycle management - Standardized error handling with SandboxError types and categories ### Docker Container Sandbox Implementation - Full Docker API integration with secure container creation - Transparent repository mounting with configurable read/write access - Advanced security policies with capability dropping and privilege controls - Comprehensive resource limits (CPU, memory, disk, processes, file handles) - Support for tmpfs mounts, masked paths, and read-only bind mounts - Container lifecycle management with proper cleanup and health monitoring ### Security & Resource Management - Configurable security policies with SELinux, AppArmor, and Seccomp support - Fine-grained capability management with secure defaults - Network isolation options with configurable DNS and proxy settings - Resource monitoring with real-time CPU, memory, and network usage tracking - Comprehensive ulimits configuration for process and file handle limits ### Repository Integration - Seamless repository mounting from local paths to container workspaces - Git configuration support with user credentials and global settings - File inclusion/exclusion patterns for selective repository access - Configurable permissions and ownership for mounted repositories ### Testing Infrastructure - Comprehensive test suite with 60+ test cases covering all functionality - Docker integration tests with Alpine Linux containers (skipped in short mode) - Mock sandbox implementation for unit testing without Docker dependencies - Security policy validation tests with read-only filesystem enforcement - Resource usage monitoring and cleanup verification tests ## Technical Details ### Dependencies Added - github.com/docker/docker v28.4.0+incompatible - Docker API client - github.com/docker/go-connections v0.6.0 - Docker connection utilities - github.com/docker/go-units v0.5.0 - Docker units and formatting - Associated Docker API dependencies for complete container management ### Architecture - Interface-driven design enabling multiple sandbox implementations - Comprehensive configuration structures for all sandbox aspects - Resource usage tracking with detailed metrics collection - Error handling with retryable error classification - Proper cleanup and resource management throughout sandbox lifecycle ### Compatibility - Maintains backward compatibility with existing CHORUS architecture - Designed for future integration with Phase 3 Core Task Execution Engine - Extensible design supporting additional sandbox implementations (VM, process) This Phase 2 implementation provides the foundation for secure, isolated task execution that will be integrated with the AI model providers from Phase 1 in the upcoming Phase 3 development. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
anthonyrawlins
105
vendor/modules.txt
vendored
105
vendor/modules.txt
vendored
@@ -5,6 +5,13 @@ filippo.io/age/armor
|
||||
filippo.io/age/internal/bech32
|
||||
filippo.io/age/internal/format
|
||||
filippo.io/age/internal/stream
|
||||
# github.com/Microsoft/go-winio v0.6.2
|
||||
## explicit; go 1.21
|
||||
github.com/Microsoft/go-winio
|
||||
github.com/Microsoft/go-winio/internal/fs
|
||||
github.com/Microsoft/go-winio/internal/socket
|
||||
github.com/Microsoft/go-winio/internal/stringbuffer
|
||||
github.com/Microsoft/go-winio/pkg/guid
|
||||
# github.com/RoaringBitmap/roaring/v2 v2.4.5
|
||||
## explicit; go 1.15
|
||||
github.com/RoaringBitmap/roaring/v2
|
||||
@@ -130,6 +137,13 @@ github.com/chorus-services/backbeat/pkg/sdk
|
||||
## explicit; go 1.17
|
||||
github.com/containerd/cgroups
|
||||
github.com/containerd/cgroups/stats/v1
|
||||
# github.com/containerd/errdefs v1.0.0
|
||||
## explicit; go 1.20
|
||||
github.com/containerd/errdefs
|
||||
# github.com/containerd/errdefs/pkg v0.3.0
|
||||
## explicit; go 1.22
|
||||
github.com/containerd/errdefs/pkg/errhttp
|
||||
github.com/containerd/errdefs/pkg/internal/cause
|
||||
# github.com/coreos/go-systemd/v22 v22.5.0
|
||||
## explicit; go 1.12
|
||||
github.com/coreos/go-systemd/v22/dbus
|
||||
@@ -146,6 +160,38 @@ github.com/decred/dcrd/dcrec/secp256k1/v4/ecdsa
|
||||
# github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f
|
||||
## explicit
|
||||
github.com/dgryski/go-rendezvous
|
||||
# github.com/distribution/reference v0.6.0
|
||||
## explicit; go 1.20
|
||||
github.com/distribution/reference
|
||||
# github.com/docker/docker v28.4.0+incompatible
|
||||
## explicit
|
||||
github.com/docker/docker/api
|
||||
github.com/docker/docker/api/types
|
||||
github.com/docker/docker/api/types/blkiodev
|
||||
github.com/docker/docker/api/types/build
|
||||
github.com/docker/docker/api/types/checkpoint
|
||||
github.com/docker/docker/api/types/common
|
||||
github.com/docker/docker/api/types/container
|
||||
github.com/docker/docker/api/types/events
|
||||
github.com/docker/docker/api/types/filters
|
||||
github.com/docker/docker/api/types/image
|
||||
github.com/docker/docker/api/types/mount
|
||||
github.com/docker/docker/api/types/network
|
||||
github.com/docker/docker/api/types/registry
|
||||
github.com/docker/docker/api/types/storage
|
||||
github.com/docker/docker/api/types/strslice
|
||||
github.com/docker/docker/api/types/swarm
|
||||
github.com/docker/docker/api/types/swarm/runtime
|
||||
github.com/docker/docker/api/types/system
|
||||
github.com/docker/docker/api/types/time
|
||||
github.com/docker/docker/api/types/versions
|
||||
github.com/docker/docker/api/types/volume
|
||||
github.com/docker/docker/client
|
||||
# github.com/docker/go-connections v0.6.0
|
||||
## explicit; go 1.18
|
||||
github.com/docker/go-connections/nat
|
||||
github.com/docker/go-connections/sockets
|
||||
github.com/docker/go-connections/tlsconfig
|
||||
# github.com/docker/go-units v0.5.0
|
||||
## explicit
|
||||
github.com/docker/go-units
|
||||
@@ -153,14 +199,17 @@ github.com/docker/go-units
|
||||
## explicit; go 1.14
|
||||
github.com/elastic/gosigar
|
||||
github.com/elastic/gosigar/sys/windows
|
||||
# github.com/felixge/httpsnoop v1.0.4
|
||||
## explicit; go 1.13
|
||||
github.com/felixge/httpsnoop
|
||||
# github.com/flynn/noise v1.0.0
|
||||
## explicit; go 1.16
|
||||
github.com/flynn/noise
|
||||
# github.com/francoispqt/gojay v1.2.13
|
||||
## explicit; go 1.12
|
||||
github.com/francoispqt/gojay
|
||||
# github.com/go-logr/logr v1.2.4
|
||||
## explicit; go 1.16
|
||||
# github.com/go-logr/logr v1.4.3
|
||||
## explicit; go 1.18
|
||||
github.com/go-logr/logr
|
||||
github.com/go-logr/logr/funcr
|
||||
# github.com/go-logr/stdr v1.2.2
|
||||
@@ -451,6 +500,9 @@ github.com/mikioh/tcpopt
|
||||
# github.com/minio/sha256-simd v1.0.1
|
||||
## explicit; go 1.17
|
||||
github.com/minio/sha256-simd
|
||||
# github.com/moby/docker-image-spec v1.3.1
|
||||
## explicit; go 1.18
|
||||
github.com/moby/docker-image-spec/specs-go/v1
|
||||
# github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
|
||||
## explicit
|
||||
github.com/modern-go/concurrent
|
||||
@@ -532,6 +584,13 @@ github.com/onsi/ginkgo/v2/internal/interrupt_handler
|
||||
github.com/onsi/ginkgo/v2/internal/parallel_support
|
||||
github.com/onsi/ginkgo/v2/reporters
|
||||
github.com/onsi/ginkgo/v2/types
|
||||
# github.com/opencontainers/go-digest v1.0.0
|
||||
## explicit; go 1.13
|
||||
github.com/opencontainers/go-digest
|
||||
# github.com/opencontainers/image-spec v1.1.1
|
||||
## explicit; go 1.18
|
||||
github.com/opencontainers/image-spec/specs-go
|
||||
github.com/opencontainers/image-spec/specs-go/v1
|
||||
# github.com/opencontainers/runtime-spec v1.1.0
|
||||
## explicit
|
||||
github.com/opencontainers/runtime-spec/specs-go
|
||||
@@ -620,7 +679,7 @@ github.com/sony/gobreaker
|
||||
# github.com/spaolacci/murmur3 v1.1.0
|
||||
## explicit
|
||||
github.com/spaolacci/murmur3
|
||||
# github.com/stretchr/testify v1.10.0
|
||||
# github.com/stretchr/testify v1.11.1
|
||||
## explicit; go 1.17
|
||||
github.com/stretchr/testify/assert
|
||||
github.com/stretchr/testify/assert/yaml
|
||||
@@ -659,24 +718,39 @@ go.opencensus.io/stats
|
||||
go.opencensus.io/stats/internal
|
||||
go.opencensus.io/stats/view
|
||||
go.opencensus.io/tag
|
||||
# go.opentelemetry.io/otel v1.16.0
|
||||
## explicit; go 1.19
|
||||
# go.opentelemetry.io/auto/sdk v1.1.0
|
||||
## explicit; go 1.22.0
|
||||
go.opentelemetry.io/auto/sdk
|
||||
go.opentelemetry.io/auto/sdk/internal/telemetry
|
||||
# go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0
|
||||
## explicit; go 1.23.0
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv
|
||||
# go.opentelemetry.io/otel v1.38.0
|
||||
## explicit; go 1.23.0
|
||||
go.opentelemetry.io/otel
|
||||
go.opentelemetry.io/otel/attribute
|
||||
go.opentelemetry.io/otel/attribute/internal
|
||||
go.opentelemetry.io/otel/baggage
|
||||
go.opentelemetry.io/otel/codes
|
||||
go.opentelemetry.io/otel/internal
|
||||
go.opentelemetry.io/otel/internal/attribute
|
||||
go.opentelemetry.io/otel/internal/baggage
|
||||
go.opentelemetry.io/otel/internal/global
|
||||
go.opentelemetry.io/otel/propagation
|
||||
# go.opentelemetry.io/otel/metric v1.16.0
|
||||
## explicit; go 1.19
|
||||
go.opentelemetry.io/otel/semconv/v1.26.0
|
||||
go.opentelemetry.io/otel/semconv/v1.37.0
|
||||
go.opentelemetry.io/otel/semconv/v1.37.0/httpconv
|
||||
# go.opentelemetry.io/otel/metric v1.38.0
|
||||
## explicit; go 1.23.0
|
||||
go.opentelemetry.io/otel/metric
|
||||
go.opentelemetry.io/otel/metric/embedded
|
||||
# go.opentelemetry.io/otel/trace v1.16.0
|
||||
## explicit; go 1.19
|
||||
go.opentelemetry.io/otel/metric/noop
|
||||
# go.opentelemetry.io/otel/trace v1.38.0
|
||||
## explicit; go 1.23.0
|
||||
go.opentelemetry.io/otel/trace
|
||||
go.opentelemetry.io/otel/trace/embedded
|
||||
go.opentelemetry.io/otel/trace/internal/telemetry
|
||||
go.opentelemetry.io/otel/trace/noop
|
||||
# go.uber.org/dig v1.17.1
|
||||
## explicit; go 1.20
|
||||
go.uber.org/dig
|
||||
@@ -758,8 +832,8 @@ golang.org/x/net/route
|
||||
# golang.org/x/sync v0.10.0
|
||||
## explicit; go 1.18
|
||||
golang.org/x/sync/errgroup
|
||||
# golang.org/x/sys v0.29.0
|
||||
## explicit; go 1.18
|
||||
# golang.org/x/sys v0.35.0
|
||||
## explicit; go 1.23.0
|
||||
golang.org/x/sys/cpu
|
||||
golang.org/x/sys/unix
|
||||
golang.org/x/sys/windows
|
||||
@@ -800,8 +874,8 @@ gonum.org/v1/gonum/mathext
|
||||
gonum.org/v1/gonum/mathext/internal/amos
|
||||
gonum.org/v1/gonum/mathext/internal/cephes
|
||||
gonum.org/v1/gonum/mathext/internal/gonum
|
||||
# google.golang.org/protobuf v1.33.0
|
||||
## explicit; go 1.17
|
||||
# google.golang.org/protobuf v1.34.2
|
||||
## explicit; go 1.20
|
||||
google.golang.org/protobuf/cmd/protoc-gen-go
|
||||
google.golang.org/protobuf/cmd/protoc-gen-go/internal_gengo
|
||||
google.golang.org/protobuf/compiler/protogen
|
||||
@@ -812,6 +886,7 @@ google.golang.org/protobuf/internal/descfmt
|
||||
google.golang.org/protobuf/internal/descopts
|
||||
google.golang.org/protobuf/internal/detrand
|
||||
google.golang.org/protobuf/internal/editiondefaults
|
||||
google.golang.org/protobuf/internal/editionssupport
|
||||
google.golang.org/protobuf/internal/encoding/defval
|
||||
google.golang.org/protobuf/internal/encoding/messageset
|
||||
google.golang.org/protobuf/internal/encoding/tag
|
||||
|
||||
Reference in New Issue
Block a user