tony/CHORUS
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9dbd361cafec332f0bb55ff3b9eddc23f36d2bdb
CHORUS/vendor/google.golang.org/protobuf/internal/impl/checkinit.go
anthonyrawlins 8d9b62daf3 Phase 2: Implement Execution Environment Abstraction (v0.3.0) 
This commit implements Phase 2 of the CHORUS Task Execution Engine development plan,
providing a comprehensive execution environment abstraction layer with Docker
container sandboxing support.

## New Features

### Core Sandbox Interface
- Comprehensive ExecutionSandbox interface with isolated task execution
- Support for command execution, file I/O, environment management
- Resource usage monitoring and sandbox lifecycle management
- Standardized error handling with SandboxError types and categories

### Docker Container Sandbox Implementation
- Full Docker API integration with secure container creation
- Transparent repository mounting with configurable read/write access
- Advanced security policies with capability dropping and privilege controls
- Comprehensive resource limits (CPU, memory, disk, processes, file handles)
- Support for tmpfs mounts, masked paths, and read-only bind mounts
- Container lifecycle management with proper cleanup and health monitoring

### Security & Resource Management
- Configurable security policies with SELinux, AppArmor, and Seccomp support
- Fine-grained capability management with secure defaults
- Network isolation options with configurable DNS and proxy settings
- Resource monitoring with real-time CPU, memory, and network usage tracking
- Comprehensive ulimits configuration for process and file handle limits

### Repository Integration
- Seamless repository mounting from local paths to container workspaces
- Git configuration support with user credentials and global settings
- File inclusion/exclusion patterns for selective repository access
- Configurable permissions and ownership for mounted repositories

### Testing Infrastructure
- Comprehensive test suite with 60+ test cases covering all functionality
- Docker integration tests with Alpine Linux containers (skipped in short mode)
- Mock sandbox implementation for unit testing without Docker dependencies
- Security policy validation tests with read-only filesystem enforcement
- Resource usage monitoring and cleanup verification tests

## Technical Details

### Dependencies Added
- github.com/docker/docker v28.4.0+incompatible - Docker API client
- github.com/docker/go-connections v0.6.0 - Docker connection utilities
- github.com/docker/go-units v0.5.0 - Docker units and formatting
- Associated Docker API dependencies for complete container management

### Architecture
- Interface-driven design enabling multiple sandbox implementations
- Comprehensive configuration structures for all sandbox aspects
- Resource usage tracking with detailed metrics collection
- Error handling with retryable error classification
- Proper cleanup and resource management throughout sandbox lifecycle

### Compatibility
- Maintains backward compatibility with existing CHORUS architecture
- Designed for future integration with Phase 3 Core Task Execution Engine
- Extensible design supporting additional sandbox implementations (VM, process)

This Phase 2 implementation provides the foundation for secure, isolated task
execution that will be integrated with the AI model providers from Phase 1
in the upcoming Phase 3 development.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-25 14:28:08 +10:00

142 lines
3.5 KiB
Go
Raw Blame History

// Copyright 2019 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package impl
import (
"sync"
"google.golang.org/protobuf/internal/errors"
"google.golang.org/protobuf/reflect/protoreflect"
"google.golang.org/protobuf/runtime/protoiface"
)
func (mi *MessageInfo) checkInitialized(in protoiface.CheckInitializedInput) (protoiface.CheckInitializedOutput, error) {
var p pointer
if ms, ok := in.Message.(*messageState); ok {
p = ms.pointer()
} else {
p = in.Message.(*messageReflectWrapper).pointer()
}
return protoiface.CheckInitializedOutput{}, mi.checkInitializedPointer(p)
}
func (mi *MessageInfo) checkInitializedPointer(p pointer) error {
mi.init()
if !mi.needsInitCheck {
return nil
}
if p.IsNil() {
for _, f := range mi.orderedCoderFields {
if f.isRequired {
return errors.RequiredNotSet(string(mi.Desc.Fields().ByNumber(f.num).FullName()))
}
}
return nil
}
if mi.extensionOffset.IsValid() {
e := p.Apply(mi.extensionOffset).Extensions()
if err := mi.isInitExtensions(e); err != nil {
return err
}
}
for _, f := range mi.orderedCoderFields {
if !f.isRequired && f.funcs.isInit == nil {
continue
}
fptr := p.Apply(f.offset)
if f.isPointer && fptr.Elem().IsNil() {
if f.isRequired {
return errors.RequiredNotSet(string(mi.Desc.Fields().ByNumber(f.num).FullName()))
}
continue
}
if f.funcs.isInit == nil {
continue
}
if err := f.funcs.isInit(fptr, f); err != nil {
return err
}
}
return nil
}
func (mi *MessageInfo) isInitExtensions(ext *map[int32]ExtensionField) error {
if ext == nil {
return nil
}
for _, x := range *ext {
ei := getExtensionFieldInfo(x.Type())
if ei.funcs.isInit == nil || x.isUnexpandedLazy() {
continue
}
v := x.Value()
if !v.IsValid() {
continue
}
if err := ei.funcs.isInit(v); err != nil {
return err
}
}
return nil
}
var (
needsInitCheckMu sync.Mutex
needsInitCheckMap sync.Map
)
// needsInitCheck reports whether a message needs to be checked for partial initialization.
//
// It returns true if the message transitively includes any required or extension fields.
func needsInitCheck(md protoreflect.MessageDescriptor) bool {
if v, ok := needsInitCheckMap.Load(md); ok {
if has, ok := v.(bool); ok {
return has
}
}
needsInitCheckMu.Lock()
defer needsInitCheckMu.Unlock()
return needsInitCheckLocked(md)
}
func needsInitCheckLocked(md protoreflect.MessageDescriptor) (has bool) {
if v, ok := needsInitCheckMap.Load(md); ok {
// If has is true, we've previously determined that this message
// needs init checks.
//
// If has is false, we've previously determined that it can never
// be uninitialized.
//
// If has is not a bool, we've just encountered a cycle in the
// message graph. In this case, it is safe to return false: If
// the message does have required fields, we'll detect them later
// in the graph traversal.
has, ok := v.(bool)
return ok && has
}
needsInitCheckMap.Store(md, struct{}{}) // avoid cycles while descending into this message
defer func() {
needsInitCheckMap.Store(md, has)
}()
if md.RequiredNumbers().Len() > 0 {
return true
}
if md.ExtensionRanges().Len() > 0 {
return true
}
for i := 0; i < md.Fields().Len(); i++ {
fd := md.Fields().Get(i)
// Map keys are never messages, so just consider the map value.
if fd.IsMap() {
fd = fd.MapValue()
}
fmd := fd.Message()
if fmd != nil && needsInitCheckLocked(fmd) {
return true
}
}
return false
}
Reference in New Issue View Git Blame Copy Permalink