Security Hardening: Docker Sandboxing & Network Policy Enforcement

[proffesor-for-testing]

Security Hardening: Docker Sandboxing & Network Policy Enforcement

Overview

Extracted from: #51 (MCP Server Performance Optimization - Phase 3)
Priority: P2 - Medium
Type: Security & Infrastructure

These items were deferred from the original MCP optimization epic. They focus on security hardening rather than performance optimization.

---

📋 Tasks

SP-1: Docker-Based Agent Sandboxing

Goal: Implement actual process isolation with resource limits enforced by cgroups.

Current State:

• Generic Dockerfile exists for deployment
• No agent-specific sandboxing
• No resource limit enforcement

Required Implementation:

1. Create infrastructure/sandbox-manager.ts:

interface SandboxConfig {
  cpuLimit: number;      // CPU cores (e.g., 2)
  memoryLimit: string;   // Memory limit (e.g., "2g")
  diskLimit: string;     // Disk quota (e.g., "512m")
  networkMode: 'isolated' | 'whitelisted' | 'host';
  allowedDomains?: string[];
}

class SandboxManager {
  async createSandbox(agentId: string, config: SandboxConfig): Promise<Container>;
  async destroySandbox(containerId: string): Promise<void>;
  async getResourceUsage(containerId: string): Promise<ResourceStats>;
}

2. Create sandboxes/agent.Dockerfile:

FROM node:18-alpine
# Read-only root filesystem
# Non-root user
# Resource limits via Docker HostConfig

3. Agent-specific resource profiles:

const AGENT_PROFILES = {
  'qe-test-generator': { cpu: 2, memory: '2g', disk: '512m' },
  'qe-coverage-analyzer': { cpu: 1, memory: '1g', disk: '256m' },
  'qe-security-scanner': { cpu: 2, memory: '4g', disk: '1g' },
};

Success Criteria:

• Zero OOM crashes (enforced by cgroup)
• 100% process isolation (enforced by Docker)
• CPU/Memory limits verified via docker stats
• SOC2 compliance readiness

---

SP-2: Dedicated Embedding Cache

Goal: Standalone embedding cache with 24-hour TTL for semantic search optimization.

Current State:

• CachedHNSWVectorMemory.ts provides integrated caching
• No standalone embedding cache as originally specified

Required Implementation:

Create utils/embedding-cache.ts:

interface EmbeddingCacheConfig {
  maxSize: number;        // Max cached embeddings (e.g., 10000)
  ttlMs: number;          // TTL in milliseconds (e.g., 86400000 = 24h)
  storageBackend: 'memory' | 'redis' | 'sqlite';
}

class EmbeddingCache {
  async get(contentHash: string): Promise<number[] | null>;
  async set(contentHash: string, embedding: number[]): Promise<void>;
  async getStats(): Promise<CacheStats>;
  async prune(): Promise<number>; // Returns pruned count
}

Success Criteria:

• 80-90% cache hit rate for repeated searches
• Embedding latency: 500ms → 50ms on cache hit
• Memory usage: <100MB for 10K embeddings
• 24-hour TTL expiration working

---

SP-3: Network Policy Enforcement

Goal: Agent-specific network access control with domain whitelisting and rate limiting.

Required Implementation:

Create infrastructure/network-policy.ts:

interface NetworkPolicy {
  agentType: string;
  allowedDomains: string[];
  rateLimit: {
    requestsPerMinute: number;
    requestsPerHour: number;
  };
  auditLogging: boolean;
}

const NETWORK_POLICIES: Record<string, NetworkPolicy> = {
  'qe-test-generator': {
    allowedDomains: ['api.anthropic.com', 'registry.npmjs.org'],
    rateLimit: { requestsPerMinute: 60, requestsPerHour: 1000 },
    auditLogging: true
  },
  'qe-coverage-analyzer': {
    allowedDomains: ['api.anthropic.com'],
    rateLimit: { requestsPerMinute: 30, requestsPerHour: 500 },
    auditLogging: true
  },
  'default': {
    allowedDomains: ['api.anthropic.com'],
    rateLimit: { requestsPerMinute: 10, requestsPerHour: 100 },
    auditLogging: true
  }
};

Success Criteria:

• 100% network request auditing
• 0 unauthorized domain requests blocked
• Rate limit violations logged and blocked
• Audit logs include: timestamp, agent, domain, allowed/blocked

---

📚 References

• Original Epic: [EPIC] MCP Server Performance Optimization - 3 Month Implementation #51 (closed as substantially complete)
• Implementation Plan: docs/planning/mcp-improvement-plan-revised.md (SP-1, SP-2, SP-3 sections)
• Docker Resource Limits: https://docs.docker.com/config/containers/resource_constraints/

---

🎯 Acceptance Criteria

• All three components implemented with tests
• Documentation for security configurations
• Integration with existing agent lifecycle
• No regression in existing functionality

---

Created: 2025-12-16
Extracted From: #51 Phase 3

[proffesor-for-testing]

📊 Implementation Status Analysis (v2.8.1)

Analyzed: 2026-01-05 | Current Version: v2.8.1

---

SP-1: Docker-Based Agent Sandboxing

Status: ❌ NOT STARTED

No SandboxManager class or cgroups enforcement exists. Docker references in codebase are only for C4 diagram generation (parsing docker-compose for architecture visualization), not agent sandboxing.

Remaining Work: Full implementation required as specified.

---

SP-2: Dedicated Embedding Cache

Status: ⚠️ PARTIALLY IMPLEMENTED (~60%)

src/code-intelligence/embeddings/EmbeddingCache.ts now exists:

Requirement	Status
Content hash-based deduplication (SHA-256)	✅ Done
LRU eviction policy	✅ Done
Cache statistics tracking	✅ Done
`evictOlderThan()` method	✅ Done
Export/import for persistence	✅ Done
Batch operations	✅ Done
Memory backend	✅ Done
Redis backend	❌ Missing
SQLite backend	❌ Missing
Default 24h TTL auto-pruning	❌ Missing

Remaining Work:

• Add Redis storage backend adapter
• Add SQLite storage backend adapter
• Implement automatic TTL-based pruning (24-hour default)
• Add backend factory pattern for configuration

---

SP-3: Network Policy Enforcement

Status: ⚠️ PARTIALLY IMPLEMENTED (~40%)

src/edge/p2p/protocol/ProtocolHandler.ts provides foundation:

Requirement	Status
Token bucket rate limiting	✅ Done
Burst size configuration	✅ Done
Messages per second limit	✅ Done
Bytes per second limit	✅ Done
Rate limit status API	✅ Done
Per-agent-type rate limits	❌ Missing
Domain whitelisting	❌ Missing
Comprehensive audit logging	❌ Missing
Agent-specific policies	❌ Missing

Existing Implementation Reference: src/edge/p2p/protocol/ProtocolHandler.ts:920-978

Remaining Work:

• Create NetworkPolicyManager with agent-type-specific policies
• Implement domain whitelist enforcement layer
• Add audit logging for all network requests
• Integrate with existing rate limiter

---

🔄 Context Since Issue Creation

Major additions in v2.8.0 and v2.8.1 that provide foundation:

1. P2P Security Infrastructure (src/edge/p2p/)

   • Ed25519 cryptographic identity
   • WebRTC with STUN/TURN
   • CRDT-based conflict resolution
   • Message signing/verification

2. Supabase Cloud Persistence

   • Row-Level Security policies
   • Vector similarity search

3. Nervous System Integration

   • BTSP learning, HDC memory, Circadian controller

---

📋 Recommended Priority Adjustment

Task	Original	Suggested	Rationale
SP-1	P2	P1	Only unstarted task, critical for SOC2
SP-2	P2	P2	60% done, incremental work
SP-3	P2	P2	Foundation exists, needs agent integration

---

Next: Detailed GOAP implementation plan being created at docs/plans/GOAP-SECURITY-HARDENING.md

[proffesor-for-testing]

📋 Implementation Plan Created

Document: docs/plans/GOAP-SECURITY-HARDENING.md

Plan Summary

Phase 1: SP-1 Docker-Based Agent Sandboxing (P1)

• Milestone 1.1: SandboxManager Core - SandboxManager class with Docker SDK
• Milestone 1.2: Agent Dockerfile - Secure container with non-root user
• Milestone 1.3: Integration - BaseAgent sandbox support + CLI commands

Phase 2: SP-2 Embedding Cache Completion (P2)

• Milestone 2.1: Storage Backend Abstraction - Interface for pluggable backends
• Milestone 2.2: Redis Backend - With 24h TTL auto-expiration
• Milestone 2.3: SQLite Backend - Persistent local cache
• Milestone 2.4: Cache Factory & Auto-Pruning

Phase 3: SP-3 Network Policy Enforcement (P2)

• Milestone 3.1: NetworkPolicyManager Core - Agent-type policies
• Milestone 3.2: Domain Whitelist Enforcement - HTTP interceptor
• Milestone 3.3: Audit Logging - Full request auditing
• Milestone 3.4: Integration with P2P Protocol

New Dependencies Required

{
  "dockerode": "^4.0.0",
  "ioredis": "^5.3.0", 
  "better-sqlite3": "^9.0.0"
}

Success Metrics

Metric	Target
OOM crashes	0
Cache hit rate	80-90%
Latency improvement	10x (500→50ms)
Audit coverage	100%
Rate limit accuracy	99%+

---

Ready for implementation. Should this be broken into sub-issues?