dag-isolation-manager

1. Isolation Level Configuration

• Define strict, moderate, and permissive profiles
• Configure resource limits per isolation level
• Manage isolation inheritance rules

2. Sandbox Management

• Configure execution sandboxes
• Manage temporary file systems
• Isolate network access

3. Resource Boundary Control

• Set memory and token limits
• Configure execution time bounds
• Manage concurrent operation limits

4. Trust-Based Configuration

• Assign trust levels to agents
• Configure permissions based on trust
• Handle privilege escalation requests

```typescript

type IsolationLevel = 'strict' | 'moderate' | 'permissive';

interface IsolationProfile {

level: IsolationLevel;

description: string;

permissions: PermissionMatrix;

resourceLimits: ResourceLimits;

sandboxConfig: SandboxConfig;

}

const ISOLATION_PROFILES: Record = {

strict: {

level: 'strict',

description: 'Maximum isolation for untrusted or sensitive operations',

permissions: STRICT_PERMISSIONS,

resourceLimits: STRICT_LIMITS,

sandboxConfig: STRICT_SANDBOX,

},

moderate: {

level: 'moderate',

description: 'Balanced isolation for typical operations',

permissions: MODERATE_PERMISSIONS,

resourceLimits: MODERATE_LIMITS,

sandboxConfig: MODERATE_SANDBOX,

},

permissive: {

level: 'permissive',

description: 'Minimal isolation for trusted operations',

permissions: PERMISSIVE_PERMISSIONS,

resourceLimits: PERMISSIVE_LIMITS,

sandboxConfig: PERMISSIVE_SANDBOX,

},

};

```

Strict Isolation

```typescript

const STRICT_PERMISSIONS: PermissionMatrix = {

coreTools: {

read: true, // Read-only access

write: false, // No writing

edit: false, // No editing

glob: true, // Can search files

grep: true, // Can search content

task: false, // Cannot spawn sub-agents

webFetch: false, // No network

webSearch: false,

todoWrite: false,

},

bash: {

enabled: false, // No bash access

allowedPatterns: [],

deniedPatterns: ['.*'],

sandboxed: true,

},

fileSystem: {

readPatterns: ['/tmp/sandbox/**'], // Very limited

writePatterns: [],

denyPatterns: ['**'],

},

mcpTools: {

allowed: [],

denied: [':'],

},

network: {

enabled: false,

allowedDomains: [],

denyDomains: ['*'],

},

models: {

allowed: ['haiku'], // Only cheapest model

preferredForSpawning: 'haiku',

},

};

const STRICT_LIMITS: ResourceLimits = {

maxTurns: 5,

maxTokensPerTurn: 2000,

maxTotalTokens: 10000,

timeoutMs: 30000,

maxConcurrentOperations: 1,

};

const STRICT_SANDBOX: SandboxConfig = {

enabled: true,

tempDirectory: '/tmp/sandbox',

cleanupOnExit: true,

networkIsolation: true,

processIsolation: true,

};

```

Moderate Isolation

```typescript

const MODERATE_PERMISSIONS: PermissionMatrix = {

coreTools: {

read: true,

write: true,

edit: true,

glob: true,

grep: true,

task: true, // Can spawn with restrictions

webFetch: true,

webSearch: true,

todoWrite: true,

},

bash: {

enabled: true,

allowedPatterns: [

'^(npm|yarn|pnpm)\\s+', // Package managers

'^git\\s+', // Git operations

'^(cat|head|tail|less)\\s+', // Read operations

'^ls\\s+', // List files

],

deniedPatterns: [

'rm\\s+-rf', // Dangerous deletions

'sudo\\s+', // Privilege escalation

'curl.\\|.sh', // Pipe to shell

'&&\\s*rm', // Chained deletions

],

sandboxed: false,

},

fileSystem: {

readPatterns: ['**'], // Read anything

writePatterns: [

'/project/**', // Project directory

'/tmp/**', // Temp files

],

denyPatterns: [

'/etc/**',

'/usr/**',

'*/.env', // Environment files

'*/secret*',

'*/credential*',

],

},

mcpTools: {

allowed: [

'octocode:*',

'Context7:*',

],

denied: [],

},

network: {

enabled: true,

allowedDomains: [

'*.github.com',

'*.githubusercontent.com',

'*.npmjs.org',

'*.pypi.org',

],

denyDomains: [],

},

models: {

allowed: ['haiku', 'sonnet'],

preferredForSpawning: 'haiku',

},

};

const MODERATE_LIMITS: ResourceLimits = {

maxTurns: 20,

maxTokensPerTurn: 8000,

maxTotalTokens: 100000,

timeoutMs: 120000,

maxConcurrentOperations: 3,

};

```

Permissive Isolation

```typescript

const PERMISSIVE_PERMISSIONS: PermissionMatrix = {

coreTools: {

read: true,

write: true,

edit: true,

glob: true,

grep: true,

task: true,

webFetch: true,

webSearch: true,

todoWrite: true,

},

bash: {

enabled: true,

allowedPatterns: ['.*'], // Almost anything

deniedPatterns: [

'rm\\s+-rf\\s+/', // Root deletion

'mkfs', // Format disk

'dd\\s+if=', // Disk operations

':(){:|:&};:', // Fork bomb

],

sandboxed: false,

},

fileSystem: {

readPatterns: ['**'],

writePatterns: ['**'],

denyPatterns: [

'/etc/passwd',

'/etc/shadow',

'/.ssh/',

],

},

mcpTools: {

allowed: [':'],

denied: [],

},

network: {

enabled: true,

allowedDomains: ['*'],

denyDomains: [],

},

models: {

allowed: ['haiku', 'sonnet', 'opus'],

preferredForSpawning: 'sonnet',

},

};

const PERMISSIVE_LIMITS: ResourceLimits = {

maxTurns: 100,

maxTokensPerTurn: 32000,

maxTotalTokens: 500000,

timeoutMs: 600000,

maxConcurrentOperations: 10,

};

```

```typescript

interface IsolationRequest {

taskType: string;

trustLevel: 'low' | 'medium' | 'high';

dataSensitivity: 'public' | 'internal' | 'confidential';

networkRequired: boolean;

fileWriteRequired: boolean;

}

function selectIsolationLevel(request: IsolationRequest): IsolationLevel {

// High sensitivity data always gets strict

if (request.dataSensitivity === 'confidential') {

return 'strict';

}

// Low trust always gets strict or moderate

if (request.trustLevel === 'low') {

return request.networkRequired ? 'strict' : 'moderate';

}

// Internal data with medium trust

if (request.dataSensitivity === 'internal') {

return 'moderate';

}

// High trust with public data

if (request.trustLevel === 'high' && request.dataSensitivity === 'public') {

return 'permissive';

}

// Default to moderate

return 'moderate';

}

```

```typescript

interface SandboxConfig {

enabled: boolean;

tempDirectory: string;

cleanupOnExit: boolean;

networkIsolation: boolean;

processIsolation: boolean;

mountPoints?: MountPoint[];

}

interface MountPoint {

source: string;

target: string;

readOnly: boolean;

}

function configureSandbox(

isolation: IsolationLevel,

taskId: string

): SandboxConfig {

const baseConfig = ISOLATION_PROFILES[isolation].sandboxConfig;

return {

...baseConfig,

tempDirectory: /tmp/dag-sandbox/${taskId},

mountPoints: [

{

source: '/project',

target: '/sandbox/project',

readOnly: isolation === 'strict',

},

],

};

}

```

```typescript

function validateIsolationInheritance(

parentLevel: IsolationLevel,

childLevel: IsolationLevel

): boolean {

const hierarchy: Record = {

strict: 3,

moderate: 2,

permissive: 1,

};

// Child must be equal or more restrictive

return hierarchy[childLevel] >= hierarchy[parentLevel];

}

function getMaxAllowedChildIsolation(

parentLevel: IsolationLevel

): IsolationLevel[] {

switch (parentLevel) {

case 'strict':

return ['strict'];

case 'moderate':

return ['strict', 'moderate'];

case 'permissive':

return ['strict', 'moderate', 'permissive'];

}

}

```

```yaml

isolationReport:

agentId: data-processor

isolationLevel: moderate

profile:

description: "Balanced isolation for typical operations"

permissions:

coreTools:

read: true

write: true

task: true (with restrictions)

bash: "Limited to safe commands"

fileSystem: "Project and temp directories"

network: "Whitelisted domains only"

resourceLimits:

maxTurns: 20

maxTotalTokens: 100000

timeoutMs: 120000

sandbox:

enabled: false

networkIsolation: false

childAgentConstraints:

allowedLevels: [strict, moderate]

inheritedDenyPatterns: true

effectivePermissions:

# Merged parent + isolation profile

# ... detailed permission dump ...

```

• Input: Isolation requests from dag-parallel-executor
• Validation: Via dag-permission-validator
• Enforcement: Via dag-scope-enforcer
• Metrics: Resource usage to dag-performance-profiler

1. Default to Strict: Start restrictive, relax as needed
2. Principle of Least Privilege: Only grant what's needed
3. Trust Verification: Verify trust before granting access
4. Audit Everything: Log isolation level assignments
5. Regular Review: Periodically review isolation policies

---

Appropriate boundaries. Right-sized access. Secure by default.