feat: implement network and resource enforcement in policy engine (#5)

Author: yanurag-dev

ROADMAP.md

@@ -9,8 +9,8 @@ This roadmap tracks the progress of the Sandforge Agent Sandbox based on [ARCHIT
 - [x] **1.2 Core API Contracts**: Define `SandboxSpec`, `ExecRequest`, and `SandboxBackend` interfaces.
 - [ ] **1.3 Policy Engine**:
     - [x] Filesystem path validation (whitelist logic) [#1](https://github.com/yanurag-dev/sandforge/issues/1).
-    - [ ] Network mode enforcement (Offline/Fetch/Full) [#2](https://github.com/yanurag-dev/sandforge/issues/2).
-    - [ ] Resource limit validation (CPU/Memory/Disk) [#2](https://github.com/yanurag-dev/sandforge/issues/2).
+    - [x] Network mode enforcement (Offline/Fetch/Full) [#2](https://github.com/yanurag-dev/sandforge/issues/2).
+    - [x] Resource limit validation (CPU/Memory/Disk) [#2](https://github.com/yanurag-dev/sandforge/issues/2).
     - [ ] Command family filtering [#3](https://github.com/yanurag-dev/sandforge/issues/3).
 - [ ] **1.4 Testing**: Unit tests for policy enforcement.
 

internal/policy/engine.go

@@ -9,13 +9,19 @@ import (
 )
 
 var (
-	ErrForbiddenHostPath = errors.New("requested host path is forbidden by policy")
-	ErrPathNotAbs        = errors.New("host path must be an absolute path")
+	ErrForbiddenHostPath     = errors.New("requested host path is forbidden by policy")
+	ErrPathNotAbs            = errors.New("host path must be an absolute path")
+	ErrResourceLimitExceeded = errors.New("requested resource exceeds policy limits")
+	ErrInvalidNetworkMode    = errors.New("requested network mode is not allowed")
 )
 
 type Engine struct {
 	AllowedHostPrefixes []string
 	BlockedHostPatterns []string
+	MaxCPU              int
+	MaxMemoryMb         int
+	MaxDiskGb           int
+	AllowedNetworkModes []string
 }
 
 func (e *Engine) EvaluateMount(mount api.WorkspaceMount) error {
@@ -59,3 +65,28 @@ func (e *Engine) EvaluateMount(mount api.WorkspaceMount) error {
 	}
 	return nil
 }
+
+func (e *Engine) EvaluateSandbox(spec api.SandboxSpec) error {
+	if spec.CPU > e.MaxCPU {
+		return ErrResourceLimitExceeded
+	}
+	if spec.MemoryMb > e.MaxMemoryMb {
+		return ErrResourceLimitExceeded
+	}
+	if spec.DiskGb > e.MaxDiskGb {
+		return ErrResourceLimitExceeded
+	}
+
+	allowed := false
+	for _, mode := range e.AllowedNetworkModes {
+		if spec.NetworkMode == mode {
+			allowed = true
+			break
+		}
+	}
+
+	if !allowed {
+		return ErrInvalidNetworkMode
+	}
+	return nil
+}

internal/policy/engine_test.go

@@ -115,3 +115,72 @@ func TestEvaluateMount(t *testing.T) {
 		})
 	}
 }
+
+func TestEvaluateSandbox(t *testing.T) {
+	engine := &Engine{
+		MaxCPU:              2,
+		MaxMemoryMb:         2048,
+		MaxDiskGb:           10,
+		AllowedNetworkModes: []string{"offline", "fetch"},
+	}
+
+	tests := []struct {
+		name      string
+		spec      api.SandboxSpec
+		wantError error
+	}{
+		{
+			name: "Valid spec",
+			spec: api.SandboxSpec{
+				CPU:         1,
+				MemoryMb:    1024,
+				DiskGb:      5,
+				NetworkMode: "offline",
+			},
+			wantError: nil,
+		},
+		{
+			name: "CPU limit exceeded",
+			spec: api.SandboxSpec{
+				CPU: 4,
+			},
+			wantError: ErrResourceLimitExceeded,
+		},
+		{
+			name: "Memory limit exceeded",
+			spec: api.SandboxSpec{
+				CPU:      1,
+				MemoryMb: 4096,
+			},
+			wantError: ErrResourceLimitExceeded,
+		},
+		{
+			name: "Disk limit exceeded",
+			spec: api.SandboxSpec{
+				CPU:      1,
+				MemoryMb: 1024,
+				DiskGb:   20,
+			},
+			wantError: ErrResourceLimitExceeded,
+		},
+		{
+			name: "Forbidden network mode",
+			spec: api.SandboxSpec{
+				CPU:         1,
+				MemoryMb:    1024,
+				DiskGb:      5,
+				NetworkMode: "full",
+			},
+			wantError: ErrInvalidNetworkMode,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := engine.EvaluateSandbox(tt.spec)
+			if err != tt.wantError {
+				t.Errorf("EvaluateSandbox() error = %v, wantError %v", err, tt.wantError)
+			}
+		})
+	}
+}