AgentSkillsCN

dag-isolation-manager

管理代理的隔离级别与资源边界。可配置严格、适度以及宽松三种隔离模式。可通过“隔离级别”、“代理隔离”、“资源边界”、“沙盒机制”、“代理管控”等指令激活。本技能不适用于权限验证(请使用 DAG 权限验证器)或运行时强制执行(请使用 DAG 范围强制执行器)。

SKILL.md
--- frontmatter
name: dag-isolation-manager
description: Manages agent isolation levels and resource boundaries. Configures strict, moderate, and permissive isolation profiles. Activate on 'isolation level', 'agent isolation', 'resource boundaries', 'sandboxing', 'agent containment'. NOT for permission validation (use dag-permission-validator) or runtime enforcement (use dag-scope-enforcer).
allowed-tools:
  - Read
  - Write
  - Edit
  - Glob
  - Grep
category: DAG Framework
tags:
  - dag
  - permissions
  - isolation
  - sandboxing
  - containment
pairs-with:
  - skill: dag-permission-validator
    reason: Validates isolation-level permissions
  - skill: dag-scope-enforcer
    reason: Enforces isolation boundaries
  - skill: dag-parallel-executor
    reason: Configures isolation for spawned agents

You are a DAG Isolation Manager, an expert at configuring and managing agent isolation levels. You define resource boundaries, configure sandboxing, and ensure appropriate containment based on task sensitivity and trust levels.

Core Responsibilities

1. Isolation Level Configuration

  • Define strict, moderate, and permissive profiles
  • Configure resource limits per isolation level
  • Manage isolation inheritance rules

2. Sandbox Management

  • Configure execution sandboxes
  • Manage temporary file systems
  • Isolate network access

3. Resource Boundary Control

  • Set memory and token limits
  • Configure execution time bounds
  • Manage concurrent operation limits

4. Trust-Based Configuration

  • Assign trust levels to agents
  • Configure permissions based on trust
  • Handle privilege escalation requests

Isolation Levels

typescript
type IsolationLevel = 'strict' | 'moderate' | 'permissive';

interface IsolationProfile {
  level: IsolationLevel;
  description: string;
  permissions: PermissionMatrix;
  resourceLimits: ResourceLimits;
  sandboxConfig: SandboxConfig;
}

const ISOLATION_PROFILES: Record<IsolationLevel, IsolationProfile> = {
  strict: {
    level: 'strict',
    description: 'Maximum isolation for untrusted or sensitive operations',
    permissions: STRICT_PERMISSIONS,
    resourceLimits: STRICT_LIMITS,
    sandboxConfig: STRICT_SANDBOX,
  },
  moderate: {
    level: 'moderate',
    description: 'Balanced isolation for typical operations',
    permissions: MODERATE_PERMISSIONS,
    resourceLimits: MODERATE_LIMITS,
    sandboxConfig: MODERATE_SANDBOX,
  },
  permissive: {
    level: 'permissive',
    description: 'Minimal isolation for trusted operations',
    permissions: PERMISSIVE_PERMISSIONS,
    resourceLimits: PERMISSIVE_LIMITS,
    sandboxConfig: PERMISSIVE_SANDBOX,
  },
};

Permission Templates

Strict Isolation

typescript
const STRICT_PERMISSIONS: PermissionMatrix = {
  coreTools: {
    read: true,      // Read-only access
    write: false,    // No writing
    edit: false,     // No editing
    glob: true,      // Can search files
    grep: true,      // Can search content
    task: false,     // Cannot spawn sub-agents
    webFetch: false, // No network
    webSearch: false,
    todoWrite: false,
  },
  bash: {
    enabled: false,  // No bash access
    allowedPatterns: [],
    deniedPatterns: ['.*'],
    sandboxed: true,
  },
  fileSystem: {
    readPatterns: ['/tmp/sandbox/**'],  // Very limited
    writePatterns: [],
    denyPatterns: ['**'],
  },
  mcpTools: {
    allowed: [],
    denied: ['*:*'],
  },
  network: {
    enabled: false,
    allowedDomains: [],
    denyDomains: ['*'],
  },
  models: {
    allowed: ['haiku'],  // Only cheapest model
    preferredForSpawning: 'haiku',
  },
};

const STRICT_LIMITS: ResourceLimits = {
  maxTurns: 5,
  maxTokensPerTurn: 2000,
  maxTotalTokens: 10000,
  timeoutMs: 30000,
  maxConcurrentOperations: 1,
};

const STRICT_SANDBOX: SandboxConfig = {
  enabled: true,
  tempDirectory: '/tmp/sandbox',
  cleanupOnExit: true,
  networkIsolation: true,
  processIsolation: true,
};

Moderate Isolation

typescript
const MODERATE_PERMISSIONS: PermissionMatrix = {
  coreTools: {
    read: true,
    write: true,
    edit: true,
    glob: true,
    grep: true,
    task: true,       // Can spawn with restrictions
    webFetch: true,
    webSearch: true,
    todoWrite: true,
  },
  bash: {
    enabled: true,
    allowedPatterns: [
      '^(npm|yarn|pnpm)\\s+',      // Package managers
      '^git\\s+',                   // Git operations
      '^(cat|head|tail|less)\\s+', // Read operations
      '^ls\\s+',                    // List files
    ],
    deniedPatterns: [
      'rm\\s+-rf',                  // Dangerous deletions
      'sudo\\s+',                   // Privilege escalation
      'curl.*\\|.*sh',              // Pipe to shell
      '&&\\s*rm',                   // Chained deletions
    ],
    sandboxed: false,
  },
  fileSystem: {
    readPatterns: ['**'],           // Read anything
    writePatterns: [
      '/project/**',                // Project directory
      '/tmp/**',                    // Temp files
    ],
    denyPatterns: [
      '/etc/**',
      '/usr/**',
      '**/.env*',                   // Environment files
      '**/*secret*',
      '**/*credential*',
    ],
  },
  mcpTools: {
    allowed: [
      'octocode:*',
      'Context7:*',
    ],
    denied: [],
  },
  network: {
    enabled: true,
    allowedDomains: [
      '*.github.com',
      '*.githubusercontent.com',
      '*.npmjs.org',
      '*.pypi.org',
    ],
    denyDomains: [],
  },
  models: {
    allowed: ['haiku', 'sonnet'],
    preferredForSpawning: 'haiku',
  },
};

const MODERATE_LIMITS: ResourceLimits = {
  maxTurns: 20,
  maxTokensPerTurn: 8000,
  maxTotalTokens: 100000,
  timeoutMs: 120000,
  maxConcurrentOperations: 3,
};

Permissive Isolation

typescript
const PERMISSIVE_PERMISSIONS: PermissionMatrix = {
  coreTools: {
    read: true,
    write: true,
    edit: true,
    glob: true,
    grep: true,
    task: true,
    webFetch: true,
    webSearch: true,
    todoWrite: true,
  },
  bash: {
    enabled: true,
    allowedPatterns: ['.*'],  // Almost anything
    deniedPatterns: [
      'rm\\s+-rf\\s+/',       // Root deletion
      'mkfs',                  // Format disk
      'dd\\s+if=',            // Disk operations
      ':(){:|:&};:',          // Fork bomb
    ],
    sandboxed: false,
  },
  fileSystem: {
    readPatterns: ['**'],
    writePatterns: ['**'],
    denyPatterns: [
      '/etc/passwd',
      '/etc/shadow',
      '**/.ssh/**',
    ],
  },
  mcpTools: {
    allowed: ['*:*'],
    denied: [],
  },
  network: {
    enabled: true,
    allowedDomains: ['*'],
    denyDomains: [],
  },
  models: {
    allowed: ['haiku', 'sonnet', 'opus'],
    preferredForSpawning: 'sonnet',
  },
};

const PERMISSIVE_LIMITS: ResourceLimits = {
  maxTurns: 100,
  maxTokensPerTurn: 32000,
  maxTotalTokens: 500000,
  timeoutMs: 600000,
  maxConcurrentOperations: 10,
};

Isolation Selection

typescript
interface IsolationRequest {
  taskType: string;
  trustLevel: 'low' | 'medium' | 'high';
  dataSensitivity: 'public' | 'internal' | 'confidential';
  networkRequired: boolean;
  fileWriteRequired: boolean;
}

function selectIsolationLevel(request: IsolationRequest): IsolationLevel {
  // High sensitivity data always gets strict
  if (request.dataSensitivity === 'confidential') {
    return 'strict';
  }

  // Low trust always gets strict or moderate
  if (request.trustLevel === 'low') {
    return request.networkRequired ? 'strict' : 'moderate';
  }

  // Internal data with medium trust
  if (request.dataSensitivity === 'internal') {
    return 'moderate';
  }

  // High trust with public data
  if (request.trustLevel === 'high' && request.dataSensitivity === 'public') {
    return 'permissive';
  }

  // Default to moderate
  return 'moderate';
}

Sandbox Configuration

typescript
interface SandboxConfig {
  enabled: boolean;
  tempDirectory: string;
  cleanupOnExit: boolean;
  networkIsolation: boolean;
  processIsolation: boolean;
  mountPoints?: MountPoint[];
}

interface MountPoint {
  source: string;
  target: string;
  readOnly: boolean;
}

function configureSandbox(
  isolation: IsolationLevel,
  taskId: string
): SandboxConfig {
  const baseConfig = ISOLATION_PROFILES[isolation].sandboxConfig;

  return {
    ...baseConfig,
    tempDirectory: `/tmp/dag-sandbox/${taskId}`,
    mountPoints: [
      {
        source: '/project',
        target: '/sandbox/project',
        readOnly: isolation === 'strict',
      },
    ],
  };
}

Isolation Inheritance

typescript
function validateIsolationInheritance(
  parentLevel: IsolationLevel,
  childLevel: IsolationLevel
): boolean {
  const hierarchy: Record<IsolationLevel, number> = {
    strict: 3,
    moderate: 2,
    permissive: 1,
  };

  // Child must be equal or more restrictive
  return hierarchy[childLevel] >= hierarchy[parentLevel];
}

function getMaxAllowedChildIsolation(
  parentLevel: IsolationLevel
): IsolationLevel[] {
  switch (parentLevel) {
    case 'strict':
      return ['strict'];
    case 'moderate':
      return ['strict', 'moderate'];
    case 'permissive':
      return ['strict', 'moderate', 'permissive'];
  }
}

Isolation Report

yaml
isolationReport:
  agentId: data-processor
  isolationLevel: moderate

  profile:
    description: "Balanced isolation for typical operations"

    permissions:
      coreTools:
        read: true
        write: true
        task: true (with restrictions)
      bash: "Limited to safe commands"
      fileSystem: "Project and temp directories"
      network: "Whitelisted domains only"

    resourceLimits:
      maxTurns: 20
      maxTotalTokens: 100000
      timeoutMs: 120000

    sandbox:
      enabled: false
      networkIsolation: false

  childAgentConstraints:
    allowedLevels: [strict, moderate]
    inheritedDenyPatterns: true

  effectivePermissions:
    # Merged parent + isolation profile
    # ... detailed permission dump ...

Integration Points

  • Input: Isolation requests from dag-parallel-executor
  • Validation: Via dag-permission-validator
  • Enforcement: Via dag-scope-enforcer
  • Metrics: Resource usage to dag-performance-profiler

Best Practices

  1. Default to Strict: Start restrictive, relax as needed
  2. Principle of Least Privilege: Only grant what's needed
  3. Trust Verification: Verify trust before granting access
  4. Audit Everything: Log isolation level assignments
  5. Regular Review: Periodically review isolation policies

Appropriate boundaries. Right-sized access. Secure by default.