dev-dami · dev-dami · Jan 25, 2026 · Jan 25, 2026 · Jan 25, 2026 · Jan 25, 2026
diff --git a/docs/api.md b/docs/api.md
@@ -99,6 +99,7 @@ ignite run <path> [options]
 | `--skip-preflight` | `false` | Skip safety checks |
 | `--json` | `false` | Output results as JSON |
 | `--audit` | `false` | Run with security audit (blocks network, read-only filesystem) |
+| `--audit-output <file>` | - | Write security audit to a JSON file |
 
 **Examples:**
 
@@ -151,6 +152,8 @@ Filesystem
 ✗ Security Status: 2 VIOLATION(S) BLOCKED
 ```
 
+When `--json` is used with `--audit`, the JSON output includes a `securityAudit` field.
+
 **Output:**
 
 ```
@@ -574,14 +577,17 @@ Execute a service.
     "data": [1, 2, 3],
     "operation": "sum"
   },
-  "skipPreflight": false
+  "skipPreflight": false,
+  "audit": true
 }
 ```
 
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `input` | object | No | Input data passed to service |
 | `skipPreflight` | boolean | No | Skip safety checks |
+| `skipBuild` | boolean | No | Skip image build if already built |
+| `audit` | boolean | No | Run with security audit |
 
 **Response:**
 
@@ -597,6 +603,8 @@ Execute a service.
 }
 ```
 
+When `audit` is true, the response includes `securityAudit`.
+
 **Errors:**
 
 | Status | Description |
@@ -636,6 +644,23 @@ service:
   timeoutMs: number      # Timeout (default: 30000)
   env: object            # Environment variables
   dependencies: array    # Explicit dependencies (auto-detected by default)
+
+preflight:
+  memory:
+    baseMb: number            # Base memory estimate (default: 50)
+    perDependencyMb: number   # Memory per dependency (default: 2)
+    warnRatio: number         # Warning threshold ratio (default: 1)
+    failRatio: number         # Failure threshold ratio (default: 0.8)
+  dependencies:
+    warnCount: number         # Warn if dependency count exceeds (default: 100)
+    infoCount: number         # Info threshold for moderate count (default: 50)
+  image:
+    warnMb: number            # Image size warn threshold (default: 500)
+    failMb: number            # Image size fail threshold (default: 1000)
+  timeout:
+    minMs: number             # Minimum timeout (default: 100)
+    maxMs: number             # Maximum recommended timeout (default: 30000)
+    coldStartBufferMs: number # Cold start buffer (default: 500)
 ```
 
 **Supported Runtimes:**
@@ -699,20 +724,9 @@ Create an `ignite.policy.yaml` file to customize security settings:
 security:
   network:
     enabled: false              # Block all network (default)
-    allowedHosts:               # Optional: allow specific hosts
-      - api.example.com
-    allowedPorts:               # Optional: allow specific ports
-      - 443
 
   filesystem:
     readOnly: true              # Read-only root filesystem
-    allowedWritePaths:          # Paths that can be written to
-      - /tmp
-    blockedReadPaths:           # Paths blocked from reading
-      - /etc/passwd
-      - /etc/shadow
-      - /proc
-      - /sys
 
   process:
     allowSpawn: false           # Block spawning child processes

diff --git a/docs/preflight.md b/docs/preflight.md
@@ -59,12 +59,26 @@ Each check returns:
 
 ## Customizing Thresholds
 
-Thresholds are currently hardcoded. Future versions will support configuration via `service.yaml`:
+Thresholds can be configured via `service.yaml`:
 
 ```yaml
 service:
   name: my-service
-  preflight:
-    memory_buffer: 1.5
-    max_dependencies: 150
+
+preflight:
+  memory:
+    baseMb: 60
+    perDependencyMb: 3
+    warnRatio: 1
+    failRatio: 0.85
+  dependencies:
+    warnCount: 120
+    infoCount: 60
+  image:
+    warnMb: 600
+    failMb: 1200
+  timeout:
+    minMs: 200
+    maxMs: 45000
+    coldStartBufferMs: 750
 ```
diff --git a/examples/hello-bun/service.yaml b/examples/hello-bun/service.yaml
@@ -3,6 +3,6 @@ service:
   runtime: bun
   entry: index.ts
   memoryMb: 128
-  timeoutMs: 5000
+  timeoutMs: 30000
   env:
     NODE_ENV: production
diff --git a/packages/cli/src/commands/run.ts b/packages/cli/src/commands/run.ts
@@ -1,4 +1,6 @@
-import { loadService, executeService, runPreflight, createReport, formatReportAsText, getImageName, buildServiceImage, parseAuditFromOutput, formatSecurityAudit, DEFAULT_POLICY, isValidRuntime } from '@ignite/core';
+import { writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { loadService, executeService, runPreflight, createReport, formatReportAsText, getImageName, buildServiceImage, parseAuditFromOutput, formatSecurityAudit, DEFAULT_POLICY, isValidRuntime, loadPolicyFile } from '@ignite/core';
 import { logger, ConfigError } from '@ignite/shared';
 
 interface RunOptions {
@@ -7,6 +9,7 @@ interface RunOptions {
   json?: boolean;
   audit?: boolean;
   runtime?: string;
+  auditOutput?: string;
 }
 
 export async function runCommand(servicePath: string, options: RunOptions): Promise<void> {
@@ -45,18 +48,31 @@ export async function runCommand(servicePath: string, options: RunOptions): Prom
       process.exit(1);
     }
 
-    const metrics = await executeService(service, { input, skipBuild: true, audit: options.audit });
+    const policy = options.audit
+      ? (await loadPolicyFile(service.servicePath)) ?? DEFAULT_POLICY
+      : undefined;
+
+    const metrics = await executeService(service, { input, skipBuild: true, audit: options.audit, policy });
 
     const report = createReport(preflightResult, metrics);
+    const audit = options.audit && policy
+      ? parseAuditFromOutput(metrics.stdout, metrics.stderr, policy)
+      : undefined;
+
+    if (options.auditOutput && audit) {
+      const outputPath = join(process.cwd(), options.auditOutput);
+      await writeFile(outputPath, JSON.stringify(audit, null, 2));
+      logger.success(`Audit saved to ${outputPath}`);
+    }
-    if (options.auditOutput && audit) {
-      const outputPath = join(process.cwd(), options.auditOutput);
-      await writeFile(outputPath, JSON.stringify(audit, null, 2));
-      logger.success(`Audit saved to ${outputPath}`);
-    }
+    if (options.auditOutput && audit) {
+      const outputPath = resolve(options.auditOutput);
+      await writeFile(outputPath, JSON.stringify(audit, null, 2));
+      logger.success(`Audit saved to ${outputPath}`);
+    }
-    if (options.auditOutput && audit) {
-      const outputPath = join(process.cwd(), options.auditOutput);
-      await writeFile(outputPath, JSON.stringify(audit, null, 2));
-      logger.success(`Audit saved to ${outputPath}`);
-    }
+    if (options.auditOutput && audit) {
+      const outputPath = resolve(options.auditOutput);
+      await writeFile(outputPath, JSON.stringify(audit, null, 2));
+      logger.success(`Audit saved to ${outputPath}`);
+    }
 
     if (options.json) {
-      console.log(JSON.stringify(report, null, 2));
+      const payload = audit ? { ...report, securityAudit: audit } : report;
+      console.log(JSON.stringify(payload, null, 2));
     } else {
       console.log(formatReportAsText(report));
     }
 
-    if (options.audit) {
-      const audit = parseAuditFromOutput(metrics.stdout, metrics.stderr, DEFAULT_POLICY);
+    if (options.audit && audit && !options.json) {
       console.log(formatSecurityAudit(audit));
     }
 

diff --git a/packages/cli/src/index.ts b/packages/cli/src/index.ts
@@ -30,6 +30,7 @@ program
   .option('--skip-preflight', 'Skip preflight checks before execution')
   .option('--json', 'Output results as JSON')
   .option('--audit', 'Run with security audit (blocks network, read-only filesystem)')
+  .option('--audit-output <file>', 'Write security audit to a JSON file')
   .action(runCommand);
 
 program

diff --git a/packages/core/src/__tests__/load-service.test.ts b/packages/core/src/__tests__/load-service.test.ts
@@ -13,7 +13,7 @@ describe('loadService', () => {
       expect(service.config.service.runtime).toBe('bun');
       expect(service.config.service.entry).toBe('index.ts');
       expect(service.config.service.memoryMb).toBe(128);
-      expect(service.config.service.timeoutMs).toBe(5000);
+      expect(service.config.service.timeoutMs).toBe(30000);
       expect(service.servicePath).toBe(servicePath);
     });
 

diff --git a/packages/core/src/execution/execute.ts b/packages/core/src/execution/execute.ts
@@ -6,6 +6,8 @@ import type { LoadedService } from '../service/service.types.js';
 import { dockerBuild, dockerRun, isDockerAvailable } from '../runtime/docker-runtime.js';
 import { getRuntimeConfig } from '../runtime/runtime-registry.js';
 import { parseMetrics } from './metrics.js';
+import { DEFAULT_POLICY, loadPolicyFile, policyToDockerOptions } from '../security/index.js';
+import type { SecurityPolicy } from '../security/security.types.js';
 
 
 
@@ -14,6 +16,7 @@ export interface ExecuteOptions {
   env?: Record<string, string>;
   skipBuild?: boolean;
   audit?: boolean;
+  policy?: SecurityPolicy;
 }
 
 interface ExecutionState {
@@ -45,6 +48,13 @@ export async function executeService(
 
   logger.info(`Executing ${serviceName}...`);
 
+  let policy: SecurityPolicy | undefined;
+  if (options.audit) {
+    policy = options.policy ?? (await loadPolicyFile(service.servicePath)) ?? DEFAULT_POLICY;
+  }
+
+  const securityOptions = policy ? policyToDockerOptions(policy) : undefined;
+
   const runResult = await dockerRun({
     imageName,
     containerName,
@@ -65,13 +75,7 @@ export async function executeService(
       IGNITE_INPUT: options.input ? JSON.stringify(options.input) : '',
       NODE_ENV: 'production',
     },
-    security: options.audit ? {
-      networkDisabled: true,
-      readOnlyRootfs: true,
-      dropCapabilities: true,
-      noNewPrivileges: true,
-      tmpfsPaths: ['/tmp'],
-    } : undefined,
+    security: options.audit ? securityOptions : undefined,
   });
 
   const metrics = parseMetrics(runResult, isColdStart);

diff --git a/packages/core/src/preflight/analyze-image.ts b/packages/core/src/preflight/analyze-image.ts
@@ -1,11 +1,21 @@
 import type { PreflightCheck } from '@ignite/shared';
 import { getImageInfo } from '../runtime/docker-runtime.js';
 
-const IMAGE_SIZE_WARN_THRESHOLD_MB = 500;
-const IMAGE_SIZE_FAIL_THRESHOLD_MB = 1000;
+const DEFAULT_IMAGE_SIZE_WARN_MB = 500;
+const DEFAULT_IMAGE_SIZE_FAIL_MB = 1000;
 
-export async function analyzeImage(imageName: string): Promise<PreflightCheck> {
+export interface ImagePreflightConfig {
+  warnMb?: number;
+  failMb?: number;
+}
+
+export async function analyzeImage(
+  imageName: string,
+  config?: ImagePreflightConfig
+): Promise<PreflightCheck> {
   const imageInfo = await getImageInfo(imageName);
+  const warnThresholdMb = config?.warnMb ?? DEFAULT_IMAGE_SIZE_WARN_MB;
+  const failThresholdMb = config?.failMb ?? DEFAULT_IMAGE_SIZE_FAIL_MB;
 
   if (!imageInfo) {
     return {
@@ -17,23 +27,23 @@ export async function analyzeImage(imageName: string): Promise<PreflightCheck> {
 
   const sizeMb = Math.round(imageInfo.size / 1024 / 1024);
 
-  if (sizeMb > IMAGE_SIZE_FAIL_THRESHOLD_MB) {
+  if (sizeMb > failThresholdMb) {
     return {
       name: 'image-size',
       status: 'fail',
-      message: `Image size ${sizeMb}MB exceeds ${IMAGE_SIZE_FAIL_THRESHOLD_MB}MB limit`,
+      message: `Image size ${sizeMb}MB exceeds ${failThresholdMb}MB limit`,
       value: sizeMb,
-      threshold: IMAGE_SIZE_FAIL_THRESHOLD_MB,
+      threshold: failThresholdMb,
     };
   }
 
-  if (sizeMb > IMAGE_SIZE_WARN_THRESHOLD_MB) {
+  if (sizeMb > warnThresholdMb) {
     return {
       name: 'image-size',
       status: 'warn',
-      message: `Image size ${sizeMb}MB exceeds recommended ${IMAGE_SIZE_WARN_THRESHOLD_MB}MB`,
+      message: `Image size ${sizeMb}MB exceeds recommended ${warnThresholdMb}MB`,
       value: sizeMb,
-      threshold: IMAGE_SIZE_WARN_THRESHOLD_MB,
+      threshold: warnThresholdMb,
     };
   }
 
@@ -42,6 +52,6 @@ export async function analyzeImage(imageName: string): Promise<PreflightCheck> {
     status: 'pass',
     message: `Image size ${sizeMb}MB is within limits`,
     value: sizeMb,
-    threshold: IMAGE_SIZE_WARN_THRESHOLD_MB,
+    threshold: warnThresholdMb,
   };
 }