Add audit export, policy enforcement, and preflight config

[dev-dami]

Summary

• Apply policy-based security options during audit runs
• Export security audit in CLI/HTTP responses and add configurable preflight thresholds
• Bump versions to 0.7.1 and align hello-bun timeout/test

Testing

• bun run typecheck
• bun run lint
• bun run test

Summary by CodeRabbit

• New Features

  • Added --audit-output CLI option to write security audit results to a JSON file
  • Added configurable preflight thresholds for memory, dependencies, image size, and execution timeout in service configuration
  • Added security audit reporting in API responses when audit mode is enabled

• Documentation

  • Updated API and configuration documentation to reflect new audit and preflight capabilities

• Chores

  • Version bumped to 0.7.1

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes add security auditing capabilities and configurable preflight checks to the Ignite system. A new --audit-output CLI flag enables writing security audits to files. The HTTP API for service execution is extended to accept audit and skipBuild request parameters and return securityAudit in responses. A new preflight configuration section is introduced in service.yaml to make previously hardcoded thresholds configurable across memory, dependencies, image analysis, and timeout settings. Security policies are simplified by removing allowedHosts, allowedPorts, allowedWritePaths, and blockedReadPaths. All packages are versioned to 0.7.1.

Changes

Cohort / File(s)	Summary
Version Bumps package.json, packages/cli/package.json, packages/core/package.json, packages/http/package.json, packages/shared/package.json	Version bumped from 0.6.x to 0.7.1 across all packages.
Documentation & API Specifications docs/api.md, docs/preflight.md	API documentation extended with new audit and skipBuild request fields, securityAudit response field. Preflight documentation updated with configurable threshold schema for memory, dependencies, image, and timeout.
CLI Implementation packages/cli/src/index.ts, packages/cli/src/commands/run.ts	Added --audit-output <file> option to run command. Extended RunOptions to include auditOutput; integrated policy loading, audit parsing, and file writing when audit is enabled.
Preflight Configuration & Validation packages/shared/src/types.ts, packages/core/src/service/load-service.ts	Introduced PreflightConfig interface with nested memory, dependencies, image, and timeout sections. Added comprehensive validation for preflight settings including cross-field consistency checks (warnRatio vs. failRatio, warnMb vs. failMb).
Configurable Preflight Analysis packages/core/src/preflight/analyze-memory.ts, packages/core/src/preflight/analyze-image.ts, packages/core/src/preflight/analyze-timeout.ts, packages/core/src/preflight/preflight.ts	Replaced hardcoded thresholds with configurable values from service.config.preflight. Each analyzer now accepts optional config parameters; thresholds computed dynamically instead of using constants.
Core Execution & Policy packages/core/src/execution/execute.ts	Extended ExecuteOptions to include optional policy field. When auditing is enabled, policy-derived security options replace hardcoded security object in container startup.
HTTP Server Integration packages/http/src/server.ts, packages/http/src/types.ts	Updated service execution flow to load policy and pass it to executeService when audit requested. Extended ServiceExecutionResponse type to include optional securityAudit field.
Configuration Updates examples/hello-bun/service.yaml, packages/core/src/__tests__/load-service.test.ts	Updated hello-bun service timeout from 5000 ms to 30000 ms; corresponding test expectation updated.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat(security): add authentication, rate limiting, and container hardening #9: Adds audit flag and propagates auditing through HTTP execution path (ServiceExecutionRequest/response, server execution flow).
• feat(preflight): add pre-execution safety analysis system #2: Extends and configures the preflight analysis system (memory, image, timeout modules) that this PR modularizes and makes configurable.

Poem

🐰 Audit trails now configurable, so neat,
Security policies dance to the beat,
Preflight thresholds no longer are stone,
Each service now claims a configuration zone,
From memory to timeouts, all under command,
The rabbit approves—this change is quite grand! 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the three main changes in the pull request: audit export functionality, policy enforcement during audits, and configurable preflight thresholds.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

docs/api.md (2)

97-103: Clarify whether --audit-output requires --audit

The option description doesn’t specify behavior when --audit is omitted. Please clarify whether it implies --audit or is ignored/errored without it.

✏️ Suggested wording

-| `--audit-output <file>` | - | Write security audit to a JSON file |
+| `--audit-output <file>` | - | Write security audit to a JSON file (requires `--audit`) |

---

125-132: Audit sandboxing is policy‑driven—document defaults

With policy-based enforcement, network/filesystem/process rules can be overridden by ignite.policy.yaml. The bullet list should be framed as defaults.

✏️ Suggested wording

-When running with `--audit`, the service runs in a hardened sandbox:
+When running with `--audit`, the service runs in a hardened sandbox by default (policy overrides may apply):
 
-- Network completely disabled (`--network=none`)
-- Read-only root filesystem (`--read-only`)
-- Writable `/tmp` only (`--tmpfs /tmp`)
-- All Linux capabilities dropped (`--cap-drop=ALL`)
-- No privilege escalation (`--security-opt=no-new-privileges`)
+- Network disabled (`--network=none`)
+- Read-only root filesystem (`--read-only`)
+- Writable `/tmp` only (`--tmpfs /tmp`)
+- All Linux capabilities dropped (`--cap-drop=ALL`)
+- No privilege escalation (`--security-opt=no-new-privileges`)

🤖 Fix all issues with AI agents

In `@packages/cli/src/commands/run.ts`:
- Around line 62-66: Wrap the audit file write in a try/catch to handle
filesystem errors when calling writeFile with the resolved outputPath (used when
options.auditOutput && audit), so failures (permission, disk, invalid path) are
caught; on error log a clear message via logger.error including the outputPath
and error details and avoid letting the unhandled rejection propagate (either
return a non-fatal error status or rethrow after logging depending on command
semantics). Ensure the success log (logger.success(`Audit saved to
${outputPath}`)) remains inside the try block and reference the existing symbols
options.auditOutput, audit, outputPath, writeFile, and logger in your changes.

In `@packages/core/src/preflight/analyze-memory.ts`:
- Around line 55-70: Add a validation in the load-service preflight parsing to
ensure preflight.dependencies.warnCount > preflight.dependencies.infoCount:
after extracting dependencyConfig and the numeric warnCount and infoCount (the
same way memory/image/timeout validations do), check both are numbers and push
an error message via errors.push('preflight.dependencies.warnCount must be
greater than preflight.dependencies.infoCount') when warnCount <= infoCount;
reference the dependencyConfig/warnCount/infoCount variables and the errors
array used in load-service.ts so the preflight tiering logic remains consistent
with other sections.

In `@packages/core/src/service/load-service.ts`:
- Around line 139-142: Add a cross-field validation after the existing call to
validatePreflightSection for pf['dependencies']: when both
pf['dependencies'].infoCount and pf['dependencies'].warnCount are defined, check
that infoCount < warnCount and push an appropriate error into the errors array
(use the same error key/namespace 'preflight.dependencies' or
'preflight.dependencies.infoCount' to match existing validations). Modify the
block around validatePreflightSection(pf['dependencies'],
'preflight.dependencies', errors, { ... }) to perform this additional check and
append a descriptive error if the ordering is violated.

🧹 Nitpick comments (2)

packages/core/src/preflight/analyze-image.ts (1)

7-10: Consider reusing the type from @ignite/shared.

The ImagePreflightConfig interface duplicates the shape of PreflightConfig['image'] from @ignite/shared. Consider importing and reusing the shared type to maintain a single source of truth and avoid drift between definitions.

♻️ Suggested refactor

-export interface ImagePreflightConfig {
-  warnMb?: number;
-  failMb?: number;
-}
+import type { PreflightConfig } from '@ignite/shared';
+
+export type ImagePreflightConfig = PreflightConfig['image'];

docs/api.md (1)

575-590: Add skipBuild to request example for parity

The table documents skipBuild, but the example JSON omits it. Adding it would reduce ambiguity.

✏️ Example update

 {
   "input": {
     "data": [1, 2, 3],
     "operation": "sum"
   },
   "skipPreflight": false,
+  "skipBuild": false,
   "audit": true
 }

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add error handling for audit file write operation.

The writeFile call can fail (e.g., permission denied, disk full, invalid path) but errors aren't caught. This could cause the command to fail with an unhandled rejection after successful execution.

🛡️ Proposed fix

     if (options.auditOutput && audit) {
       const outputPath = resolve(process.cwd(), options.auditOutput);
-      await writeFile(outputPath, JSON.stringify(audit, null, 2));
-      logger.success(`Audit saved to ${outputPath}`);
+      try {
+        await writeFile(outputPath, JSON.stringify(audit, null, 2));
+        logger.success(`Audit saved to ${outputPath}`);
+      } catch (writeErr) {
+        logger.warn(`Failed to save audit to ${outputPath}: ${(writeErr as Error).message}`);
+      }
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (options.auditOutput && audit) {
	const outputPath = resolve(process.cwd(), options.auditOutput);
	await writeFile(outputPath, JSON.stringify(audit, null, 2));
	logger.success(`Audit saved to ${outputPath}`);
	}
	if (options.auditOutput && audit) {
	const outputPath = resolve(process.cwd(), options.auditOutput);
	try {
	await writeFile(outputPath, JSON.stringify(audit, null, 2));
	logger.success(`Audit saved to ${outputPath}`);
	} catch (writeErr) {
	logger.warn(`Failed to save audit to ${outputPath}: ${(writeErr as Error).message}`);
	}
	}

🤖 Prompt for AI Agents

In `@packages/cli/src/commands/run.ts` around lines 62 - 66, Wrap the audit file
write in a try/catch to handle filesystem errors when calling writeFile with the
resolved outputPath (used when options.auditOutput && audit), so failures
(permission, disk, invalid path) are caught; on error log a clear message via
logger.error including the outputPath and error details and avoid letting the
unhandled rejection propagate (either return a non-fatal error status or rethrow
after logging depending on command semantics). Ensure the success log
(logger.success(`Audit saved to ${outputPath}`)) remains inside the try block
and reference the existing symbols options.auditOutput, audit, outputPath,
writeFile, and logger in your changes.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the file mentioned in the review
cat -n packages/core/src/preflight/analyze-memory.ts | head -100

Repository: dev-dami/ignite

Length of output: 3754

---

🏁 Script executed:

# Search for where preflight dependencies config is defined/validated
rg -n "preflight.*dependencies|warnCount|infoCount" -g '*.ts' -g '*.json' --max-count=50

Repository: dev-dami/ignite

Length of output: 1169

---

🏁 Script executed:

# Look for config schema or type definitions related to preflight
rg -n "type.*preflight|interface.*preflight" -g '*.ts' -A 10 --max-count=30

Repository: dev-dami/ignite

Length of output: 1729

---

🏁 Script executed:

# Find the validatePreflightSection function to see what validation is actually done
rg -n "validatePreflightSection" -g '*.ts' -A 30 | head -80

Repository: dev-dami/ignite

Length of output: 6407

---

🏁 Script executed:

# Also check the type definitions in shared to see if there's any constraint
cat -n packages/shared/src/types.ts | grep -A 5 -B 5 "warnCount\|infoCount"

Repository: dev-dami/ignite

Length of output: 356

---

Add validation for warnCount > infoCount to dependencies config

The other preflight sections (memory, image, timeout) validate ordering constraints—warnRatio must be less than failRatio, warnMb must be less than failMb, minMs must be less than maxMs. The dependencies validation (lines 139-142 in load-service.ts) currently only checks that both values are positive and doesn't enforce warnCount > infoCount. If a user provides infoCount ≥ warnCount, the tiering logic breaks: a dependency count above infoCount will incorrectly trigger a 'warn' status instead of 'pass'.

Add a validation check in load-service.ts after line 142 (following the pattern used for memory, image, and timeout configs):

const dependencyConfig = pf['dependencies'] as Record<string, unknown> | undefined;
const warnCount = dependencyConfig?.['warnCount'];
const infoCount = dependencyConfig?.['infoCount'];
if (typeof warnCount === 'number' && typeof infoCount === 'number') {
  if (warnCount <= infoCount) {
    errors.push('preflight.dependencies.warnCount must be greater than preflight.dependencies.infoCount');
  }
}

🤖 Prompt for AI Agents

In `@packages/core/src/preflight/analyze-memory.ts` around lines 55 - 70, Add a
validation in the load-service preflight parsing to ensure
preflight.dependencies.warnCount > preflight.dependencies.infoCount: after
extracting dependencyConfig and the numeric warnCount and infoCount (the same
way memory/image/timeout validations do), check both are numbers and push an
error message via errors.push('preflight.dependencies.warnCount must be greater
than preflight.dependencies.infoCount') when warnCount <= infoCount; reference
the dependencyConfig/warnCount/infoCount variables and the errors array used in
load-service.ts so the preflight tiering logic remains consistent with other
sections.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, let's examine the file around the mentioned lines
wc -l packages/core/src/service/load-service.ts

Repository: dev-dami/ignite

Length of output: 104

---

🏁 Script executed:

#!/bin/bash
# View the relevant sections of the file
sed -n '116,210p' packages/core/src/service/load-service.ts

Repository: dev-dami/ignite

Length of output: 3219

---

🏁 Script executed:

#!/bin/bash
# Search for how infoCount and warnCount are used across the codebase
rg -n "infoCount|warnCount" --type=ts -C 2

Repository: dev-dami/ignite

Length of output: 2979

---

Add cross-field validation for dependencies thresholds.

The preflight.dependencies section allows both warnCount and infoCount but lacks validation for their logical ordering. The actual usage in analyze-memory.ts (lines 56-75) shows the expected relationship: infoCount triggers informational checks, warnCount triggers warnings. This requires infoCount < warnCount semantically—equivalent to the ordering validations applied to other preflight sections (e.g., warnRatio < failRatio for memory, warnMb < failMb for image).

Add a cross-field check ensuring infoCount < warnCount when both are defined, similar to the validations for other sections.

🤖 Prompt for AI Agents

In `@packages/core/src/service/load-service.ts` around lines 139 - 142, Add a
cross-field validation after the existing call to validatePreflightSection for
pf['dependencies']: when both pf['dependencies'].infoCount and
pf['dependencies'].warnCount are defined, check that infoCount < warnCount and
push an appropriate error into the errors array (use the same error
key/namespace 'preflight.dependencies' or 'preflight.dependencies.infoCount' to
match existing validations). Modify the block around
validatePreflightSection(pf['dependencies'], 'preflight.dependencies', errors, {
... }) to perform this additional check and append a descriptive error if the
ordering is violated.