mirror of https://github.com/bahdotsh/wrkflw.git synced 2026-02-24 03:49:45 +01:00

Files

bahdotsh 460357d9fe feat: Add comprehensive sandboxing for secure emulation mode

Security Features:
- Implement secure emulation runtime with command sandboxing
- Add command validation, filtering, and dangerous pattern detection
- Block harmful commands like 'rm -rf /', 'sudo', 'dd', etc.
- Add resource limits (CPU, memory, execution time, process count)
- Implement filesystem isolation and access controls
- Add environment variable sanitization
- Support shell operators (&&, ||, |, ;) with proper parsing

New Runtime Mode:
- Add 'secure-emulation' runtime option to CLI
- Update UI to support new runtime mode with green security indicator
- Mark legacy 'emulation' mode as unsafe in help text
- Default to secure mode for local development safety

Documentation:
- Create comprehensive security documentation (README_SECURITY.md)
- Update main README with security mode information
- Add example workflows demonstrating safe vs dangerous commands
- Include migration guide and best practices

Testing:
- Add comprehensive test suite for sandbox functionality
- Include security demo workflows for testing
- Test dangerous command blocking and safe command execution
- Verify resource limits and timeout functionality

Code Quality:
- Fix all clippy warnings with proper struct initialization
- Add proper error handling and user-friendly security messages
- Implement comprehensive logging for security events
- Follow Rust best practices throughout

This addresses security concerns by preventing accidental harmful
commands while maintaining full compatibility with legitimate CI/CD
workflows. Users can now safely run untrusted workflows locally
without risk to their host system.

2025-08-13 14:30:51 +05:30

evaluator

docs(readme): add per-crate READMEs and enhance wrkflw crate README

2025-08-12 15:09:38 +05:30

executor

feat: Add comprehensive sandboxing for secure emulation mode

2025-08-13 14:30:51 +05:30

github

docs(readme): add per-crate READMEs and enhance wrkflw crate README

2025-08-12 15:09:38 +05:30

gitlab

docs(readme): add per-crate READMEs and enhance wrkflw crate README

2025-08-12 15:09:38 +05:30

logging

docs(readme): add per-crate READMEs and enhance wrkflw crate README

2025-08-12 15:09:38 +05:30

matrix

docs(readme): add per-crate READMEs and enhance wrkflw crate README

2025-08-12 15:09:38 +05:30

models

docs(readme): add per-crate READMEs and enhance wrkflw crate README

2025-08-12 15:09:38 +05:30

parser

fix: Support array format for runs-on field in GitHub Actions workflows

2025-08-13 13:21:58 +05:30

runtime

feat: Add comprehensive sandboxing for secure emulation mode

2025-08-13 14:30:51 +05:30

feat: Add comprehensive sandboxing for secure emulation mode

2025-08-13 14:30:51 +05:30

utils

docs(readme): add per-crate READMEs and enhance wrkflw crate README

2025-08-12 15:09:38 +05:30

validators

docs(readme): add per-crate READMEs and enhance wrkflw crate README

2025-08-12 15:09:38 +05:30

wrkflw

feat: Add comprehensive sandboxing for secure emulation mode

2025-08-13 14:30:51 +05:30

README.md

Refactor: Migrate modules to workspace crates

2025-05-02 12:53:41 +05:30

README.md

Wrkflw Crates

This directory contains the Rust crates that make up the Wrkflw project. The project has been restructured to use a workspace-based approach with individual crates for better modularity and maintainability.

Crate Structure

wrkflw: Main binary crate and entry point for the application
models: Data models and structures used throughout the application
evaluator: Workflow evaluation functionality
executor: Workflow execution engine
github: GitHub API integration
gitlab: GitLab API integration
logging: Logging functionality
matrix: Matrix-based parallelization support
parser: Workflow parsing functionality
runtime: Runtime execution environment
ui: User interface components
utils: Utility functions
validators: Validation functionality

Dependencies

Each crate has its own Cargo.toml file that defines its dependencies. The root Cargo.toml file defines the workspace and shared dependencies.

Build Instructions

To build the entire project:

cargo build

To build a specific crate:

cargo build -p <crate-name>

Testing

To run tests for the entire project:

cargo test

To run tests for a specific crate:

cargo test -p <crate-name>

Rust Best Practices

When contributing to wrkflw, please follow these Rust best practices:

Code Organization

Place modules in their respective crates to maintain separation of concerns
Use pub selectively to expose only the necessary APIs
Follow the Rust module system conventions (use mod and pub mod appropriately)

Errors and Error Handling

Prefer using the thiserror crate for defining custom error types
Use the ? operator for error propagation instead of match statements when appropriate
Implement custom error types that provide context for the error
Avoid using .unwrap() and .expect() in production code

Performance

Profile code before optimizing using tools like cargo flamegraph
Use Arc and Mutex judiciously for shared mutable state
Leverage Rust's zero-cost abstractions (iterators, closures)
Consider adding benchmark tests using the criterion crate for performance-critical code

Security

Validate all input, especially from external sources
Avoid using unsafe code unless absolutely necessary
Handle secrets securely using environment variables
Check for integer overflows with checked_ operations

Testing

Write unit tests for all public functions
Use integration tests to verify crate-to-crate interactions
Consider property-based testing for complex logic
Structure tests with clear preparation, execution, and verification phases

Tooling

Run cargo clippy before committing changes to catch common mistakes
Use cargo fmt to maintain consistent code formatting
Enable compiler warnings with #![warn(clippy::all)]

For more detailed guidance, refer to the project's best practices documentation.