ci: harden workflows, document audit hardening, and add security tests by TrentPierce · Pull Request #3 · TrentPierce/Koda

TrentPierce · 2026-02-10T14:47:03Z

Make GitHub CI deterministic and fail-fast when lockfile drift or install issues occur by removing fallback npm install and using consistent npm ci --omit=optional --legacy-peer-deps flags.
Surface and document recent runtime hardening from the audit so downstream consumers and contributors can see what was implemented.
Reduce cross-platform CI flakes and improve security posture for outbound network and filesystem tool usage.

Normalized and hardened CI workflows by updating .github/workflows/ci.yml, .github/workflows/ci-minimal.yml, and .github/workflows/diagnostic.yml to use npm ci --omit=optional --legacy-peer-deps and removed masking fallbacks to ensure lockfile consistency and deterministic installs.
Updated package.json to stop swallowing failures by making test, lint, and build scripts strict and added "*.js" into files to ensure root-level runtime modules are packaged.
Implemented runtime hardening: added in-memory rate-limiting and safer host default (127.0.0.1) in src/api/RestAPIServer.js, added URL validation/allowlist and private-host blocking in src/tools/APITool.js, and strengthened path normalization, boundary checks, and symlink rejection in src/tools/FileTool.js.
Added focused unit tests tests/unit/api.rateLimit.test.js, tests/unit/tools/apiToolSecurity.test.js, and tests/unit/tools/fileToolSecurity.test.js, and adjusted the symlink test to skip on Windows to avoid CI permission flakiness, plus README and audit report updates documenting implemented items.

Ran node -c syntax checks on modified runtime and test files and they passed (src/api/RestAPIServer.js, src/tools/APITool.js, src/tools/FileTool.js, bin/koda.js, and new test files passed).
Performed npm ci --omit=optional --legacy-peer-deps --dry-run which completed successfully to validate deterministic install behavior in CI context.
Executed npm pack --dry-run to validate package contents and confirm root-level runtime modules are included (success).
Attempted npm test / real Jest runs but they could not be executed in this environment due to registry / binary availability constraints, so unit tests are present but could not be run here (unable to execute in-runner jest).

ci: harden workflows and document implemented improvements

9bda813

TrentPierce added the codex label Feb 10, 2026 — with ChatGPT Codex Connector

TrentPierce merged commit e2e2ea5 into main Feb 10, 2026
9 of 10 checks passed

TrentPierce deleted the codex/audit-project-for-browser-automation-improvements branch February 10, 2026 14:48

Provide feedback