Skip to content

feat(cli): add --memory-limit flag with 2g default #322

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Copilot wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(cli): add --memory-limit flag with 2g default #322

Copilot wants to merge 2 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Jan 17, 2026
edited
Loading

Reduces default container memory limit from 4GB to 2GB to prevent resource exhaustion DoS in shared CI/CD environments. Adds --memory-limit flag for workloads requiring more memory.

Changes

  • src/types.ts: Add memoryLimit field to WrapperConfig
  • src/cli.ts: Add --memory-limit flag with format validation (<number>m or <number>g)
  • src/docker-manager.ts: Use config.memoryLimit || '2g' for container resource limits
  • docs/usage.md: Document flag with recommended limits for different workloads

Usage

# Default: 2GB (sufficient for most commands)
sudo awf --allow-domains github.com -- curl https://api.github.com

# AI workload needing more memory
sudo awf --memory-limit 8g --allow-domains api.openai.com \
  -- 'npx @github/copilot@latest -p "analyze large codebase"'

# Conservative limit for untrusted code
sudo awf --memory-limit 1g --allow-domains registry.npmjs.org -- npm install

Invalid formats (-1g, abc, 0m) are rejected with clear error messages.

Original prompt

This section details on the original issue you should resolve

<issue_title>[plan] reduce default memory limit with configurable override</issue_title>
<issue_description>## Objective

Reduce default memory limit from 4GB to 2GB to prevent resource exhaustion DoS in shared environments, with --memory-limit flag for override.

Context

Current state: Agent container limited to 4GB memory (line 234 in src/docker-manager.ts)

Risk: In shared CI/CD environments, malicious code could exhaust memory and impact other jobs.

Risk level: 🟡 MEDIUM - Resource exhaustion DoS

Trade-off: AI workloads (LLM inference, code analysis) may require higher memory limits for legitimate use cases.

Implementation Approach

  1. Add --memory-limit CLI flag accepting values like 2g, 4g, 8g
  2. Change default from 4g to 2g for better DoS protection
  3. Validate input format (positive integer with unit suffix)
  4. Update Docker Compose memory limit configuration
  5. Document when higher limits needed (AI agents, large repos)

Files to Modify

  • src/cli.ts - Add --memory-limit flag with validation
  • src/docker-manager.ts - Line 234: Use config value instead of hardcoded 4g
  • src/types.ts - Add memoryLimit to WrapperConfig interface
  • README.md - Document flag and appropriate values for different workloads
  • AGENTS.md - Update documentation of resource limits

Examples

# Use default 2GB (sufficient for most commands)
awf --allow-domains github.com 'curl https://api.github.com'

# AI agent workload needs more memory
awf --memory-limit 8g --allow-domains api.openai.com \
  'npx @github/copilot@latest -p "analyze large codebase"'

# Explicitly set conservative limit for untrusted code
awf --memory-limit 1g --allow-domains registry.npmjs.org 'npm install'

Testing

  • Verify default is 2GB when flag not specified
  • Test custom values (1g, 4g, 8g)
  • Validate error on invalid formats (-1g, abc, 2x)
  • Confirm Docker container respects limit (check docker stats)

Acceptance Criteria

  • Default memory limit reduced to 2GB
  • --memory-limit flag accepts values with unit suffix
  • Invalid formats rejected with clear error message
  • Docker container memory limit matches specified value
  • Documentation explains appropriate limits for different workloads
  • No breaking changes (users can override back to 4GB)
    Related to [plan] security improvements from threat model review #306

AI generated by Plan Command for discussion #302

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@Mossaka
feat(cli): add --memory-limit flag with 2g default
1582906 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Reduce default memory limit to 2GB with configurable override feat(cli): add --memory-limit flag with 2g default Jan 17, 2026
Copilot AI requested a review from Mossaka January 17, 2026 21:29
@Mossaka Mossaka marked this pull request as ready for review January 18, 2026 01:35
@github-actions
Copy link

github-actions bot commented Jan 18, 2026

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 77.88% 77.84% 📉 -0.04%
Statements 77.94% 77.90% 📉 -0.04%
Functions 77.29% 77.41% 📈 +0.12%
Branches 71.00% 71.05% 📈 +0.05%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/cli.ts 35.5% → 37.6% (+2.09%) 35.5% → 37.6% (+2.09%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mossaka Mossaka Awaiting requested review from Mossaka

Assignees

@Mossaka Mossaka

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[plan] reduce default memory limit with configurable override

2 participants

@Mossaka