Skip to content

feat(cli): add --with-policy flag#101

Merged
feloy merged 1 commit into
openkaiden:mainfrom
feloy:no-policies
Jun 18, 2026
Merged

feat(cli): add --with-policy flag#101
feloy merged 1 commit into
openkaiden:mainfrom
feloy:no-policies

Conversation

@feloy

@feloy feloy commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

policy.yaml is now opt-in: the file is built and copied into the image only when --with-policy is passed. Without the flag no policy file is staged and the COPY instruction is omitted from the Containerfile.

@codecov

codecov Bot commented Jun 18, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 99.24242% with 1 line in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
src/main.rs 96.00% 1 Missing ⚠️

📢 Thoughts on this report? Let us know!

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@feloy, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 33 minutes and 48 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a33778a7-e80e-4f68-a4d7-3f25fb00c0b1

📥 Commits

Reviewing files that changed from the base of the PR and between b1a56be and ac2eff7.

📒 Files selected for processing (4)
  • README.md
  • src/containerfile.rs
  • src/main.rs
  • tests/integration_test.rs
📝 Walkthrough

Walkthrough

A new --with-policy boolean CLI flag is introduced. When set, run() builds policy.yaml and writes it to the build context, and containerfile::generate / final_stage conditionally emits a COPY policy.yaml /etc/openshell/policy.yaml instruction. When absent, no policy file is written and no COPY is emitted. All call sites, tests, and README docs are updated accordingly.

Changes

--with-policy flag for optional sandbox policy inclusion

Layer / File(s) Summary
Conditional policy injection in generate/final_stage
src/containerfile.rs
generate gains with_policy: bool, passes it to final_stage, which builds a conditional policy_section string (COPY policy.yaml ... or empty) and interpolates it into the containerfile output.
CLI flag and run() conditional policy build
src/main.rs
Cli gains --with-policy, main() passes it to run(), and run() conditionally calls build_policy / writes policy.yaml before calling containerfile::generate with the flag.
README docs for --with-policy
README.md
Layer list, sandbox policy section, and full option reference table updated to describe that policy.yaml is only included when --with-policy is passed.
containerfile.rs unit test signature updates and policy assertions
src/containerfile.rs
build_cf test helper accepts with_policy; all distro-focused tests supply false; policy-placement tests supply true and assert COPY ordering relative to USER sandbox.
main.rs unit test updates and new policy flag test
src/main.rs
Existing run() call sites updated to pass with_policy: false; new run_with_policy_flag_succeeds test calls run() with with_policy=true and asserts Ok.
Integration test image builders and with_policy test module
tests/integration_test.rs
All base image helpers updated to pass --with-policy; new UBUNTU_NO_POLICY_IMAGE singleton and ubuntu_no_policy_image() helper build without the flag; new with_policy test module asserts policy.yaml presence, ownership, and absence; cleanup_images extended.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The PR title 'feat(cli): add --with-policy flag' accurately and concisely summarizes the main change: adding a CLI flag for controlling policy.yaml inclusion in built images.
Description check ✅ Passed The PR description clearly explains the purpose of the change: making policy.yaml opt-in via --with-policy flag, with behavior specified for both flag presence and absence.
Docstring Coverage ✅ Passed Docstring coverage is 91.67% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/containerfile.rs`:
- Around line 278-282: The COPY instruction in the policy_section variable is
missing the --chown flag to set proper file ownership. When the COPY command
executes before the USER directive, the file is owned by root:root, but the
integration test policy_yaml_owned_by_sandbox expects it to be owned by
sandbox:sandbox. Add --chown=sandbox:sandbox to the COPY instruction in the
policy_section string to ensure the policy.yaml file has the correct ownership
set during the container build.

In `@tests/integration_test.rs`:
- Around line 2575-2583: The test function policy_yaml_owned_by_sandbox is
asserting that the policy.yaml file is owned by "sandbox", but the containerfile
copy command does not specify --chown, so the file is actually owned by "root"
by default. Update the assertion in policy_yaml_owned_by_sandbox to expect
"root" as the owner instead of "sandbox" to match the current containerfile
behavior, or alternatively update the containerfile.rs copy command to include
--chown=sandbox to make the test assertion correct.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ec7d6769-1bdb-4fc7-9673-633261cf4c40

📥 Commits

Reviewing files that changed from the base of the PR and between a6c800c and b1a56be.

📒 Files selected for processing (4)
  • README.md
  • src/containerfile.rs
  • src/main.rs
  • tests/integration_test.rs

Comment thread src/containerfile.rs
Comment thread tests/integration_test.rs Outdated
policy.yaml is now opt-in: the file is built and copied into the
image only when --with-policy is passed. Without the flag no
policy file is staged and the COPY instruction is omitted from
the Containerfile.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Philippe Martin <phmartin@redhat.com>
@feloy feloy merged commit 75b5905 into openkaiden:main Jun 18, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant