Skip to content

fix: apply unresolved PR2 review suggestions#3

Merged
SMSDAO merged 4 commits intomainfrom
copilot/fix-suggested-changes-from-pr2
May 7, 2026
Merged

fix: apply unresolved PR2 review suggestions#3
SMSDAO merged 4 commits intomainfrom
copilot/fix-suggested-changes-from-pr2

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 7, 2026
edited
Loading

Five unresolved Copilot review comments from PR #2 were never acted on before merge. This addresses all of them, plus follow-up improvements based on subsequent review feedback.

Changes

README.md

  • Replace corrupted •• (bad encoding) with 🤖 on line 25

Dockerfile + Kubernetes

  • Set USER node before WORKDIR /app in the runner stage so Docker creates /app already owned by the node user — no extra chown layer needed
  • Use COPY --chown=node:node for all artifacts in the runner stage; npm ci --omit=dev runs as node
  • Add runAsUser: 1000 / runAsGroup: 1000 to the pod-level securityContext in the K8s Deployment to satisfy runAsNonRoot: true

core/wasm/workerPool.ts

  • Validate maxQueueSize is a non-negative safe integer; throws on -1, NaN, Infinity, etc.
if (!Number.isSafeInteger(rawMaxQueueSize) || rawMaxQueueSize < 0) {
  throw new Error('WorkerPool: maxQueueSize must be a non-negative safe integer');
}

core/wasm/wasmRunner.ts

  • Validate defaultTimeoutMs and maxTimeoutMs are positive finite numbers
  • Enforce maxTimeoutMs >= defaultTimeoutMs at construction time
if (!Number.isFinite(defaultTimeoutMs) || defaultTimeoutMs <= 0) {
  throw new Error('WasmRunner: defaultTimeoutMs must be a positive finite number');
}
if (!Number.isFinite(maxTimeoutMs) || maxTimeoutMs <= 0) {
  throw new Error('WasmRunner: maxTimeoutMs must be a positive finite number');
}
if (maxTimeoutMs < defaultTimeoutMs) {
  throw new Error('WasmRunner: maxTimeoutMs must be >= defaultTimeoutMs');
}

tests/workerPool.load.test.ts

  • Add unit tests asserting invalid maxQueueSize values (-1, NaN, Infinity, fractional) throw the expected error

tests/wasm.determinism.test.ts

  • Add WasmRunner constructor validation suite covering non-positive/non-finite defaultTimeoutMs, non-positive/non-finite maxTimeoutMs, and maxTimeoutMs < defaultTimeoutMs

@SMSDAO
fix: apply PR2 review suggestions (emoji, k8s non-root user, timeout/…
a6e64c2 
…queue validation)"

Agent-Logs-Url: https://github.com/Algodons/agentos/sessions/5c427c7f-c6a3-407b-860f-916d0b08a58b

Co-authored-by: SMSDAO <144380926+SMSDAO@users.noreply.github.com>
@SMSDAO SMSDAO requested review from SMSDAO and Copilot May 7, 2026 16:57
Copilot AI reviewed May 7, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses previously unacted Copilot review items by fixing a README encoding artifact, aligning container/Kubernetes non-root execution settings, and adding stricter runtime option validation in the WASM execution utilities.

Changes:

  • Fix a corrupted character in the README feature list.
  • Run the Docker image as the node user and align Kubernetes securityContext with UID/GID 1000.
  • Add input validation for WorkerPool.maxQueueSize and WasmRunner timeout configuration.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
README.md Replaces corrupted glyph with the intended emoji in the feature list.
Dockerfile Ensures runtime is non-root by chowning /app and switching to USER node.
deploy/k8s/base/deployment.yaml Sets runAsUser/runAsGroup to match the container’s non-root user.
core/wasm/workerPool.ts Validates maxQueueSize as a non-negative safe integer before assignment.
core/wasm/wasmRunner.ts Validates timeout options and enforces maxTimeoutMs >= defaultTimeoutMs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Dockerfile Outdated
Comment on lines +24 to +25
RUN chown -R node:node /app
USER node
Comment thread core/wasm/workerPool.ts
Comment on lines +29 to +33
const rawMaxQueueSize = normalized.maxQueueSize ?? concurrency * 100;
if (!Number.isSafeInteger(rawMaxQueueSize) || rawMaxQueueSize < 0) {
throw new Error('WorkerPool: maxQueueSize must be a non-negative safe integer');
}
this.maxQueueSize = rawMaxQueueSize;
Comment thread core/wasm/wasmRunner.ts
Comment on lines +32 to +43
const defaultTimeoutMs = options.defaultTimeoutMs ?? 10_000;
const maxTimeoutMs = options.maxTimeoutMs ?? 60_000;

if (!Number.isFinite(defaultTimeoutMs) || defaultTimeoutMs <= 0) {
throw new Error('WasmRunner: defaultTimeoutMs must be a positive finite number');
}
if (!Number.isFinite(maxTimeoutMs) || maxTimeoutMs <= 0) {
throw new Error('WasmRunner: maxTimeoutMs must be a positive finite number');
}
if (maxTimeoutMs < defaultTimeoutMs) {
throw new Error('WasmRunner: maxTimeoutMs must be >= defaultTimeoutMs');
}
@SMSDAO
Copy link
Copy Markdown
Contributor

SMSDAO commented May 7, 2026

@copilot apply changes based on the comments in this thread

Copy link
Copy Markdown
Contributor Author

Copilot AI commented May 7, 2026

@copilot apply changes based on the comments in this thread

Applied all three review comments in commit 860f400 (with a follow-up cde4cfa to revert an unintentional package-lock.json change):

  1. Dockerfile — removed RUN chown -R node:node /app. All COPY lines in the runner stage now use --chown=node:node, and USER node is set before npm ci --omit=dev so node_modules is also created with the correct ownership.

  2. tests/workerPool.load.test.ts — added a test case asserting that -1, NaN, Infinity, and 1.5 all throw 'WorkerPool: maxQueueSize must be a non-negative safe integer'.

  3. tests/wasm.determinism.test.ts — added a WasmRunner constructor validation suite covering: non-positive/non-finite defaultTimeoutMs, non-positive/non-finite maxTimeoutMs, and maxTimeoutMs < defaultTimeoutMs.

Copilot finished work on behalf of SMSDAO May 7, 2026 18:09
@SMSDAO
fix: set USER node before WORKDIR so /app is owned by node without ex…
7a95ba0 
…tra chown layer

Agent-Logs-Url: https://github.com/Algodons/agentos/sessions/66b4d71e-9b39-41cc-98ba-f3fd4b3f8018

Co-authored-by: SMSDAO <144380926+SMSDAO@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented May 7, 2026

@copilot apply changes based on the comments in this thread

Done in commit 7a95ba0. Here's what was applied from the three review comments:

  1. Dockerfile — replaced RUN chown -R node:node /app with a zero-overhead approach: USER node is now set before WORKDIR /app, so Docker creates /app already owned by node. All COPY instructions use --chown=node:node and npm ci --omit=dev runs as node. No extra chown layer.

  2. workerPool tests — added rejects invalid maxQueueSize configuration covering -1, NaN, Infinity, and fractional values.

  3. wasmRunner tests — added WasmRunner constructor validation suite covering non-positive/non-finite defaultTimeoutMs, non-positive/non-finite maxTimeoutMs, and maxTimeoutMs < defaultTimeoutMs.

Copilot finished work on behalf of SMSDAO May 7, 2026 18:12
@SMSDAO SMSDAO marked this pull request as ready for review May 7, 2026 18:31
@SMSDAO SMSDAO merged commit 9fbd6be into main May 7, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@SMSDAO SMSDAO SMSDAO approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@SMSDAO SMSDAO

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@SMSDAO