Skip to content

feat: Add dockerguard kit#203

Open
justbeingsniper wants to merge 21 commits into
Lamatic:mainfrom
justbeingsniper:feat/dockerguard
Open

feat: Add dockerguard kit#203
justbeingsniper wants to merge 21 commits into
Lamatic:mainfrom
justbeingsniper:feat/dockerguard

Conversation

@justbeingsniper

@justbeingsniper justbeingsniper commented Jul 9, 2026

Copy link
Copy Markdown

DockerGuard — a Dockerfile & docker-compose security auditor

DockerGuard reviews a Dockerfile or docker-compose file and returns a scored audit. For every issue it shows the exact line, why it matters, and the fix, plus an overall score and letter grade. It catches problems at build-definition time — hardcoded secrets, running as root, latest base tags, cache-busting layer order, missing multi-stage builds, and more.

What's included

  • flows/dockerguard-audit.ts — API Request (trigger) → Generate Text (LLM, strict JSON) → API Response, exported from Lamatic Studio
  • Externalized prompts, model config, and constitution
  • A Next.js app with light and dark themes: score gauge, severity breakdown, annotated source with per-line markers, findings grouped by severity, and report export (JSON / Markdown / PDF)

Notes

  • Static analysis only — never builds, runs, or fetches anything
  • Detected secrets are redacted in the output
  • npm install and npm run build pass; deployed and verified on Vercel

Unique problem statement — no existing kit audits Dockerfiles or compose files.

  • Added DockerGuard kit + docs/scaffolding (kits/dockerguard/)

    • kits/dockerguard/.env.example
    • kits/dockerguard/.gitignore
    • kits/dockerguard/README.md
    • kits/dockerguard/agent.md
    • kits/dockerguard/constitutions/default.md
    • kits/dockerguard/lamatic.config.ts
    • kits/dockerguard/model-configs/dockerguard-audit_llmnode-540_generative-model-name.ts
    • kits/dockerguard/prompts/dockerguard-audit_llmnode-540_system_0.md
    • kits/dockerguard/prompts/dockerguard-audit_llmnode-540_user_1.md
    • kits/dockerguard/flows/dockerguard-audit.ts
    • kits/dockerguard/assets/dockerguard-input.png
    • kits/dockerguard/assets/dockerguard-overview.png
    • kits/dockerguard/assets/dockerguard-light.png
    • kits/dockerguard/assets/dockerguard-dark.png
  • Added Lamatic DockerGuard audit flow (kits/dockerguard/flows/)

    • What it does: static-only Dockerfile/docker-compose auditing; takes raw text and returns a structured JSON report (score/grade/summary, severity-sorted findings with line-level fixes, and passed checks). No execution/build/pull/fetch.
    • Nodes (node types introduced) + wiring
      • triggerNode_1triggerNode (graphqlNode) API request trigger with advance_schema exposing:
        • required: dockerfile: string
        • optional: file_type: string, filename: string
      • LLMNode_540dynamicNode (LLMNode) “Generate Text” using:
        • system/user prompts from @prompts/...
        • model config from @model-configs/...
        • emits output.generatedResponse
      • responseNode_triggerNode_1responseNode (graphqlResponseNode) sets content-type: application/json and maps:
        • report: {{LLMNode_540.output.generatedResponse}}
      • Edges
        • triggerNode_1 → LLMNode_540 (defaultEdge)
        • LLMNode_540 → responseNode_triggerNode_1 (defaultEdge)
        • triggerNode_1 → responseNode_triggerNode_1 (responseEdge)
  • Added DockerGuard Next.js audit UI (kits/dockerguard/apps/)

    • kits/dockerguard/apps/.env.example
    • kits/dockerguard/apps/.gitignore
    • kits/dockerguard/apps/package.json
    • kits/dockerguard/apps/package-lock.json
    • kits/dockerguard/apps/next.config.mjs
    • kits/dockerguard/apps/postcss.config.mjs
    • kits/dockerguard/apps/tailwind.config.ts
    • kits/dockerguard/apps/tsconfig.json
    • kits/dockerguard/apps/orchestrate.js (app config: API endpoint/keys + flows.audit.workflowId from DOCKERGUARD_AUDIT)
    • kits/dockerguard/apps/actions/orchestrate.ts (server action: runs the Lamatic flow and strictly parses/normalizes the JSON report)
    • kits/dockerguard/apps/app/globals.css (Tailwind + design tokens including severity color variables)
    • kits/dockerguard/apps/app/layout.tsx (root layout + fonts + theme pre-application script)
    • kits/dockerguard/apps/app/page.tsx (editor + “Run audit” UI, report display, and export entry)
    • UI/components/libs:
      • kits/dockerguard/apps/components/annotated-dockerfile.tsx
      • kits/dockerguard/apps/components/audit-report.tsx
      • kits/dockerguard/apps/components/copy-button.tsx
      • kits/dockerguard/apps/components/export-menu.tsx (JSON/Markdown/PDF export)
      • kits/dockerguard/apps/components/score-ring.tsx
      • kits/dockerguard/apps/components/theme-toggle.tsx
      • kits/dockerguard/apps/lib/types.ts
      • kits/dockerguard/apps/lib/severity.ts
      • kits/dockerguard/apps/lib/sample.ts
      • kits/dockerguard/apps/lib/lamatic-client.ts
      • kits/dockerguard/apps/lib/report-format.ts

Copilot AI review requested due to automatic review settings July 9, 2026 20:48
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

DockerGuard adds a Lamatic audit flow and a Next.js application for submitting Dockerfiles or compose files, normalizing and displaying audit reports, exporting results, configuring local deployment, and documenting setup and safety constraints.

Changes

DockerGuard AgentKit

Layer / File(s) Summary
Lamatic flow, prompts, model config, and kit config
kits/dockerguard/flows/dockerguard-audit.ts, kits/dockerguard/prompts/*, kits/dockerguard/model-configs/*, kits/dockerguard/lamatic.config.ts, kits/dockerguard/constitutions/default.md
Defines the dockerguard-audit flow, strict JSON prompt contract, model configuration, kit metadata, and constitution.
Shared types and server audit action
kits/dockerguard/apps/lib/types.ts, kits/dockerguard/apps/lib/lamatic-client.ts, kits/dockerguard/apps/orchestrate.js, kits/dockerguard/apps/actions/orchestrate.ts
Defines audit data shapes, Lamatic configuration and client initialization, flow execution, response extraction, validation, normalization, and error handling.
Severity helpers and report export formats
kits/dockerguard/apps/lib/severity.ts, kits/dockerguard/apps/lib/report-format.ts, kits/dockerguard/apps/lib/sample.ts
Adds severity and score-band helpers, JSON/Markdown/printable HTML serialization, and the sample Dockerfile.
Report UI components
kits/dockerguard/apps/components/*
Adds report summaries, severity groups, finding details, annotated source lines, copy actions, export actions, score visualization, and theme switching.
App page, layout, and global styling
kits/dockerguard/apps/app/*
Implements the audit input/results flow, root metadata and theme initialization, and global design tokens and base styles.
App build and tooling configuration
kits/dockerguard/apps/package.json, kits/dockerguard/apps/tsconfig.json, kits/dockerguard/apps/next.config.mjs, kits/dockerguard/apps/tailwind.config.ts, kits/dockerguard/apps/postcss.config.mjs, kits/dockerguard/apps/.env.example, kits/dockerguard/apps/.gitignore
Adds app scripts, dependencies, compiler and framework configuration, Tailwind/PostCSS setup, environment placeholders, and local artifact exclusions.
Kit docs and top-level templates
kits/dockerguard/.env.example, kits/dockerguard/.gitignore, kits/dockerguard/README.md, kits/dockerguard/agent.md
Documents DockerGuard usage, deployment, report output, structure, safety constraints, environment variables, and kit-level local files.

Suggested reviewers: amanintech, d-pamneja

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 22.22% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check ⚠️ Warning The description covers the kit, but it does not follow the repository’s PR checklist template or confirm several required checklist items. Rewrite the PR description using the provided checklist sections and explicitly confirm the required template items, validation, and file-structure checks.
✅ Passed checks (3 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title is concise and accurately names the main change: adding the DockerGuard kit.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

:robot_face: AgentKit Structural Validation

New Contributions Detected

  • Kit: kits/dockerguard

Check Results

Check Status
No edits to existing kits ✅ Pass
Required root files present ✅ Pass
Flow .ts files present ✅ Pass
lamatic.config.ts valid ✅ Pass
No changes outside kits/ ✅ Pass

🎉 All checks passed! This contribution follows the AgentKit structure.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new DockerGuard kit to AgentKit: a Lamatic flow that statically audits Dockerfiles/docker-compose files and a Next.js UI to run audits and render/export a scored report.

Changes:

  • Introduces the dockerguard-audit Lamatic flow with externalized prompts/constitution/model config and strict JSON output contract.
  • Adds a standalone Next.js app (Tailwind-based) to submit input, display an annotated report, and export JSON/Markdown/printable PDF.
  • Adds kit metadata, docs, and environment templates for local and Vercel deployment.

Reviewed changes

Copilot reviewed 33 out of 38 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
kits/dockerguard/README.md Kit documentation, screenshots, and setup instructions.
kits/dockerguard/agent.md Agent/flow behavior spec and integration notes.
kits/dockerguard/lamatic.config.ts Kit metadata (name, tags, links, required env step).
kits/dockerguard/flows/dockerguard-audit.ts Exported Lamatic flow definition (trigger → LLM → response).
kits/dockerguard/prompts/dockerguard-audit_llmnode-540_system_0.md System prompt defining rules, scoring, and strict JSON schema.
kits/dockerguard/prompts/dockerguard-audit_llmnode-540_user_1.md User prompt injecting file contents and returning strict JSON.
kits/dockerguard/constitutions/default.md Safety/handling constitution (no execution, redact secrets, strict output).
kits/dockerguard/model-configs/dockerguard-audit_llmnode-540_generative-model-name.ts Default model/provider configuration for the LLM node.
kits/dockerguard/.gitignore Kit-level ignore rules (env/build artifacts).
kits/dockerguard/.env.example Kit-level env template pointing to apps/.env.local.
kits/dockerguard/apps/package.json Next.js app package definition and dependencies.
kits/dockerguard/apps/package-lock.json Dependency lockfile for the app.
kits/dockerguard/apps/tsconfig.json TypeScript configuration for the Next.js app.
kits/dockerguard/apps/tailwind.config.ts Tailwind theme/token configuration.
kits/dockerguard/apps/postcss.config.mjs PostCSS setup for Tailwind + autoprefixer.
kits/dockerguard/apps/next.config.mjs Next.js configuration (strict mode).
kits/dockerguard/apps/.gitignore App-level ignore rules (node_modules, .next, env files).
kits/dockerguard/apps/.env.example App env template for flow ID + Lamatic API credentials.
kits/dockerguard/apps/orchestrate.js Centralized env-driven runtime config for flow invocation.
kits/dockerguard/apps/actions/orchestrate.ts Server action to call Lamatic flow and parse/normalize the JSON report.
kits/dockerguard/apps/lib/lamatic-client.ts Lamatic SDK client initialization for server-side calls.
kits/dockerguard/apps/lib/types.ts Shared TypeScript types for report/findings.
kits/dockerguard/apps/lib/severity.ts Severity normalization, labels/icons, score band colors.
kits/dockerguard/apps/lib/sample.ts Sample Dockerfile used by “Load example”.
kits/dockerguard/apps/lib/report-format.ts JSON/Markdown/printable HTML exporters for the report.
kits/dockerguard/apps/components/theme-toggle.tsx Client-side light/dark mode toggle.
kits/dockerguard/apps/components/score-ring.tsx Score ring visualization component.
kits/dockerguard/apps/components/export-menu.tsx Export menu (copy/download/print).
kits/dockerguard/apps/components/copy-button.tsx Reusable copy-to-clipboard UI control.
kits/dockerguard/apps/components/audit-report.tsx Main report view (severity groups, passed checks, annotation).
kits/dockerguard/apps/components/annotated-dockerfile.tsx Annotated source viewer with per-line severity markers.
kits/dockerguard/apps/app/layout.tsx App shell + early theme init script + metadata.
kits/dockerguard/apps/app/page.tsx Main UI page (input → run audit → results view).
kits/dockerguard/apps/app/globals.css Design tokens + base styles + severity theming.
Files not reviewed (1)
  • kits/dockerguard/apps/package-lock.json: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

ADD . /app
WORKDIR /app

ENV API_KEY=sk-live-abc123secret
"tags": ["devops", "security", "generative"],
"testInput": {
"dockerfile":
"FROM node:latest\nADD . /app\nWORKDIR /app\nENV API_KEY=sk-live-123456\nRUN apt-get update\nRUN npm install\nEXPOSE 3000\nCMD npm start",
Comment on lines +9 to +18
if (!config.api.endpoint || !config.api.apiKey) {
throw new Error(
"Lamatic API credentials are not set. Check your .env.local file."
);
}
client = new Lamatic({
endpoint: config.api.endpoint,
projectId: config.api.projectId ?? null,
apiKey: config.api.apiKey,
});

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/dockerguard/apps/actions/orchestrate.ts`:
- Around line 48-61: The findings array in parseReport is still passed through
unnormalized, so partial LLM output can break the report and produce undefined
fields in toMarkdown. Update orchestrate.ts so parseReport validates each item
in parsed.findings and maps them through normalizeFinding, giving default values
for missing Finding fields like id, why, and fix instead of returning raw
objects. Keep the existing top-level normalization intact and ensure
normalizeFinding is used consistently for all findings.
- Line 4: The orchestration action is still importing step metadata from the
app-level orchestrate module instead of the kit-level config. Update the import
in orchestrate.ts to read the step definition from the kit’s lamatic.config
source while keeping the app config for env/API values, and verify the wiring in
the orchestrate flow stays aligned through the config symbol being used.

In `@kits/dockerguard/apps/app/page.tsx`:
- Around line 93-99: The textarea in the page component lacks an accessible
name, so add a proper label via the existing textarea element in app/page.tsx by
giving it an aria-label or connecting it to a visible label with
aria-labelledby; update the textarea used with content/setContent so assistive
technologies can announce its purpose.
- Around line 93-99: Disable the textarea in the page component while the async
audit is in progress. Update the textarea in page.tsx to use the existing
audit-running state (or add one around the audit trigger) so the content field
cannot be edited during the in-flight call, and re-enable it once the audit
completes or fails. Keep the fix centered on the textarea element and the audit
action handler so the UI reflects the locked state consistently.
- Around line 67-81: The file-type toggle buttons in the segmented control need
to expose their selected state to assistive technology. Update the button
rendering inside the FileType map in page.tsx so each button uses an
aria-pressed state that reflects whether fileType matches the current option.
Keep the existing visual styling and selection logic, and ensure the change is
applied on the button element created in the toggle group.

In `@kits/dockerguard/apps/components/export-menu.tsx`:
- Around line 82-103: The custom dropdown in export-menu.tsx needs proper menu
semantics and focus handling; the current container and actions in the open
block lack role="menu" and role="menuitem", and Escape can leave focus on body
instead of returning to the trigger. Update the export menu markup around the
open state in the export-menu component to add the missing ARIA roles and
restore focus to the trigger when the menu closes, or preferably replace the
custom implementation with shadcn/ui’s DropdownMenu so keyboard navigation,
Escape behavior, and focus management are handled correctly.

In `@kits/dockerguard/apps/package.json`:
- Line 28: Tailwind CSS is still pinned to v3 in the app package, which violates
the kit guideline and requires a v4 migration. Update the app’s dependency to
Tailwind v4+, then align the related setup by replacing the current
Tailwind/PostCSS wiring in tailwind.config.ts and postcss.config.mjs with the v4
CSS-based approach and `@tailwindcss/postcss` plugin. Move any theme extensions
from the Tailwind config into CSS `@theme` blocks in globals.css and ensure the
app’s style imports follow the v4 syntax.

In `@kits/dockerguard/README.md`:
- Around line 85-88: The README flow setup hard-codes a transient LLM node id in
the API Response mapping, which can mismatch the checked-in export. Update the
dockerguard-audit instructions to reference the exported LLM node generically or
use the committed node id used by the flow export, so the report mapping in the
API Response node points to the correct generatedResponse output.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: d443d12d-c224-45b2-a00f-0a78bf9edd37

📥 Commits

Reviewing files that changed from the base of the PR and between dafde4c and 2e5b2dd.

⛔ Files ignored due to path filters (5)
  • kits/dockerguard/apps/package-lock.json is excluded by !**/package-lock.json
  • kits/dockerguard/assets/dockerguard-dark.png is excluded by !**/*.png
  • kits/dockerguard/assets/dockerguard-input.png is excluded by !**/*.png
  • kits/dockerguard/assets/dockerguard-light.png is excluded by !**/*.png
  • kits/dockerguard/assets/dockerguard-overview.png is excluded by !**/*.png
📒 Files selected for processing (33)
  • kits/dockerguard/.env.example
  • kits/dockerguard/.gitignore
  • kits/dockerguard/README.md
  • kits/dockerguard/agent.md
  • kits/dockerguard/apps/.env.example
  • kits/dockerguard/apps/.gitignore
  • kits/dockerguard/apps/actions/orchestrate.ts
  • kits/dockerguard/apps/app/globals.css
  • kits/dockerguard/apps/app/layout.tsx
  • kits/dockerguard/apps/app/page.tsx
  • kits/dockerguard/apps/components/annotated-dockerfile.tsx
  • kits/dockerguard/apps/components/audit-report.tsx
  • kits/dockerguard/apps/components/copy-button.tsx
  • kits/dockerguard/apps/components/export-menu.tsx
  • kits/dockerguard/apps/components/score-ring.tsx
  • kits/dockerguard/apps/components/theme-toggle.tsx
  • kits/dockerguard/apps/lib/lamatic-client.ts
  • kits/dockerguard/apps/lib/report-format.ts
  • kits/dockerguard/apps/lib/sample.ts
  • kits/dockerguard/apps/lib/severity.ts
  • kits/dockerguard/apps/lib/types.ts
  • kits/dockerguard/apps/next.config.mjs
  • kits/dockerguard/apps/orchestrate.js
  • kits/dockerguard/apps/package.json
  • kits/dockerguard/apps/postcss.config.mjs
  • kits/dockerguard/apps/tailwind.config.ts
  • kits/dockerguard/apps/tsconfig.json
  • kits/dockerguard/constitutions/default.md
  • kits/dockerguard/flows/dockerguard-audit.ts
  • kits/dockerguard/lamatic.config.ts
  • kits/dockerguard/model-configs/dockerguard-audit_llmnode-540_generative-model-name.ts
  • kits/dockerguard/prompts/dockerguard-audit_llmnode-540_system_0.md
  • kits/dockerguard/prompts/dockerguard-audit_llmnode-540_user_1.md

Comment thread kits/dockerguard/apps/actions/orchestrate.ts Outdated
Comment thread kits/dockerguard/apps/actions/orchestrate.ts
Comment thread kits/dockerguard/apps/app/page.tsx
Comment thread kits/dockerguard/apps/app/page.tsx
Comment thread kits/dockerguard/apps/components/export-menu.tsx
Comment thread kits/dockerguard/apps/package.json Outdated
Comment thread kits/dockerguard/README.md Outdated
@justbeingsniper

Copy link
Copy Markdown
Author

hey, thanks for the review; went through everything and pushed fixes.

what i changed:

  • moved the app to tailwind v4 (was on v3)
  • normalized each finding in parseReport so partial model output can't render undefined anywhere
  • added aria-label on the textarea, aria-pressed on the file-type toggle, and role="menu"/role="menuitem" + focus return on the export dropdown
  • validate projectId now, removed that dead ?? null
  • made the readme setup step use a generic node id instead of hardcoding one

couple of things i kept on purpose;

  • the sample dockerfile still has that sk-live-... looking value; it's a dummy, not a real key; i want the demo to actually show dockerguard catching + redacting a "secret" so it stays
  • didn't move the export menu to shadcn/ui; kept the small custom one but gave it the proper aria roles + focus handling so it's still accessible

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr view 203 --repo Lamatic/AgentKit --json files,commits -q '.files[].path' | grep -i dockerguard | head -50
echo "---"
gh pr diff 203 --repo Lamatic/AgentKit -- kits/dockerguard/apps/actions/orchestrate.ts | head -200

Length of output: 2227


🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr diff 203 --repo Lamatic/AgentKit > /tmp/pr203.diff
wc -l /tmp/pr203.diff
echo "---orchestrate.ts---"
awk '/^diff --git a\/kits\/dockerguard\/apps\/actions\/orchestrate.ts/{flag=1} /^diff --git/{if(flag && !/orchestrate.ts/) exit} flag' /tmp/pr203.diff | head -250
echo "---package.json (tailwind)---"
awk '/^diff --git a\/kits\/dockerguard\/apps\/package.json/{flag=1} /^diff --git/{if(flag && !/package.json/) exit} flag' /tmp/pr203.diff
echo "---tailwind.config---"
awk '/^diff --git a\/kits\/dockerguard\/apps\/tailwind.config.ts/{flag=1} /^diff --git/{if(flag && !/tailwind.config.ts/) exit} flag' /tmp/pr203.diff

Length of output: 8184


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "---export-menu---"
awk '/^diff --git a\/kits\/dockerguard\/apps\/components\/export-menu.tsx/{flag=1} /^diff --git/{if(flag && !/export-menu.tsx/) exit} flag' /tmp/pr203.diff
echo "---lamatic-client---"
awk '/^diff --git a\/kits\/dockerguard\/apps\/lib\/lamatic-client.ts/{flag=1} /^diff --git/{if(flag && !/lamatic-client.ts/) exit} flag' /tmp/pr203.diff
echo "---page.tsx aria---"
awk '/^diff --git a\/kits\/dockerguard\/apps\/app\/page.tsx/{flag=1} /^diff --git/{if(flag && !/page.tsx/) exit} flag' /tmp/pr203.diff | grep -n "aria-" 
echo "---readme node id---"
awk '/^diff --git a\/kits\/dockerguard\/README.md/{flag=1} /^diff --git/{if(flag && !/README.md/) exit} flag' /tmp/pr203.diff | grep -n -i "node"

Length of output: 7214


All the fixes check out, Agent. Confirmed on the ground:

  • Tailwind v4package.json now pulls tailwindcss@^4.1.9 with @tailwindcss/postcss, and tailwind.config.ts is on the v4-friendly CSS-variable pattern. Clean migration.
  • parseReport hardeningorchestrate.ts now has normalizeFinding() coercing every field (id, severity, category, title, line, instruction, why, fix, reference) to safe defaults, plus score clamping and input_type allow-listing. No more undefined/NaN leaking into the UI.
  • Accessibility on export menu & controlsexport-menu.tsx has role="menu" / role="menuitem", aria-haspopup, aria-expanded, Escape-to-close, and focus returns to the trigger button via triggerRef in close(). page.tsx has aria-label on the textarea and aria-pressed on the file-type toggle. Solid.
  • projectId validationlamatic-client.ts now throws if config.api.projectId is missing, alongside endpoint/apiKey — dead ?? null is gone.
  • README node id — setup step now says <LLMNodeId> generically instead of a hardcoded id.

On the two things you kept intentionally — agreed, both are reasonable calls:

  • The dummy sk-live-... value in the sample Dockerfile only proves the redaction path works in the demo; as long as it stays a fake, non-functional string it's fine to keep.
  • Custom export menu with proper role/aria/focus handling is a legitimate alternative to pulling in shadcn/ui for something this small — no objection.

Kicking off a fresh full review pass now to double check nothing else needs attention.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/dockerguard/apps/actions/orchestrate.ts`:
- Line 47: The line normalization in the annotated source view is treating
missing values as valid line 0 because Number(null) and other falsy inputs pass
Number.isFinite; update the logic around the lineNum handling in orchestrate.ts
to reject null, empty, and non-positive values before rendering. Use the
existing lineNum check to return null unless the parsed value is a finite
integer greater than 0, so absent lines never become line 0 in the source
annotation output.
- Line 44: The severity mapping in orchestrate should normalize the LLM-provided
value before validation, since SEVERITIES.includes(f.severity as Severity) only
matches exact casing and can incorrectly fall back to "info". Update the
severity assignment in the findings mapping to lowercase the incoming f.severity
before checking against SEVERITIES, and keep the fallback behavior only for
truly unrecognized values.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0c9b4566-ba70-4207-84c3-767a3834419a

📥 Commits

Reviewing files that changed from the base of the PR and between 2e5b2dd and f31933b.

⛔ Files ignored due to path filters (1)
  • kits/dockerguard/apps/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (8)
  • kits/dockerguard/README.md
  • kits/dockerguard/apps/actions/orchestrate.ts
  • kits/dockerguard/apps/app/globals.css
  • kits/dockerguard/apps/app/page.tsx
  • kits/dockerguard/apps/components/export-menu.tsx
  • kits/dockerguard/apps/lib/lamatic-client.ts
  • kits/dockerguard/apps/package.json
  • kits/dockerguard/apps/postcss.config.mjs

Comment thread kits/dockerguard/apps/actions/orchestrate.ts Outdated
Comment thread kits/dockerguard/apps/actions/orchestrate.ts Outdated
@justbeingsniper

justbeingsniper commented Jul 9, 2026

Copy link
Copy Markdown
Author

i have done the last two changes; they were small, made the severity match case-insensitive (so "HIGH"/"High" doesn't fall back to info) and stopped a missing line number from showing up as line 0. pls re-review

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr diff 203 --repo Lamatic/AgentKit > /tmp/pr203.diff
echo "---severity.ts---"
awk '/^diff --git a\/kits\/dockerguard\/apps\/lib\/severity.ts/{flag=1} /^diff --git/{if(flag && !/severity.ts/) exit} flag' /tmp/pr203.diff
echo "---orchestrate.ts line handling---"
awk '/^diff --git a\/kits\/dockerguard\/apps\/actions\/orchestrate.ts/{flag=1} /^diff --git/{if(flag && !/orchestrate.ts/) exit} flag' /tmp/pr203.diff | grep -n -i "line" 
echo "---audit-report.tsx line handling---"
awk '/^diff --git a\/kits\/dockerguard\/apps\/components\/audit-report.tsx/{flag=1} /^diff --git/{if(flag && !/audit-report.tsx/) exit} flag' /tmp/pr203.diff | grep -n -i "line"

Length of output: 4404


@justbeingsniper Your cover is blown to no one — this message will self-destruct after confirming: both fixes check out.

  • Case-insensitive severitynormalizeSeverity() in severity.ts now lowercases the input before matching against ["critical","high","medium","low","info"], so "HIGH"/"High" resolve correctly instead of falling back to "info".
  • No more phantom "line 0"orchestrate.ts now computes lineNum = f.line == null ? NaN : Number(f.line) and only keeps it when Number.isFinite(lineNum) && lineNum > 0, otherwise setting line: null. audit-report.tsx already gates the line badge on finding.line != null, so this now correctly hides missing/zero line numbers instead of showing "line 0".

Nice, tight fixes — nothing else outstanding from my side. Kicking off a full review pass now, but I don't expect any new findings.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@justbeingsniper Good evening, Agent. Your mission, which you have already accepted and completed: neutralize the "HIGH"-falls-back-to-"info" bug and the phantom "line 0" leak. Mission status: success, confirmed in the previous transmission — normalizeSeverity() lowercases before matching, and orchestrate.ts now nulls out any non-finite or non-positive line number instead of coercing to 0.

This message, and this review cycle, will self-destruct in five seconds. No further action required on my end. As always, should you choose to accept another mission, I'll be listening.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@justbeingsniper

Copy link
Copy Markdown
Author

thanks for confirming; both were fixed in the last commit and the inline comments went outdated. the review count still shows the old number though — can you do a fresh full pass so it refreshes?

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@justbeingsniper Copy that. Full review requested — initiating a complete re-scan of the mission files so the count reflects reality. This tape will not self-destruct until the scan completes.

✅ Action performed

Full review finished.


Your plan includes PR reviews subject to rate limits. More reviews will be available in 23 minutes.

@justbeingsniper

Copy link
Copy Markdown
Author

quota should be back now; can you run the full review please?

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@justbeingsniper Acknowledged. Quota window should be clear now — initiating the full review pass on all mission files.

✅ Action performed

Full review finished.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/dockerguard/.gitignore`:
- Around line 4-7: Update the .gitignore environment-file patterns to ignore all
secret-bearing .env variants, including .env.production, .env.development, and
other .env.* files, while preserving the intended allowance for .env.example.
Ensure the patterns cover both root and relevant environment files without
leaving credential-bearing files trackable.

In `@kits/dockerguard/apps/app/page.tsx`:
- Around line 103-111: Add role="alert" to the dynamically rendered error
paragraph in the error display block so screen readers announce audit failures
immediately.

In `@kits/dockerguard/README.md`:
- Around line 122-137: Label the folder-tree fenced block with the text language
identifier by changing the opening fence before kits/dockerguard/ to ```text,
while leaving the tree contents unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: f09a4f1e-5d59-4af8-8b1b-e94b45411e2a

📥 Commits

Reviewing files that changed from the base of the PR and between dafde4c and 4d8c272.

⛔ Files ignored due to path filters (5)
  • kits/dockerguard/apps/package-lock.json is excluded by !**/package-lock.json
  • kits/dockerguard/assets/dockerguard-dark.png is excluded by !**/*.png
  • kits/dockerguard/assets/dockerguard-input.png is excluded by !**/*.png
  • kits/dockerguard/assets/dockerguard-light.png is excluded by !**/*.png
  • kits/dockerguard/assets/dockerguard-overview.png is excluded by !**/*.png
📒 Files selected for processing (33)
  • kits/dockerguard/.env.example
  • kits/dockerguard/.gitignore
  • kits/dockerguard/README.md
  • kits/dockerguard/agent.md
  • kits/dockerguard/apps/.env.example
  • kits/dockerguard/apps/.gitignore
  • kits/dockerguard/apps/actions/orchestrate.ts
  • kits/dockerguard/apps/app/globals.css
  • kits/dockerguard/apps/app/layout.tsx
  • kits/dockerguard/apps/app/page.tsx
  • kits/dockerguard/apps/components/annotated-dockerfile.tsx
  • kits/dockerguard/apps/components/audit-report.tsx
  • kits/dockerguard/apps/components/copy-button.tsx
  • kits/dockerguard/apps/components/export-menu.tsx
  • kits/dockerguard/apps/components/score-ring.tsx
  • kits/dockerguard/apps/components/theme-toggle.tsx
  • kits/dockerguard/apps/lib/lamatic-client.ts
  • kits/dockerguard/apps/lib/report-format.ts
  • kits/dockerguard/apps/lib/sample.ts
  • kits/dockerguard/apps/lib/severity.ts
  • kits/dockerguard/apps/lib/types.ts
  • kits/dockerguard/apps/next.config.mjs
  • kits/dockerguard/apps/orchestrate.js
  • kits/dockerguard/apps/package.json
  • kits/dockerguard/apps/postcss.config.mjs
  • kits/dockerguard/apps/tailwind.config.ts
  • kits/dockerguard/apps/tsconfig.json
  • kits/dockerguard/constitutions/default.md
  • kits/dockerguard/flows/dockerguard-audit.ts
  • kits/dockerguard/lamatic.config.ts
  • kits/dockerguard/model-configs/dockerguard-audit_llmnode-540_generative-model-name.ts
  • kits/dockerguard/prompts/dockerguard-audit_llmnode-540_system_0.md
  • kits/dockerguard/prompts/dockerguard-audit_llmnode-540_user_1.md

Comment thread kits/dockerguard/.gitignore Outdated
Comment thread kits/dockerguard/apps/app/page.tsx
Comment thread kits/dockerguard/README.md Outdated
@justbeingsniper

Copy link
Copy Markdown
Author

pushed fixes for the last three; broadened the env ignore to cover all .env files (kept .env.example), added role=alert on the audit error, and tagged the folder tree code block as text. can you review again?

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr diff 203 --repo Lamatic/AgentKit > /tmp/pr203.diff
echo "---gitignore---"
awk '/^diff --git a\/kits\/dockerguard\/\.gitignore/{flag=1} /^diff --git/{if(flag && !/\.gitignore/) exit} flag' /tmp/pr203.diff
echo "---apps gitignore---"
awk '/^diff --git a\/kits\/dockerguard\/apps\/\.gitignore/{flag=1} /^diff --git/{if(flag && !/apps\/\.gitignore/) exit} flag' /tmp/pr203.diff
echo "---page.tsx alert---"
awk '/^diff --git a\/kits\/dockerguard\/apps\/app\/page.tsx/{flag=1} /^diff --git/{if(flag && !/page.tsx/) exit} flag' /tmp/pr203.diff | grep -n -i "alert"
echo "---readme code block lang---"
awk '/^diff --git a\/kits\/dockerguard\/README.md/{flag=1} /^diff --git/{if(flag && !/README.md/) exit} flag' /tmp/pr203.diff | grep -n -B2 -A2 '```'

Length of output: 3090


@justbeingsniper Good to have you back on the line, Agent. Debrief on the three objectives:

  • Env file exposure sealed — both kits/dockerguard/.gitignore and kits/dockerguard/apps/.gitignore now use .env* with a !.env.example exception, so every local env file is covered except the template. Clean.
  • Audit error now announcedpage.tsx Line 111 carries role="alert" on the error banner, so screen readers pick it up the moment it appears.
  • Folder tree properly tagged — the README's folder-structure block is now fenced as ```text instead of untagged, so it renders correctly.

Nothing else outstanding from this end. Initiating the full review pass now — expecting a clean report, but the scanners never lie.

✅ Action performed

Full review finished.


Your plan includes PR reviews subject to rate limits. More reviews will be available in 35 minutes.

@justbeingsniper

Copy link
Copy Markdown
Author

all three points are addressed in the latest commits; can you resolve the open review comments? not asking for a fresh review, just clearing the ones already fixed.

@coderabbitai resolve

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@justbeingsniper Mission acknowledged. No need for a fresh scan — clearing the comments already confirmed fixed: the env-file ignore coverage, the role="alert" on the audit error banner, and the README folder-tree code fence tag. Resolving those threads now.

✅ Action performed

Comments resolved and changes approved.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 33 out of 38 changed files in this pull request and generated 4 comments.

Files not reviewed (1)
  • kits/dockerguard/apps/package-lock.json: Generated file

Comment on lines +40 to +45
out.push(`### ${SEVERITY_LABEL[sev]} — ${f.title}`);
const meta = [f.category, f.line != null ? `line ${f.line}` : null].filter(Boolean).join(" · ");
if (meta) out.push(`_${meta}_`, "");
if (f.instruction) out.push("```dockerfile", f.instruction, "```", "");
out.push(`**Why:** ${f.why}`);
out.push(`**Fix:** ${f.fix}`);
Comment on lines +47 to +66
<pre className="min-w-full py-2 font-mono text-[13px] leading-relaxed">
{lines.map((line, i) => {
const n = i + 1;
const sev = lineSev.get(n);
return (
<div
key={n}
data-sev={sev}
className="flex items-center px-3"
style={sev ? { background: "var(--sev-bg)", boxShadow: "inset 2px 0 0 var(--sev-solid)" } : undefined}
>
<span className="mr-3 flex w-3 justify-center">
{sev && <span className="h-2 w-2 rounded-full" style={{ background: "var(--sev-solid)" }} />}
</span>
<span className="mr-4 w-6 select-none text-right text-fg-muted">{n}</span>
<code className="whitespace-pre text-fg">{line || " "}</code>
</div>
);
})}
</pre>
ADD . /app
WORKDIR /app

ENV API_KEY=sk-live-abc123secret

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sk-live-abc123secret is an obvious fake placeholder, not a real credential. it's there on purpose so the demo shows dockerguard detecting and redacting a hardcoded secret in the audit output pls be a little aware from the next time

"tags": ["devops", "security", "generative"],
"testInput": {
"dockerfile":
"FROM node:latest\nADD . /app\nWORKDIR /app\nENV API_KEY=sk-live-123456\nRUN apt-get update\nRUN npm install\nEXPOSE 3000\nCMD npm start",

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the same thing again flagged by you the performance is really poor; cant even differentiate b/w a placeholder and a real key

@justbeingsniper

Copy link
Copy Markdown
Author

@amanintech @akshatvirmani , could you review this PR (all checks are green)
also the live demo - https://agent-kit-roan.vercel.app

@github-actions

Copy link
Copy Markdown
Contributor

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
putComment timed out

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants