[plan] reduce default memory limit with configurable override #310

@github-actions

Objective

Reduce default memory limit from 4GB to 2GB to prevent resource exhaustion DoS in shared environments, with --memory-limit flag for override.

Context

Current state: Agent container limited to 4GB memory (line 234 in src/docker-manager.ts)

Risk: In shared CI/CD environments, malicious code could exhaust memory and impact other jobs.

Risk level: 🟡 MEDIUM - Resource exhaustion DoS

Trade-off: AI workloads (LLM inference, code analysis) may require higher memory limits for legitimate use cases.

Implementation Approach

  1. Add --memory-limit CLI flag accepting values like 2g, 4g, 8g
  2. Change default from 4g to 2g for better DoS protection
  3. Validate input format (positive integer with unit suffix)
  4. Update Docker Compose memory limit configuration
  5. Document when higher limits needed (AI agents, large repos)

Files to Modify

  • src/cli.ts - Add --memory-limit flag with validation
  • src/docker-manager.ts - Line 234: Use config value instead of hardcoded 4g
  • src/types.ts - Add memoryLimit to WrapperConfig interface
  • README.md - Document flag and appropriate values for different workloads
  • AGENTS.md - Update documentation of resource limits

Examples

# Use default 2GB (sufficient for most commands)
awf --allow-domains github.com 'curl https://api.github.com'

# AI agent workload needs more memory
awf --memory-limit 8g --allow-domains api.openai.com \
  'npx @github/copilot@latest -p "analyze large codebase"'

# Explicitly set conservative limit for untrusted code
awf --memory-limit 1g --allow-domains registry.npmjs.org 'npm install'

Testing

  • Verify default is 2GB when flag not specified
  • Test custom values (1g, 4g, 8g)
  • Validate error on invalid formats (-1g, abc, 2x)
  • Confirm Docker container respects limit (check docker stats)

Acceptance Criteria

  • Default memory limit reduced to 2GB
  • --memory-limit flag accepts values with unit suffix
  • Invalid formats rejected with clear error message
  • Docker container memory limit matches specified value
  • Documentation explains appropriate limits for different workloads
  • No breaking changes (users can override back to 4GB)

Related to [plan] security improvements from threat model review #306

AI generated by Plan Command for discussion #302
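
A sketch of the input validation in step 3 of the implementation approach, checked against the invalid formats listed under Testing. This is an added example, not code from the project: `parseMemoryLimit`, `isRejected`, the constants, the accepted unit set (k, m, g) and the 1 TiB ceiling are all assumptions.

```typescript
// Added example, not the project's code. Function and constant names, the unit
// set (k, m, g) and the 1 TiB ceiling are assumptions made for illustration.
const DEFAULT_MEMORY_LIMIT = "2g"; // default proposed in the issue

const UNIT_BYTES: Record<string, number> = {
  k: 1024,
  m: 1024 ** 2,
  g: 1024 ** 3,
};

// Assumed ceiling so a typo such as "999999g" fails before reaching Docker.
const MAX_BYTES = 1024 ** 4;

interface MemoryLimit {
  value: string; // normalized string for the container memory setting
  bytes: number; // same limit in bytes, for comparisons and logging
}

function parseMemoryLimit(input?: string): MemoryLimit {
  const raw = (input ?? DEFAULT_MEMORY_LIMIT).trim().toLowerCase();
  // Fully anchored: a positive integer without leading zero, then exactly one
  // unit letter. Rejects "-1g", "abc", "2x", "0g", "1.5g" and trailing text,
  // so nothing but digits and a unit is ever written into the Compose config.
  const match = /^([1-9][0-9]{0,14})([kmg])$/.exec(raw);
  const digits = match?.[1] ?? "";
  const unit = match?.[2] ?? "";
  const factor = UNIT_BYTES[unit];
  if (!match || factor === undefined) {
    throw new Error(
      `Invalid --memory-limit "${String(input)}": expected a positive integer ` +
        `with a unit suffix k, m or g, for example ${DEFAULT_MEMORY_LIMIT}`
    );
  }
  const bytes = Number(digits) * factor;
  if (bytes > MAX_BYTES) {
    throw new Error(`--memory-limit "${raw}" exceeds the 1 TiB ceiling`);
  }
  return { value: digits + unit, bytes };
}

// True when the value is rejected; convenient for table-driven checks.
function isRejected(input: string): boolean {
  try {
    parseMemoryLimit(input);
    return false;
  } catch (_err) {
    return true;
  }
}
```

Returning the normalized string rather than the raw argument means the value handed to the container configuration is always rebuilt from the matched digits and unit.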
