Skip to content

Refactor enforcement and remediation modules; remove server components#18

Merged
xoity merged 4 commits into
mainfrom
cuts
Jul 13, 2026
Merged

Refactor enforcement and remediation modules; remove server components#18
xoity merged 4 commits into
mainfrom
cuts

Conversation

@xoity

@xoity xoity commented Jul 10, 2026

Copy link
Copy Markdown
Owner
  • Removed Cisco-style rule handling from EnforcementPlanner.
  • Cleaned up RemediationAction by removing unused dependencies.
  • Simplified RemediationPlan and RemediationExecutor by removing dependency checks.
  • Deleted server-related files including API, auth, and schemas.
  • Updated requirements and removed unused dependencies.
  • Added test devices and test policy YAML files for better testing coverage.
  • Cleaned up tests by removing obsolete test files and methods.

Summary by CodeRabbit

  • New Features
    • Enhanced Linux iptables command generation for protocols, ports, address ranges, actions, direction, and optional logging.
    • Added VM test device and policy examples for end-to-end validation.
    • CLI/version output now reflects the installed release.
  • Documentation
    • Added a full “Verification Workflow” to README (audit → dry-run → live enforcement → SSH verification → re-audit).
  • Bug Fixes
    • More reliable policy-to-device matching when multiple ports/IPs are present (including LOG rules).
  • Changes
    • Removed built-in web authentication and CLI session/login features.
    • Simplified remediation behavior (removed dependency-based gating) and trimmed AI config options.

- Removed Cisco-style rule handling from EnforcementPlanner.
- Cleaned up RemediationAction by removing unused dependencies.
- Simplified RemediationPlan and RemediationExecutor by removing dependency checks.
- Deleted server-related files including API, auth, and schemas.
- Updated requirements and removed unused dependencies.
- Added test devices and test policy YAML files for better testing coverage.
- Cleaned up tests by removing obsolete test files and methods.

Signed-off-by: Mohammad Abu-Khader <mohammad.abukhader@hotmail.com>
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@xoity, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 49 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2887924a-e6b2-48c1-8f26-a4c0d0d09d9d

📥 Commits

Reviewing files that changed from the base of the PR and between 0ba13a6 and d8ffcef.

📒 Files selected for processing (7)
  • audit_agent/ai/config.py
  • audit_agent/audit/engine.py
  • audit_agent/core/logging_config.py
  • audit_agent/core/policy.py
  • audit_agent/devices/base.py
  • audit_agent/devices/linux_iptables.py
  • audit_agent/enforcement/remediation.py
📝 Walkthrough

Walkthrough

The change centralizes Linux iptables command generation, removes authentication and device-management APIs, simplifies policy and remediation models, updates AI configuration and package metadata handling, and adds VM verification configurations and documentation.

Changes

Linux firewall command flow

Layer / File(s) Summary
Centralized iptables command generation
audit_agent/devices/linux_iptables.py, audit_agent/cli.py, tests/test_auto_generate.py, test-*.yaml, README.md
Firewall rules are converted through firewall_rule_to_commands, CLI auto-generation delegates to the shared helper, and command-generation tests plus VM verification documentation/configuration are updated.
Command execution simplification
audit_agent/devices/linux_iptables.py
Command output decoding and shell wrapping are simplified, while script execution and command-safety validation are removed.

Policy and remediation execution

Layer / File(s) Summary
Policy and remediation model changes
audit_agent/core/policy.py, audit_agent/enforcement/remediation.py
Policy convenience APIs and remediation dependency tracking, filtering, caching, and execution gating are removed; policy metadata deserialization is changed.
Audit and enforcement behavior
audit_agent/audit/engine.py, audit_agent/enforcement/engine.py
Rule matching uses any configured port or address, Docker rules are skipped, severity report generation uses an ordered loop, and Cisco access-list removal falls through to the generic fallback.

Public surface and packaging

Layer / File(s) Summary
CLI and device API cleanup
audit_agent/cli.py, audit_agent/core/credentials.py, audit_agent/devices/*
Authentication-related CLI commands, SSH-agent probing, device-manager abstractions, and router/load-balancer base classes are removed.
AI and package configuration cleanup
audit_agent/ai/*, pyproject.toml, requirements.txt, examples/README.md, tests/test_credentials.py, .gitignore, .mise.toml
AI configuration, dependencies, Ruff settings, obsolete examples, and SSH-agent coverage are reduced; installed package metadata supplies the version and AuditAgent configuration is ignored.
Pydantic validator migration
audit_agent/core/objects.py
Object validation decorators are updated to the Pydantic v2 field_validator API.

Estimated code review effort: 5 (Critical) | ~120 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately captures the two main themes: enforcement/remediation refactoring and removal of server components.
Docstring Coverage ✅ Passed Docstring coverage is 89.58% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cuts

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
audit_agent/audit/engine.py (1)

474-480: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Docker-related rules now unconditionally skipped in find_extra_rules.

The previous logic skipped Docker-related rules only when they did not conflict with policy rules. Now all Docker-related rules are skipped unconditionally. If _conflicts_with_policy was a placeholder with no real logic, the practical impact is minimal. However, note that _is_docker_related_rule uses broad indicators like "FORWARD", "PREROUTING", and "MASQUERADE" — non-Docker rules in these chains will also be silently skipped, potentially masking legitimate compliance issues.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@audit_agent/audit/engine.py` around lines 474 - 480, The Docker-rule
filtering in find_extra_rules now skips all matching rules, including non-Docker
rules due to broad _is_docker_related_rule indicators. Restore policy-aware
handling so Docker-related rules are skipped only when they do not conflict with
policy, and ensure legitimate rules in FORWARD, PREROUTING, or MASQUERADE chains
are not silently ignored.
🧹 Nitpick comments (1)
audit_agent/enforcement/remediation.py (1)

644-644: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Dead skipped counter after dependency-gating removal.

skipped is initialized at line 644 and passed to RemediationPlanResult at line 690, but the dependency-skip logic that previously incremented it was removed. It will always be 0. Consider removing the variable and passing a literal 0, or document that skip logic is intentionally deferred.

Also applies to: 690-690

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@audit_agent/enforcement/remediation.py` at line 644, Remove the unused
skipped counter initialized in the remediation flow and replace its
RemediationPlanResult argument with the literal 0, or explicitly document and
implement the intended deferred skip behavior; update related references
consistently.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@audit_agent/__init__.py`:
- Around line 8-10: Make audit_agent.__version__ resilient when the distribution
metadata is unavailable: wrap version("audit-agent") in appropriate
PackageNotFoundError handling and assign a fallback version string for source
checkouts, preserving the installed-package version when metadata exists. Ensure
importing audit_agent and running audit_agent.cli work without installation.

In `@audit_agent/devices/linux_iptables.py`:
- Around line 67-78: The log-rule construction in the rule-building function
mishandles Action.LOG and unquoted prefixes. Preserve the match tokens
explicitly before appending any action target, then build the LOG command from
that match portion instead of slicing cmd_parts; ensure Action.LOG remains valid
without dropping match arguments. Quote or shell-escape the --log-prefix value,
including its trailing space, so rule names containing whitespace remain one
token.
- Around line 467-468: The _build_shell_command method assembles shell commands
containing unescaped rule-derived values such as rule.name. Update the command
construction and its callers to safely quote all interpolated values, especially
the --log-prefix argument, using a shell-escaping utility or structured
execution that avoids shell-string assembly; do not rely on dangerous_patterns
for protection.
- Around line 39-65: The _build_iptables_rule implementation silently ignores
all but the first source/destination IP and port. Update _build_iptables_rule to
expand every value into separate iptables rules, preserving the rule’s other
options, or explicitly reject multi-value inputs with a clear error instead of
truncating them.

In `@tests/test_auto_generate.py`:
- Around line 81-84: The multi-port test for firewall_rule_to_commands only
verifies port 80 and misses regressions involving the second requested port.
Update the assertion in the relevant test to also require port 443, or verify
that every port in rule.destination_ports appears in the generated commands.

---

Outside diff comments:
In `@audit_agent/audit/engine.py`:
- Around line 474-480: The Docker-rule filtering in find_extra_rules now skips
all matching rules, including non-Docker rules due to broad
_is_docker_related_rule indicators. Restore policy-aware handling so
Docker-related rules are skipped only when they do not conflict with policy, and
ensure legitimate rules in FORWARD, PREROUTING, or MASQUERADE chains are not
silently ignored.

---

Nitpick comments:
In `@audit_agent/enforcement/remediation.py`:
- Line 644: Remove the unused skipped counter initialized in the remediation
flow and replace its RemediationPlanResult argument with the literal 0, or
explicitly document and implement the intended deferred skip behavior; update
related references consistently.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5db252c9-2e78-4e90-be8a-08a1f1954bc2

📥 Commits

Reviewing files that changed from the base of the PR and between f51d0f9 and f5ad8a8.

📒 Files selected for processing (35)
  • .audit-agent/sandbox-42.json
  • .github/workflows/lint.yml
  • .github/workflows/test.yml
  • .gitignore
  • .mise.toml
  • README.md
  • audit_agent/__init__.py
  • audit_agent/ai/analyzer.py
  • audit_agent/ai/config.py
  • audit_agent/audit/engine.py
  • audit_agent/cli.py
  • audit_agent/core/credentials.py
  • audit_agent/core/logging_config.py
  • audit_agent/core/policy.py
  • audit_agent/core/token.py
  • audit_agent/devices/__init__.py
  • audit_agent/devices/base.py
  • audit_agent/devices/linux_iptables.py
  • audit_agent/enforcement/engine.py
  • audit_agent/enforcement/remediation.py
  • audit_agent/server/__init__.py
  • audit_agent/server/api.py
  • audit_agent/server/auth.py
  • audit_agent/server/schemas.py
  • examples/README.md
  • examples/clean-linux-policy.yaml
  • pyproject.toml
  • remediation-policy.yaml
  • requirements.txt
  • test-devices.yaml
  • test-policy.yaml
  • tests/run_tests.py
  • tests/test_auto_generate.py
  • tests/test_credentials.py
  • tests/test_server_auth.py
💤 Files with no reviewable changes (18)
  • remediation-policy.yaml
  • .github/workflows/test.yml
  • audit_agent/ai/analyzer.py
  • tests/test_server_auth.py
  • audit_agent/core/token.py
  • audit_agent/server/auth.py
  • audit_agent/server/schemas.py
  • .github/workflows/lint.yml
  • tests/run_tests.py
  • audit_agent/server/api.py
  • .audit-agent/sandbox-42.json
  • examples/README.md
  • audit_agent/ai/config.py
  • pyproject.toml
  • audit_agent/enforcement/engine.py
  • tests/test_credentials.py
  • audit_agent/core/logging_config.py
  • audit_agent/core/credentials.py

Comment thread audit_agent/__init__.py Outdated
Comment thread audit_agent/devices/linux_iptables.py Outdated
Comment thread audit_agent/devices/linux_iptables.py Outdated
Comment thread audit_agent/devices/linux_iptables.py
Comment thread tests/test_auto_generate.py
… update remediation executor to reset skipped actions; refine iptables rule generation; improve tests for multiple ports

Signed-off-by: Mohammad Abu-Khader <mohammad.abukhader@hotmail.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
audit_agent/audit/engine.py (1)

464-467: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Stale comment references removed conflict check.

The comment "Skip Docker-related rules unless they conflict with policy" no longer reflects the code — _conflicts_with_policy was removed and all Docker-related rules are now unconditionally skipped. This could mislead future developers into expecting conditional behavior.

Proposed fix: update comment
-            # Skip Docker-related rules unless they conflict with policy
+            # Skip Docker-related rules (managed by Docker, not policy)
             if self._is_docker_related_rule(
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@audit_agent/audit/engine.py` around lines 464 - 467, Update the comment above
the _is_docker_related_rule check to state that Docker-related rules are
unconditionally skipped, removing the obsolete reference to policy conflicts.
Leave the conditional logic unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@audit_agent/audit/engine.py`:
- Around line 429-434: Update `_log_rule_matches_policy_rule` so `source_ips`
containing `0.0.0.0/0` only matches log rules without a specific `-s` source or
with `-s 0.0.0.0/0`; reject log rules carrying any other explicit source,
matching `_rules_might_match` behavior. Preserve matching for policy-specific
source IPs.

---

Outside diff comments:
In `@audit_agent/audit/engine.py`:
- Around line 464-467: Update the comment above the _is_docker_related_rule
check to state that Docker-related rules are unconditionally skipped, removing
the obsolete reference to policy conflicts. Leave the conditional logic
unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2efb7817-525d-4a7f-9aeb-4221d4e986de

📥 Commits

Reviewing files that changed from the base of the PR and between f5ad8a8 and 0ba13a6.

📒 Files selected for processing (7)
  • audit_agent/__init__.py
  • audit_agent/audit/engine.py
  • audit_agent/core/objects.py
  • audit_agent/devices/linux_iptables.py
  • audit_agent/enforcement/remediation.py
  • requirements.txt
  • tests/test_auto_generate.py
🚧 Files skipped from review as they are similar to previous changes (5)
  • requirements.txt
  • audit_agent/init.py
  • tests/test_auto_generate.py
  • audit_agent/devices/linux_iptables.py
  • audit_agent/enforcement/remediation.py

Comment thread audit_agent/audit/engine.py
xoity added 2 commits July 13, 2026 21:28
Signed-off-by: Mohammad Abu-Khader <mohammad.abukhader@hotmail.com>
Signed-off-by: Mohammad Abu-Khader <mohammad.abukhader@hotmail.com>
@xoity
xoity merged commit fc3b18c into main Jul 13, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant