fix: regenerate lavamoat policy for Docker compatibility

[andreabadesso]

Acceptance Criteria

• Docker image starts successfully with lavamoat entrypoint
• Running from source with production deps works with lavamoat
• make lavamoat_policy regenerates the policy correctly
• README documents how to run (Docker, from source, dev) and how to regenerate the policy

What this PR does

The LavaMoat policy was out of date and the Docker image could not start. Two root causes:

1. The policy was generated against dev node_modules, but the runtime (Docker and recommended from-source setup) uses production-only deps. npm resolves shared transitive packages through different parent chains in each case, so the policy didn't match.
2. settings.js loads config.js via a dynamic import(), so lavamoat's static analysis never discovered yargs and its transitive deps (used in config.js.docker).

This PR:

• Regenerates policy.json from production dependencies, using a shim entrypoint that statically requires config.js so lavamoat sees the full dependency graph.
• Adds scripts/generate-lavamoat-policy.sh and a make lavamoat_policy target to automate policy regeneration (requires Docker). npm run lavamoat:policy should no longer be used.
• Adds README sections for running with Docker, running from source, development, and regenerating the policy.

Security Checklist

• Make sure you do not include new dependencies in the project unless strictly necessary and do not include dev-dependencies as production ones. More dependencies increase the possibility of one of them being hijacked and affecting us.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Updates Lavamoat policy configuration adding many new public entries and reorganizing side-channel mappings (yargs ecosystem, ws, express>qs>side-channel, lavamoat resolve entries) and tightens several browser-like globals; README adds Docker and from-source run instructions. (50 words)

Changes

Cohort / File(s)	Summary
Policy Configuration lavamoat/node/policy.json	Large policy additions and reorganizations: new yargs ecosystem entries (cliui, wrap-ansi, string-width, escalade, require-directory, y18n, yargs, yargs-parser), top-level ws entry with builtins/globals, added lavamoat>resolve>is-core-module>hasown, and many express>qs>side-channel blocks (call-bind, get-intrinsic, define-data-property, set-function-length) with nested package mappings. Multiple globals tightened (WorkerGlobalScope, XMLHttpRequest, document, navigator, location.href, importScripts, http/https, process.exit) across several blocks.
Documentation README.md	Added "Running with Docker" and "Running from source" instructions, including docker run example, environment variables, Node/NPM requirements, install/build/start steps, and a production caution. Minor formatting/section insertion.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• pedroferreira1
• tuliomir

Poem

🐰 I hopped through policies late at night,
Added yargs, ws, and side-channels bright,
Docker dreams and source-run delight,
Globals tucked in snug and tight,
The config thumps a jaunty bite! 🎉

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: regenerating the lavamoat policy to fix Docker compatibility issues. It is concise and directly related to the primary objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/update-lavamoat-policy-for-docker

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.08%. Comparing base (4523cd6) to head (7897e56).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #590   +/-   ##
=======================================
  Coverage   90.08%   90.08%           
=======================================
  Files          56       56           
  Lines        2462     2462           
  Branches      456      456           
=======================================
  Hits         2218     2218           
  Misses        226      226           
  Partials       18       18           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

lavamoat/node/policy.json (1)

901-914: Redundant lru-cache references through both dev and prod paths.

The jsonwebtoken>semver entry references both nodemon>semver>lru-cache (dev path) and jsonwebtoken>semver>lru-cache (prod path). In a production Docker environment without dev dependencies, the nodemon path won't exist.

If the policy was generated correctly in the Docker build stage (as per PR objectives), only the production path should be needed. Consider removing the nodemon reference to avoid confusion.

Proposed cleanup

     "jsonwebtoken>semver": {
       "globals": {
         "console.error": true,
         "process": true
       },
       "packages": {
-        "nodemon>semver>lru-cache": true,
         "jsonwebtoken>semver>lru-cache": true
       }
     },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lavamoat/node/policy.json` around lines 901 - 914, The policy lists both the
dev and prod paths for lru-cache under "jsonwebtoken>semver"; remove the
dev-only reference "nodemon>semver>lru-cache" from the "packages" object of
"jsonwebtoken>semver" so only the production path
"jsonwebtoken>semver>lru-cache" remains, and then verify there are no other
dev-only references to "nodemon>..." elsewhere in the policy (leave
"jsonwebtoken>semver>lru-cache" and its child
"jsonwebtoken>semver>lru-cache>yallist" intact).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@lavamoat/node/policy.json`:
- Around line 331-349: Remove all dev-only dependency entries that start with
the "eslint-plugin-import>" prefix from the policy object (e.g., keys like
"eslint-plugin-import>array-includes>get-intrinsic" and the nested "packages"
entries referencing "eslint-plugin-import>..."), leaving only production
dependency chains such as "express>qs>side-channel>get-intrinsic"; ensure you
delete the entire key/value block for each eslint-plugin-import entry so no
devDependency chains remain in the runtime policy.

---

Nitpick comments:
In `@lavamoat/node/policy.json`:
- Around line 901-914: The policy lists both the dev and prod paths for
lru-cache under "jsonwebtoken>semver"; remove the dev-only reference
"nodemon>semver>lru-cache" from the "packages" object of "jsonwebtoken>semver"
so only the production path "jsonwebtoken>semver>lru-cache" remains, and then
verify there are no other dev-only references to "nodemon>..." elsewhere in the
policy (leave "jsonwebtoken>semver>lru-cache" and its child
"jsonwebtoken>semver>lru-cache>yallist" intact).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6abb3e94-d535-4166-9f81-175f7ec8ef8c

📥 Commits

Reviewing files that changed from the base of the PR and between 76d7e03 and d39d50b.

📒 Files selected for processing (1)

• lavamoat/node/policy.json

[coderabbitai]

🧹 Nitpick comments (1)

lavamoat/node/policy-override.json (1)

41-243: Consider codifying the merge workflow in CI to avoid policy drift.

Given the two-environment generation/merge requirement, a scripted check in CI would make future policy updates safer and reproducible.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lavamoat/node/policy-override.json` around lines 41 - 243, The repo needs a
CI check that reproduces the two-environment Lavamoat policy generation and
verifies the committed lavamoat/node/policy-override.json is the exact merged
output to prevent drift; add a CI job (e.g., policy:verify) that runs the
existing policy generation script for both environments (invoke the same
generator used to produce policy-override.json), merges them the same way the
manual process does, diff/compare the generated merge with
lavamoat/node/policy-override.json, and fail the job if there are any
differences so future PRs must update the committed file via the generator.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@lavamoat/node/policy-override.json`:
- Around line 41-243: The repo needs a CI check that reproduces the
two-environment Lavamoat policy generation and verifies the committed
lavamoat/node/policy-override.json is the exact merged output to prevent drift;
add a CI job (e.g., policy:verify) that runs the existing policy generation
script for both environments (invoke the same generator used to produce
policy-override.json), merges them the same way the manual process does,
diff/compare the generated merge with lavamoat/node/policy-override.json, and
fail the job if there are any differences so future PRs must update the
committed file via the generator.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3efb5c6f-73e9-4648-8ea7-9d150d41e1fe

📥 Commits

Reviewing files that changed from the base of the PR and between d39d50b and 64e5bb6.

📒 Files selected for processing (2)

• lavamoat/node/policy-override.json
• lavamoat/node/policy.json

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@lavamoat/node/policy.json`:
- Around line 264-277: The policy currently includes entries for
"express>qs>side-channel>call-bind" and
"express>qs>side-channel>call-bind>call-bind-apply-helpers" (and their
"get-intrinsic" children) but is missing the equivalent dev-path variants under
the eslint-plugin-import tree; add matching entries prefixed with
"eslint-plugin-import>qs>side-channel>..." that mirror the existing package
objects for the express entries (i.e., create
"eslint-plugin-import>qs>side-channel>call-bind",
"eslint-plugin-import>qs>side-channel>call-bind>call-bind-apply-helpers", and
the "get-intrinsic" child mappings), and duplicate these additions at the other
ranges mentioned (near lines 372–377, 414–418, 585–603, and 1026–1039) so the
policy contains both express- and eslint-plugin-import-prefixed paths for
call-bind, call-bind-apply-helpers, set-function-length, es-define-property, and
get-intrinsic.

In `@README.md`:
- Around line 20-25: The README currently shows secrets inline in the docker run
example; update it to demonstrate using an env-file or Docker secrets instead of
embedding HEADLESS_SEED_DEFAULT and HEADLESS_API_KEY directly. Replace the -e
HEADLESS_SEED_DEFAULT="your seed words here" and -e
HEADLESS_API_KEY=your_api_key parts in the hathornetwork/hathor-wallet-headless
docker run example with a note to use --env-file path/to/.env (or reference
Docker secrets) and show the .env keys (HEADLESS_SEED_DEFAULT and
HEADLESS_API_KEY) as placeholders, removing any literal secret values from the
example.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 897082ce-f9d6-4220-ad51-b92b27029aeb

📥 Commits

Reviewing files that changed from the base of the PR and between 64e5bb6 and 3bae2b1.

📒 Files selected for processing (2)

• README.md
• lavamoat/node/policy.json