fix: align init start scripts, docs, and security policy

docs: update runtime and security notes

Author: dev-dami

README.md

@@ -51,11 +51,13 @@ Ignite runs JavaScript/TypeScript code in **secure, isolated Docker containers**
 
 | Metric | Value |
 |--------|-------|
-| **Runtimes** | Bun |
+| **Runtimes** | Bun (default), Node, Deno, QuickJS |
 | **Base Images** | Alpine (minimal) |
 | **Platforms** | Linux x64/ARM64, macOS x64/ARM64 |
 | **Dependencies** | Docker only |
 
+Note: Bun is the default runtime. Other runtimes are supported but increase the security attack surface; use them only when required and review service code and dependencies carefully.
+
 <img src="https://raw.githubusercontent.com/andreasbm/readme/master/assets/lines/rainbow.png" alt="rainbow" width="100%">
 
 ## Install

docs/api.md

@@ -647,6 +647,8 @@ service:
 | `deno` | 1.40, 1.41, 1.42, 2.0 | index.ts | Secure by default |
 | `quickjs` | latest | index.js | Ultra-fast cold start (~10ms) |
 
+Security note: Bun is the default runtime. Using other runtimes increases the attack surface; only use them when required and keep runtime versions pinned.
+
 **Runtime Version Syntax:**
 
 ```yaml

docs/architecture.md

@@ -25,7 +25,10 @@ Parses `service.yaml` configuration and validates service structure.
 
 ### Runtime Registry
 Manages runtime configuration for the execution environment:
-- **bun**: Bun runtime with native TypeScript support
+- **bun**: Bun runtime with native TypeScript support (default)
+- **node**: Node.js runtime for JS compatibility
+- **deno**: Deno runtime with secure defaults
+- **quickjs**: QuickJS runtime for minimal overhead
 
 ### Docker Runtime
 Manages Docker image building and container execution.
@@ -55,7 +58,7 @@ service.yaml
          │
          ▼
 ┌─────────────────┐
-│Runtime Registry │──► Select Bun
+│Runtime Registry │──► Select runtime (Bun default)
 └────────┬────────┘
          │
          ▼
@@ -83,13 +86,15 @@ Each service runs in its own Docker container with:
 - Environment variable injection
 - Metrics emission via entrypoint wrapper
 
+Security note: Bun is the default runtime. Supporting additional runtimes increases the attack surface, so use them only when required and keep versions pinned.
+
 ## Runtime Registry
 
 The runtime registry (`packages/core/src/runtime/runtime-registry.ts`) provides:
 
 ```typescript
 interface RuntimeConfig {
-  name: RuntimeName;           // 'bun'
+  name: RuntimeName;           // 'bun' (default), 'node', 'deno', 'quickjs'
   dockerfileDir: string;       // Directory containing Dockerfile
   defaultEntry: string;        // Default entry file
   fileExtensions: string[];    // Supported file extensions

docs/threat-model.md

@@ -20,14 +20,14 @@ Ignite aims to provide **defense-in-depth** for executing untrusted JavaScript/T
 ┌─────────────────────────────────────────────────────────────┐
 │                        HOST SYSTEM                          │
 │  ┌───────────────────────────────────────────────────────┐  │
-│  │                    DOCKER DAEMON                       │  │
+│  │                    DOCKER DAEMON                      │  │
 │  │  ┌─────────────────────────────────────────────────┐  │  │
-│  │  │              IGNITE CONTAINER                    │  │  │
+│  │  │              IGNITE CONTAINER                   │  │  │
 │  │  │  ┌─────────────────────────────────────────────┐│  │  │
 │  │  │  │           UNTRUSTED CODE                    ││  │  │
 │  │  │  │                                             ││  │  │
-│  │  │  │  This is where AI-generated or user code   ││  │  │
-│  │  │  │  executes. Assume fully malicious.         ││  │  │
+│  │  │  │  This is where AI-generated or user code    ││  │  │
+│  │  │  │  executes. Assume fully malicious.          ││  │  │
 │  │  │  └─────────────────────────────────────────────┘│  │  │
 │  │  └─────────────────────────────────────────────────┘  │  │
 │  └───────────────────────────────────────────────────────┘  │

docs/walkthrough.md

@@ -143,7 +143,7 @@ ignite run . --input '{"data": [10, 20, 30], "operation": "average"}'
 service:
   # Required
   name: my-service           # Service identifier
-  runtime: bun               # "bun" or "node"
+  runtime: bun               # bun, node, deno, quickjs (optional version with @)
   entry: index.ts            # Entry file
 
   # Resource Limits
@@ -194,7 +194,12 @@ service:
 
 ### Runtime
 
-Ignite currently supports the Bun runtime for TypeScript and modern ESM modules.
+Ignite supports Bun, Node, Deno, and QuickJS runtimes. Bun is the default and recommended option.
+
+**Security considerations:**
+- Additional runtimes increase the attack surface and dependency complexity.
+- Use non-Bun runtimes only when required by your code or dependencies.
+- Audit dependencies and keep runtime versions pinned (e.g., `node@20`, `deno@2.0`) to reduce drift.
 
 ### Using Dependencies
 

packages/cli/src/commands/init.ts

@@ -2,6 +2,7 @@ import { writeFile, mkdir } from 'node:fs/promises';
 import { join } from 'node:path';
 import { logger } from '@ignite/shared';
 import { isValidRuntime, getRuntimeConfig } from '@ignite/core';
+import { parseRuntime } from '@ignite/shared';
 
 interface InitOptions {
   path?: string;
@@ -21,8 +22,10 @@ function getServiceYamlTemplate(serviceName: string, runtime: string, entry: str
 }
 
 function getPackageJsonTemplate(serviceName: string, runtime: string, entry: string): string {
-  const startCmd = runtime === 'bun' ? `bun run ${entry}` : 
-                   runtime === 'deno' ? `deno run ${entry}` : 
+  const runtimeName = parseRuntime(runtime).name;
+  const startCmd = runtimeName === 'bun' ? `bun run ${entry}` :
+                   runtimeName === 'deno' ? `deno run ${entry}` :
+                   runtimeName === 'quickjs' ? `qjs ${entry}` :
                    `node ${entry}`;
   return JSON.stringify({
     name: serviceName,

packages/core/src/security/audit.ts

@@ -25,6 +25,11 @@ export function parseAuditFromOutput(
     { pattern: /permission denied.*?['"]?([\/\w.-]+)['"]?/gi, action: 'blocked' as const },
   ];
 
+  const processPatterns = [
+    { pattern: /spawn.*EACCES/gi, action: 'spawn' as const },
+    { pattern: /child_process.*blocked/gi, action: 'spawn' as const },
+  ];
+
   const combined = stdout + '\n' + stderr;
 
   for (const { pattern, action } of networkPatterns) {
@@ -56,6 +61,20 @@ export function parseAuditFromOutput(
     }
   }
 
+  for (const { pattern, action } of processPatterns) {
+    const matches = combined.matchAll(pattern);
+    for (const match of matches) {
+      events.push({
+        type: 'process',
+        action,
+        target: extractCommand(match[0]) || 'unknown command',
+        timestamp: now,
+        allowed: false,
+        details: match[0],
+      });
+    }
+  }
+
   const summary = calculateSummary(events);
 
   return { events, summary, policy };
@@ -76,9 +95,15 @@ function extractPath(text: string): string | null {
   return pathMatch?.[1] ?? null;
 }
 
+function extractCommand(text: string): string | null {
+  const cmdMatch = text.match(/spawn\s+['"]?(\w+)['"]?/i);
+  return cmdMatch?.[1] ?? null;
+}
+
 function calculateSummary(events: SecurityEvent[]): SecuritySummary {
   const networkEvents = events.filter(e => e.type === 'network');
   const filesystemEvents = events.filter(e => e.type === 'filesystem');
+  const processEvents = events.filter(e => e.type === 'process');
 
   const hasViolations = events.some(e => !e.allowed);
 
@@ -88,6 +113,8 @@ function calculateSummary(events: SecurityEvent[]): SecuritySummary {
     filesystemReads: filesystemEvents.filter(e => e.action === 'read').length,
     filesystemWrites: filesystemEvents.filter(e => e.action === 'write').length,
     filesystemBlocked: filesystemEvents.filter(e => !e.allowed).length,
+    processSpawns: processEvents.length,
+    processBlocked: processEvents.filter(e => !e.allowed).length,
     overallStatus: hasViolations ? 'violations' : 'clean',
   };
 }
@@ -109,6 +136,7 @@ export function formatSecurityAudit(audit: SecurityAudit): string {
   lines.push(`  ${DIM}Policy:${NC}`);
   lines.push(`    Network: ${audit.policy.network.enabled ? `${YELLOW}enabled${NC}` : `${GREEN}blocked${NC}`}`);
   lines.push(`    Filesystem: ${audit.policy.filesystem.readOnly ? `${GREEN}read-only${NC}` : `${YELLOW}read-write${NC}`}`);
+  lines.push(`    Process spawn: ${audit.policy.process.allowSpawn ? `${YELLOW}allowed${NC}` : `${GREEN}blocked${NC}`}`);
   lines.push('');
 
   if (audit.events.length === 0) {
@@ -119,6 +147,7 @@ export function formatSecurityAudit(audit: SecurityAudit): string {
 
     const networkEvents = audit.events.filter(e => e.type === 'network');
     const fsEvents = audit.events.filter(e => e.type === 'filesystem');
+    const procEvents = audit.events.filter(e => e.type === 'process');
 
     if (networkEvents.length > 0) {
       lines.push('');
@@ -139,6 +168,16 @@ export function formatSecurityAudit(audit: SecurityAudit): string {
         lines.push(`    ${icon} ${event.action}: ${event.target} ${DIM}(${status})${NC}`);
       }
     }
+
+    if (procEvents.length > 0) {
+      lines.push('');
+      lines.push(`  ${BOLD}Process${NC}`);
+      for (const event of procEvents) {
+        const icon = event.allowed ? `${GREEN}✓${NC}` : `${RED}✗${NC}`;
+        const status = event.allowed ? 'allowed' : 'blocked';
+        lines.push(`    ${icon} ${event.action}: ${event.target} ${DIM}(${status})${NC}`);
+      }
+    }
   }
 
   lines.push('');
@@ -148,7 +187,7 @@ export function formatSecurityAudit(audit: SecurityAudit): string {
   if (summary.overallStatus === 'clean') {
     lines.push(`  ${GREEN}✓ Security Status: CLEAN${NC}`);
   } else {
-    const violations = summary.networkBlocked + summary.filesystemBlocked;
+    const violations = summary.networkBlocked + summary.filesystemBlocked + summary.processBlocked;
     lines.push(`  ${RED}✗ Security Status: ${violations} VIOLATION(S) BLOCKED${NC}`);
   }
   lines.push('');

packages/core/src/security/policy.ts

@@ -1,7 +1,7 @@
 import { readFile } from 'node:fs/promises';
 import { resolve } from 'node:path';
 import { parse as parseYaml } from 'yaml';
-import type { SecurityPolicy, NetworkPolicy, FilesystemPolicy } from './security.types.js';
+import type { SecurityPolicy, NetworkPolicy, FilesystemPolicy, ProcessPolicy } from './security.types.js';
 import { DEFAULT_POLICY } from './security.types.js';
 
 export interface PolicyFile {
@@ -12,6 +12,10 @@ export interface PolicyFile {
     filesystem?: {
       readOnly?: boolean;
     };
+    process?: {
+      allowSpawn?: boolean;
+      allowedCommands?: string[];
+    };
   };
 }
 
@@ -47,7 +51,12 @@ function mergePolicies(base: SecurityPolicy, file: PolicyFile): SecurityPolicy {
     readOnly: security.filesystem?.readOnly ?? base.filesystem.readOnly,
   };
 
-  return { network, filesystem };
+  const process: ProcessPolicy = {
+    allowSpawn: security.process?.allowSpawn ?? base.process.allowSpawn,
+    allowedCommands: security.process?.allowedCommands ?? base.process.allowedCommands,
+  };
+
+  return { network, filesystem, process };
 }
 
 export function policyToDockerOptions(policy: SecurityPolicy): {

packages/core/src/security/security.types.ts

@@ -1,6 +1,7 @@
 export interface SecurityPolicy {
   network: NetworkPolicy;
   filesystem: FilesystemPolicy;
+  process: ProcessPolicy;
 }
 
 export interface NetworkPolicy {
@@ -11,9 +12,14 @@ export interface FilesystemPolicy {
   readOnly: boolean;
 }
 
+export interface ProcessPolicy {
+  allowSpawn: boolean;
+  allowedCommands?: string[];
+}
+
 export interface SecurityEvent {
-  type: 'network' | 'filesystem';
-  action: 'read' | 'write' | 'connect' | 'blocked';
+  type: 'network' | 'filesystem' | 'process';
+  action: 'read' | 'write' | 'connect' | 'spawn' | 'blocked';
   target: string;
   timestamp: number;
   allowed: boolean;
@@ -32,6 +38,8 @@ export interface SecuritySummary {
   filesystemReads: number;
   filesystemWrites: number;
   filesystemBlocked: number;
+  processSpawns: number;
+  processBlocked: number;
   overallStatus: 'clean' | 'violations';
 }
 
@@ -42,4 +50,7 @@ export const DEFAULT_POLICY: SecurityPolicy = {
   filesystem: {
     readOnly: true,
   },
+  process: {
+    allowSpawn: false,
+  },
 };