Merge branch 'main' into peterj/substrate

Author: peterj

Makefile

@@ -279,7 +279,7 @@ build-golang-adk-full: buildx-create
 .PHONY: build-skills-init
 build-skills-init: ## Build and push the skills-init image
 build-skills-init: buildx-create
-	$(DOCKER_BUILDER) $(DOCKER_BUILD_ARGS) -t $(SKILLS_INIT_IMG) -f docker/skills-init/Dockerfile docker/skills-init
+	$(DOCKER_BUILDER) $(DOCKER_BUILD_ARGS) -t $(SKILLS_INIT_IMG) -f docker/skills-init/Dockerfile ./go
 	$(DOCKER_PUSH) $(SKILLS_INIT_IMG)
 
 .PHONY: push

docker/skills-init/Dockerfile

@@ -1,24 +1,39 @@
-### Stage 0: build krane
-FROM golang:1.26-alpine AS krane-builder
-
-ENV KRANE_VERSION=v0.21.2
-WORKDIR /build
-
-RUN apk add --no-cache git && \
-    git clone --depth 1 --branch $KRANE_VERSION \
-    https://github.com/google/go-containerregistry.git
-
-WORKDIR /build/go-containerregistry/cmd/krane
-
-RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /build/krane .
-
+### Stage 0: build the skills-init Go binary
+ARG BASE_IMAGE_REGISTRY=cgr.dev
+ARG BUILDPLATFORM
+FROM --platform=$BUILDPLATFORM $BASE_IMAGE_REGISTRY/chainguard/go:latest AS builder
+ARG TARGETARCH
+ARG TARGETOS
+
+WORKDIR /workspace
+
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/root/go/pkg/mod,rw \
+    --mount=type=cache,target=/root/.cache/go-build,rw \
+    go mod download
+
+COPY api/ api/
+COPY core/ core/
+COPY adk/ adk/
+
+ARG LDFLAGS
+RUN --mount=type=cache,target=/root/go/pkg/mod,rw \
+    --mount=type=cache,target=/root/.cache/go-build,rw \
+    CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
+    go build -a -trimpath -ldflags "$LDFLAGS" -o /skills-init ./core/cmd/skills-init
+
+### Stage 1: runtime
 FROM alpine:3.23
 
 ARG PYTHON_UID=1001
 ARG PYTHON_GID=1001
 
-RUN apk upgrade --no-cache && apk add --no-cache git jq
-COPY --from=krane-builder /build/krane /usr/local/bin/krane
+# git is invoked by skills-init via exec.Command with an argv vector — never
+# through a shell — so the only attack surface here is git itself. OCI fetch
+# uses the in-process go-containerregistry library, so krane and jq are gone.
+RUN apk upgrade --no-cache && apk add --no-cache git openssh-client ca-certificates
+
+COPY --from=builder /skills-init /usr/local/bin/skills-init
 
 # Run as the same UID/GID as the main agent container (python user) so that
 # files written to the shared /skills volume are readable by the main container.
@@ -28,3 +43,5 @@ RUN addgroup -g ${PYTHON_GID} pythongroup && \
     adduser -u ${PYTHON_UID} -G pythongroup -s /bin/sh -D python
 
 USER ${PYTHON_UID}:${PYTHON_GID}
+
+ENTRYPOINT ["/usr/local/bin/skills-init"]

go/api/config/crd/bases/kagent.dev_agents.yaml

@@ -13284,8 +13284,10 @@ spec:
                             URL path segment, without .git).
                           type: string
                         path:
-                          description: Subdirectory within the repo to use as the
-                            skill root.
+                          description: |-
+                            Subdirectory within the repo to use as the skill root. The API validates
+                            this input path, but treats repository contents as trusted: symlinks under
+                            this path are dereferenced when materializing the skill.
                           type: string
                         ref:
                           default: main

go/api/config/crd/bases/kagent.dev_sandboxagents.yaml

@@ -10942,8 +10942,10 @@ spec:
                             URL path segment, without .git).
                           type: string
                         path:
-                          description: Subdirectory within the repo to use as the
-                            skill root.
+                          description: |-
+                            Subdirectory within the repo to use as the skill root. The API validates
+                            this input path, but treats repository contents as trusted: symlinks under
+                            this path are dereferenced when materializing the skill.
                           type: string
                         ref:
                           default: main

go/api/v1alpha2/agent_types.go

@@ -147,7 +147,9 @@ type GitRepo struct {
 	// +kubebuilder:default="main"
 	Ref string `json:"ref,omitempty"`
 
-	// Subdirectory within the repo to use as the skill root.
+	// Subdirectory within the repo to use as the skill root. The API validates
+	// this input path, but treats repository contents as trusted: symlinks under
+	// this path are dereferenced when materializing the skill.
 	// +optional
 	Path string `json:"path,omitempty"`
 

go/core/cmd/skills-init/main.go

@@ -0,0 +1,42 @@
+// Command skills-init is the init container binary that fetches an Agent's
+// skills from git repositories and OCI images before the main agent container
+// starts.
+//
+// It reads its configuration from a ConfigMap-mounted JSON file (see the
+// skillsinit package for the wire format) and performs all subprocess
+// invocations with argv vectors — no user input is ever interpolated into a
+// shell, which is the original design defect that motivated this rewrite.
+package main
+
+import (
+	"log"
+	"os/user"
+
+	"github.com/kagent-dev/kagent/go/core/internal/skillsinit"
+)
+
+func main() {
+	log.SetFlags(log.LstdFlags | log.Lmicroseconds)
+
+	cfg, err := skillsinit.LoadConfig()
+	if err != nil {
+		log.Fatalf("skills-init: %v", err)
+	}
+
+	// Resolve home from /etc/passwd via the current uid rather than $HOME so
+	// the binary behaves consistently regardless of how the container was
+	// invoked. The image's user is created with a fixed home dir, so this is
+	// deterministic in production and overridable in tests via the user db.
+	u, err := user.Current()
+	if err != nil {
+		log.Fatalf("skills-init: lookup current user: %v", err)
+	}
+	home := u.HomeDir
+	if home == "" {
+		log.Fatalf("skills-init: current user %q has no home directory", u.Username)
+	}
+
+	if err := skillsinit.Run(cfg, home); err != nil {
+		log.Fatalf("skills-init: %v", err)
+	}
+}