Merge branch 'main' into support-sap-gen-ai-hub

Author: EItanya

.github/workflows/ci.yaml

@@ -265,6 +265,7 @@ jobs:
           - app
           - cli
           - golang-adk
+          - golang-adk-full
           - skills-init
     runs-on: ubuntu-latest
     services:

.github/workflows/image-scan.yaml

@@ -31,6 +31,7 @@ jobs:
           - app
           - skills-init
           - golang-adk
+          - golang-adk-full
     runs-on: ubuntu-latest
     services:
       registry:

.github/workflows/tag.yaml

@@ -21,6 +21,7 @@ jobs:
           - ui
           - app
           - golang-adk
+          - golang-adk-full
           - skills-init
     runs-on: ubuntu-latest
     permissions:

Makefile

@@ -46,12 +46,14 @@ UI_IMAGE_TAG ?= $(VERSION)
 APP_IMAGE_TAG ?= $(VERSION)
 KAGENT_ADK_IMAGE_TAG ?= $(VERSION)
 GOLANG_ADK_IMAGE_TAG ?= $(VERSION)
+GOLANG_ADK_FULL_IMAGE_TAG ?= $(VERSION)-full
 SKILLS_INIT_IMAGE_TAG ?= $(VERSION)
 CONTROLLER_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(CONTROLLER_IMAGE_NAME):$(CONTROLLER_IMAGE_TAG)
 UI_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(UI_IMAGE_NAME):$(UI_IMAGE_TAG)
 APP_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(APP_IMAGE_NAME):$(APP_IMAGE_TAG)
 KAGENT_ADK_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(KAGENT_ADK_IMAGE_NAME):$(KAGENT_ADK_IMAGE_TAG)
 GOLANG_ADK_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(GOLANG_ADK_IMAGE_NAME):$(GOLANG_ADK_IMAGE_TAG)
+GOLANG_ADK_FULL_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(GOLANG_ADK_IMAGE_NAME):$(GOLANG_ADK_FULL_IMAGE_TAG)
 SKILLS_INIT_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(SKILLS_INIT_IMAGE_NAME):$(SKILLS_INIT_IMAGE_TAG)
 
 #take from go/go.mod
@@ -165,6 +167,7 @@ buildx-create:
 build-all: BUILD_ARGS ?= --progress=plain --builder $(BUILDX_BUILDER_NAME) --platform linux/amd64,linux/arm64 --output type=tar,dest=/dev/null
 build-all: buildx-create
 	$(DOCKER_BUILDER) build $(BUILD_ARGS) $(TOOLS_IMAGE_BUILD_ARGS) -f go/Dockerfile     ./go
+	$(DOCKER_BUILDER) build $(BUILD_ARGS) $(TOOLS_IMAGE_BUILD_ARGS) -f go/Dockerfile.full ./go
 	$(DOCKER_BUILDER) build $(BUILD_ARGS) $(TOOLS_IMAGE_BUILD_ARGS) -f ui/Dockerfile     ./ui
 	$(DOCKER_BUILDER) build $(BUILD_ARGS) $(TOOLS_IMAGE_BUILD_ARGS) -f python/Dockerfile ./python
 
@@ -218,13 +221,14 @@ prune-docker-images:
 	docker images --filter dangling=true -q | xargs -r docker rmi || :
 
 .PHONY: build
-build: buildx-create build-controller build-ui build-app build-golang-adk build-skills-init
+build: buildx-create build-controller build-ui build-app build-golang-adk build-golang-adk-full build-skills-init
 	@echo "Build completed successfully."
 	@echo "Controller Image: $(CONTROLLER_IMG)"
 	@echo "UI Image: $(UI_IMG)"
 	@echo "App Image: $(APP_IMG)"
 	@echo "Kagent ADK Image: $(KAGENT_ADK_IMG)"
 	@echo "Golang ADK Image: $(GOLANG_ADK_IMG)"
+	@echo "Golang ADK Full Image: $(GOLANG_ADK_FULL_IMG)"
 	@echo "Skills Init Image: $(SKILLS_INIT_IMG)"
 
 .PHONY: build-monitor
@@ -246,6 +250,8 @@ build-img-versions:
 	@echo ui=$(UI_IMG)
 	@echo app=$(APP_IMG)
 	@echo kagent-adk=$(KAGENT_ADK_IMG)
+	@echo golang-adk=$(GOLANG_ADK_IMG)
+	@echo golang-adk-full=$(GOLANG_ADK_FULL_IMG)
 	@echo skills-init=$(SKILLS_INIT_IMG)
 
 .PHONY: lint
@@ -254,7 +260,7 @@ lint:
 	make -C python lint
 
 .PHONY: push
-push: push-controller push-ui push-app push-kagent-adk push-golang-adk
+push: push-controller push-ui push-app push-kagent-adk push-golang-adk push-golang-adk-full
 
 
 .PHONY: controller-manifests
@@ -282,6 +288,10 @@ build-app: buildx-create build-kagent-adk
 build-golang-adk: buildx-create
 	$(DOCKER_BUILDER) build $(DOCKER_BUILD_ARGS) $(TOOLS_IMAGE_BUILD_ARGS) --build-arg BUILD_PACKAGE=adk/cmd/main.go -t $(GOLANG_ADK_IMG) -f go/Dockerfile ./go
 
+.PHONY: build-golang-adk-full
+build-golang-adk-full: buildx-create
+	$(DOCKER_BUILDER) build $(DOCKER_BUILD_ARGS) $(TOOLS_IMAGE_BUILD_ARGS) --build-arg BUILD_PACKAGE=adk/cmd/main.go -t $(GOLANG_ADK_FULL_IMG) -f go/Dockerfile.full ./go
+
 .PHONY: build-skills-init
 build-skills-init: buildx-create
 	$(DOCKER_BUILDER) build $(DOCKER_BUILD_ARGS) -t $(SKILLS_INIT_IMG) -f docker/skills-init/Dockerfile docker/skills-init

go/Dockerfile.full

@@ -0,0 +1,66 @@
+ARG BASE_IMAGE_REGISTRY=cgr.dev
+ARG BUILDPLATFORM
+FROM --platform=$BUILDPLATFORM $BASE_IMAGE_REGISTRY/chainguard/go:latest AS builder
+ARG TARGETARCH
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG BUILD_PACKAGE=adk/cmd/main.go
+
+WORKDIR /workspace
+COPY go.mod go.sum .
+RUN --mount=type=cache,target=/root/go/pkg/mod,rw \
+    --mount=type=cache,target=/root/.cache/go-build,rw \
+    go mod download
+
+COPY api/ api/
+COPY core/ core/
+COPY adk/ adk/
+
+ARG LDFLAGS
+RUN --mount=type=cache,target=/root/go/pkg/mod,rw \
+    --mount=type=cache,target=/root/.cache/go-build,rw \
+    echo "Building on $BUILDPLATFORM -> linux/$TARGETARCH" && \
+    CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -ldflags "$LDFLAGS" -o /app "$BUILD_PACKAGE"
+
+FROM $BASE_IMAGE_REGISTRY/chainguard/wolfi-base:latest AS srt-builder
+ARG TOOLS_PYTHON_VERSION=3.13
+
+RUN --mount=type=cache,target=/var/cache/apk,rw \
+    apk add --no-cache \
+    bash git ca-certificates nodejs npm node-gyp bubblewrap python-${TOOLS_PYTHON_VERSION} libstdc++
+
+RUN --mount=type=cache,target=/root/.npm \
+    mkdir -p /opt && \
+    cd /opt && \
+    git clone --depth 1 --revision=ef4afdef4d711ba21a507d7f7369e305f7d3dbfa https://github.com/anthropic-experimental/sandbox-runtime.git && \
+    cd sandbox-runtime && \
+    npm install && \
+    npm run build && \
+    npm prune --omit=dev
+
+FROM $BASE_IMAGE_REGISTRY/chainguard/wolfi-base:latest
+ARG TOOLS_PYTHON_VERSION=3.13
+
+RUN --mount=type=cache,target=/var/cache/apk,rw \
+    apk add --no-cache \
+    bash ca-certificates curl nodejs bubblewrap socat python-${TOOLS_PYTHON_VERSION} ripgrep libstdc++
+
+RUN addgroup -g 1001 goagent && \
+    adduser -u 1001 -G goagent -s /bin/bash -D goagent
+
+COPY --from=srt-builder /opt/sandbox-runtime /opt/sandbox-runtime
+
+RUN chmod +x /opt/sandbox-runtime/dist/cli.js && \
+    ln -s /opt/sandbox-runtime/dist/cli.js /usr/bin/srt
+
+WORKDIR /
+COPY --from=builder /app /app
+ENV PATH="/usr/bin:/opt/sandbox-runtime/node_modules/.bin:$PATH"
+ARG VERSION
+
+LABEL org.opencontainers.image.source=https://github.com/kagent-dev/kagent
+LABEL org.opencontainers.image.description="Kagent Go ADK runtime with sandbox execution dependencies."
+LABEL org.opencontainers.image.version="$VERSION"
+
+USER 1001:1001
+ENTRYPOINT ["/app"]

go/adk/pkg/agent/agent.go

@@ -68,23 +68,10 @@ func CreateGoogleADKAgentWithSubagentSessionIDs(ctx context.Context, agentConfig
 		log.Info("Wired remote A2A agent tool", "name", remoteAgent.Name, "url", remoteAgent.Url)
 	}
 
-	// Add memory tools if memory is configured
-	var memoryTools []tool.Tool
-	if agentConfig.Memory != nil {
-		log.Info("Memory configuration detected, adding memory tools")
-		memoryTools = []tool.Tool{
-			preloadmemorytool.New(),
-			loadmemorytool.New(),
-		}
-	}
-	memoryTools = append(memoryTools, remoteAgentTools...)
-	memoryTools = append(memoryTools, extraTools...)
-
-	askUserTool, err := tools.NewAskUserTool()
+	localTools, err := buildAgentTools(agentConfig, remoteAgentTools, extraTools, log)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to create ask_user tool: %w", err)
+		return nil, nil, err
 	}
-	memoryTools = append(memoryTools, askUserTool)
 
 	if agentConfig.Model == nil {
 		return nil, nil, fmt.Errorf("model configuration is required")
@@ -126,7 +113,7 @@ func CreateGoogleADKAgentWithSubagentSessionIDs(ctx context.Context, agentConfig
 		Instruction:         agentConfig.Instruction,
 		Model:               llmModel,
 		IncludeContents:     llmagent.IncludeContentsDefault,
-		Tools:               memoryTools,
+		Tools:               localTools,
 		Toolsets:            toolsets,
 		BeforeToolCallbacks: beforeToolCallbacks,
 		AfterToolCallbacks: []llmagent.AfterToolCallback{
@@ -156,6 +143,36 @@ func CreateGoogleADKAgentWithSubagentSessionIDs(ctx context.Context, agentConfig
 	return llmAgent, subagentSessionIDs, nil
 }
 
+func buildAgentTools(agentConfig *adk.AgentConfig, remoteAgentTools, extraTools []tool.Tool, log logr.Logger) ([]tool.Tool, error) {
+	var localTools []tool.Tool
+	if agentConfig.Memory != nil {
+		log.Info("Memory configuration detected, adding memory tools")
+		localTools = []tool.Tool{
+			preloadmemorytool.New(),
+			loadmemorytool.New(),
+		}
+	}
+	localTools = append(localTools, remoteAgentTools...)
+	localTools = append(localTools, extraTools...)
+
+	skillsDirectory := strings.TrimSpace(os.Getenv("KAGENT_SKILLS_FOLDER"))
+	if skillsDirectory != "" {
+		skillsTools, err := tools.NewSkillsTools(skillsDirectory)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create skills tools: %w", err)
+		}
+		localTools = append(localTools, skillsTools...)
+		log.Info("Wired local skills tools", "skillsDirectory", skillsDirectory, "toolCount", len(skillsTools))
+	}
+
+	askUserTool, err := tools.NewAskUserTool()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create ask_user tool: %w", err)
+	}
+	localTools = append(localTools, askUserTool)
+	return localTools, nil
+}
+
 // CreateLLM creates an adkmodel.LLM from the model configuration.
 // This is exported to allow reuse of model creation logic (e.g., for memory summarization).
 func CreateLLM(ctx context.Context, m adk.Model, log logr.Logger) (adkmodel.LLM, error) {

go/adk/pkg/agent/agent_test.go

@@ -2,8 +2,11 @@ package agent
 
 import (
 	"encoding/json"
+	"os"
+	"path/filepath"
 	"testing"
 
+	"github.com/go-logr/logr"
 	"github.com/kagent-dev/kagent/go/adk/pkg/models"
 	"github.com/kagent-dev/kagent/go/api/adk"
 )
@@ -283,6 +286,42 @@ func TestConfigDeserialization_Bedrock(t *testing.T) {
 	}
 }
 
+func TestBuildAgentTools_WiresSkillsToolsFromEnv(t *testing.T) {
+	skillsDir := t.TempDir()
+	skillDir := filepath.Join(skillsDir, "csv-to-json")
+	if err := os.MkdirAll(skillDir, 0755); err != nil {
+		t.Fatalf("failed to create skill dir: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(skillDir, "SKILL.md"), []byte(`---
+name: csv-to-json
+description: Convert CSV into JSON.
+---
+
+Use the script in scripts/convert.py.
+`), 0644); err != nil {
+		t.Fatalf("failed to write SKILL.md: %v", err)
+	}
+
+	t.Setenv("KAGENT_SKILLS_FOLDER", skillsDir)
+	t.Setenv("KAGENT_SRT_SETTINGS_PATH", filepath.Join(t.TempDir(), "srt-settings.json"))
+
+	tools, err := buildAgentTools(&adk.AgentConfig{}, nil, nil, logr.Discard())
+	if err != nil {
+		t.Fatalf("buildAgentTools() error = %v", err)
+	}
+
+	got := map[string]bool{}
+	for _, tool := range tools {
+		got[tool.Name()] = true
+	}
+
+	for _, name := range []string{"skills", "read_file", "write_file", "edit_file", "bash", "ask_user"} {
+		if !got[name] {
+			t.Errorf("expected tool %q to be registered", name)
+		}
+	}
+}
+
 // TestAgentConfigFieldUsage is a smoke test that ensures AgentConfig structures
 // used by agents exercise all relevant fields. This test acts as a canary: if a
 // new field is added to AgentConfig but not reflected in this test configuration,

go/adk/pkg/config/config_usage.go

@@ -35,6 +35,10 @@ import (
 //   - Currently disabled in Go controller (see adk_api_translator.go:533)
 //   - Would enable SandboxedLocalCodeExecutor if true
 //
+// Agent.Spec.Sandbox.Network -> AgentConfig.Network
+//   - Translated into the mounted srt-settings.json consumed by sandboxed execution
+//   - When omitted, sandboxed execution remains deny-by-default for outbound network access
+//
 // Agent.Spec.A2AConfig.Skills -> Not in config.json, handled separately
 //   - Skills are added via SkillsPlugin in Python
 //   - In go-adk, skills are handled via KAGENT_SKILLS_FOLDER env var
@@ -72,6 +76,7 @@ func ValidateAgentConfigUsageWithLogger(config *adk.AgentConfig, logger logr.Log
 			"modelType", config.Model.GetType(),
 			"stream", config.Stream,
 			"executeCode", config.ExecuteCode,
+			"hasNetworkConfig", config.Network != nil,
 			"httpToolsCount", len(config.HttpTools),
 			"sseToolsCount", len(config.SseTools),
 			"remoteAgentsCount", len(config.RemoteAgents))
@@ -116,6 +121,7 @@ func GetAgentConfigSummary(config *adk.AgentConfig) string {
 	summary += fmt.Sprintf("  Instruction: %d chars\n", len(config.Instruction))
 	summary += fmt.Sprintf("  Stream: %v\n", config.Stream)
 	summary += fmt.Sprintf("  ExecuteCode: %v\n", config.ExecuteCode)
+	summary += fmt.Sprintf("  HasNetworkConfig: %v\n", config.Network != nil)
 	summary += fmt.Sprintf("  HttpTools: %d\n", len(config.HttpTools))
 	summary += fmt.Sprintf("  SseTools: %d\n", len(config.SseTools))
 	summary += fmt.Sprintf("  RemoteAgents: %d\n", len(config.RemoteAgents))

go/adk/pkg/skills/discovery_test.go

@@ -252,6 +252,7 @@ func TestLoadSkillContent_NoSkillMD(t *testing.T) {
 func TestSkillExecution_Integration(t *testing.T) {
 	sessionDir, _ := createSkillTestEnv(t)
 	defer os.RemoveAll(filepath.Dir(sessionDir))
+	defer os.RemoveAll(installFakeSRT(t))
 
 	// 1. "Upload" a file for the skill to process
 	inputCSVPath := filepath.Join(sessionDir, "uploads", "data.csv")
@@ -262,7 +263,11 @@ func TestSkillExecution_Integration(t *testing.T) {
 
 	// 2. Execute the skill's core command
 	command := "python skills/csv-to-json/scripts/convert.py uploads/data.csv outputs/result.json"
-	result, err := ExecuteCommand(context.Background(), command, sessionDir)
+	executor, err := NewCommandExecutorFromEnv()
+	if err != nil {
+		t.Fatalf("NewCommandExecutorFromEnv() error = %v", err)
+	}
+	result, err := executor.ExecuteCommand(context.Background(), command, sessionDir)
 	if err != nil {
 		// Python might not be available, skip this test
 		t.Skipf("Python not available or command failed: %v", err)

go/adk/pkg/skills/shell.go

@@ -12,6 +12,12 @@ import (
 	"time"
 )
 
+const srtSettingsPathEnv = "KAGENT_SRT_SETTINGS_PATH"
+
+type CommandExecutor struct {
+	srtArgs []string
+}
+
 // ReadFileContent reads a file with line numbers.
 func ReadFileContent(path string, offset, limit int) (string, error) {
 	file, err := os.Open(path)
@@ -102,8 +108,24 @@ func EditFileContent(path string, oldString, newString string, replaceAll bool)
 	return os.WriteFile(path, []byte(newContent), 0644)
 }
 
+func resolveSRTSettingsArgs() ([]string, error) {
+	settingsPath := strings.TrimSpace(os.Getenv(srtSettingsPathEnv))
+	if settingsPath == "" {
+		return nil, fmt.Errorf("%s is not set", srtSettingsPathEnv)
+	}
+	return []string{"--settings", settingsPath}, nil
+}
+
+func NewCommandExecutorFromEnv() (*CommandExecutor, error) {
+	srtArgs, err := resolveSRTSettingsArgs()
+	if err != nil {
+		return nil, err
+	}
+	return &CommandExecutor{srtArgs: srtArgs}, nil
+}
+
 // ExecuteCommand executes a shell command.
-func ExecuteCommand(ctx context.Context, command string, workingDir string) (string, error) {
+func (e *CommandExecutor) ExecuteCommand(ctx context.Context, command string, workingDir string) (string, error) {
 	timeout := 30 * time.Second
 	if strings.Contains(command, "python") {
 		timeout = 60 * time.Second
@@ -112,9 +134,8 @@ func ExecuteCommand(ctx context.Context, command string, workingDir string) (str
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 
-	// In the python version, it uses 'srt' for sandboxing.
-	// Here we'll execute the command directly but you might want to wrap it in a sandbox.
-	cmd := exec.CommandContext(ctx, "bash", "-c", command)
+	args := append(append([]string{}, e.srtArgs...), "bash", "-c", command)
+	cmd := exec.CommandContext(ctx, "srt", args...)
 	cmd.Dir = workingDir
 
 	var stdout, stderr bytes.Buffer