Pull request overview
Updates kubeoc agent attach to open the OpenCode TUI in the Agent’s configured workspace directory by passing --dir <workspaceDir> to opencode attach.
Changes:
- Build opencode attach argument list dynamically and append --dir when agent.spec.workspaceDir is set (service-proxy mode).
- Apply the same --dir behavior in the legacy kubectl port-forward attach mode.
| // Launch opencode attach from the Agent workspace directory when configured. | ||
| attachArgs := []string{"attach", localURL} | ||
| if agent.Spec.WorkspaceDir != "" { | ||
| attachArgs = append(attachArgs, "--dir", agent.Spec.WorkspaceDir) |
WorkspaceDir can be inherited via agent.spec.templateRef (AgentTemplate). This code only checks agent.Spec.WorkspaceDir, so attach won’t pass --dir when WorkspaceDir is set on the template (effective workspace differs from what the controller uses). Consider resolving the merged config (e.g., controller.ResolveAgentConfigFromTemplate) and using the resulting workspaceDir instead of reading Agent.Spec directly.
| // Launch opencode attach from the Agent workspace directory when configured. | |
| attachArgs := []string{"attach", localURL} | |
| if agent.Spec.WorkspaceDir != "" { | |
| attachArgs = append(attachArgs, "--dir", agent.Spec.WorkspaceDir) | |
| // Resolve the effective Agent configuration so template-inherited fields such as | |
| // WorkspaceDir are handled consistently with the controller. | |
| resolvedAgentConfig, err := controller.ResolveAgentConfigFromTemplate(ctx, k8sClient, &agent) | |
| if err != nil { | |
| return fmt.Errorf("resolve agent config for attach: %w", err) | |
| } | |
| // Launch opencode attach from the effective Agent workspace directory when configured. | |
| attachArgs := []string{"attach", localURL} | |
| if resolvedAgentConfig.WorkspaceDir != "" { | |
| attachArgs = append(attachArgs, "--dir", resolvedAgentConfig.WorkspaceDir) |
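Review bot: The resolved value is still appended to argv after only an emptiness check, in `attachArgs = append(attachArgs, "--dir", resolvedAgentConfig.WorkspaceDir)`, and with template resolution that value can now originate from the referenced template as well as from the Agent itself. Validate the resolved WorkspaceDir before appending it, for example by requiring an absolute path, and return an error that names the field when the check fails.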
| if agent.Spec.WorkspaceDir != "" { | ||
| attachArgs = append(attachArgs, "--dir", agent.Spec.WorkspaceDir) | ||
| } | ||
| attachCmd := exec.CommandContext(ctx, "opencode", attachArgs...) //nolint:gosec // args are not user-controlled |
The gosec suppression rationale (“args are not user-controlled”) is no longer accurate: localURL is derived from CLI input (localPort), and WorkspaceDir comes from a cluster CR. Please either update the suppression comment to reflect the actual trust boundary/validation (e.g., WorkspaceDir is validated to an absolute path), or add explicit validation and drop the nolint if possible.
| attachArgs := []string{"attach", localURL} | ||
| if agent.Spec.WorkspaceDir != "" { | ||
| attachArgs = append(attachArgs, "--dir", agent.Spec.WorkspaceDir) | ||
| } |
Same as above: WorkspaceDir may be inherited via agent.spec.templateRef, but this block only reads agent.Spec.WorkspaceDir. To ensure attach opens in the actual configured workspace, resolve the merged workspaceDir from the template when TemplateRef is set.
| if agent.Spec.WorkspaceDir != "" { | ||
| attachArgs = append(attachArgs, "--dir", agent.Spec.WorkspaceDir) | ||
| } | ||
| attachCmd := exec.CommandContext(ctx, "opencode", attachArgs...) //nolint:gosec // args are not user-controlled |
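Review bot: The `attachArgs` construction and the `exec.CommandContext(ctx, "opencode", attachArgs...)` call here repeat the service-proxy path line for line, including the same `//nolint:gosec` comment. Move the argument building into one shared helper used by both attach modes, so that any validation or template resolution added for WorkspaceDir cannot be applied in one mode and missed in the other.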
Same gosec issue here: the suppression comment claims args are not user-controlled, but localURL is influenced by CLI input and WorkspaceDir is sourced from a CR. Update the suppression rationale and/or validate inputs before exec.
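One way to do the input validation the review comments above ask for before exec, as an added example that is not code from this PR or from the kubeoc project. `buildAttachArgs` and `validateWorkspaceDir` are hypothetical helpers; the loopback URL format and the rule that the remote workspace is a clean absolute POSIX path are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// buildAttachArgs is a hypothetical helper (not from the PR): it validates both
// externally influenced inputs before they become argv for `opencode attach`.
func buildAttachArgs(localPort int, workspaceDir string) ([]string, error) {
	if localPort < 1 || localPort > 65535 { // localPort comes from CLI input
		return nil, fmt.Errorf("local port %d out of range", localPort)
	}
	// Assumed URL format; the page does not show how localURL is built.
	args := []string{"attach", fmt.Sprintf("http://127.0.0.1:%d", localPort)}
	if workspaceDir == "" {
		return args, nil // no workspace configured: attach without --dir
	}
	if err := validateWorkspaceDir(workspaceDir); err != nil {
		return nil, fmt.Errorf("workspaceDir %q: %w", workspaceDir, err)
	}
	return append(args, "--dir", workspaceDir), nil
}

// validateWorkspaceDir accepts only a clean absolute POSIX path (assumed form
// of the remote workspace), so package path is used instead of path/filepath.
func validateWorkspaceDir(dir string) error {
	isControl := func(r rune) bool { return r < 0x20 || r == 0x7f }
	switch {
	case !path.IsAbs(dir):
		// Also rejects values starting with "-" that could read as a flag.
		return errors.New("must be an absolute path")
	case strings.IndexFunc(dir, isControl) >= 0:
		return errors.New("contains control characters")
	case path.Clean(dir) != dir:
		// Rejects "." and ".." segments, doubled and trailing slashes.
		return errors.New("must be in cleaned form")
	}
	return nil
}

func main() {
	for _, dir := range []string{"/workspace/repo", "--help", "/workspace/../etc"} { // constructed samples
		args, err := buildAttachArgs(4096, dir)
		fmt.Println(args, err)
	}
}
```

With a check like this in place, the suppression comment on the exec call can state the actual trust boundary (validated port, validated absolute path from the CR) instead of claiming the arguments are not user-controlled.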
Follow-up for QuantifAI Berlin auth rollout.
kubeoc agent attach now passes --dir <agent.spec.workspaceDir> to opencode attach so the TUI opens in the configured remote workspace instead of the caller's local cwd.