Skip to content

Use agent workspace for kubeoc attach #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ianrossi merged 1 commit into from
Apr 8, 2026
Merged

Use agent workspace for kubeoc attach #3

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 11 additions & 3 deletions cmd/kubeoc/agent.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -305,8 +305,12 @@ func runAgentAttachServiceProxy(ctx context.Context, namespace, agentName string
heartbeatCancel := startConnectionHeartbeat(ctx, k8sClient, namespace, agentName)
defer heartbeatCancel()

// Launch opencode attach
attachCmd := exec.CommandContext(ctx, "opencode", "attach", localURL) //nolint:gosec // args are not user-controlled
// Launch opencode attach from the Agent workspace directory when configured.
attachArgs := []string{"attach", localURL}
if agent.Spec.WorkspaceDir != "" {
attachArgs = append(attachArgs, "--dir", agent.Spec.WorkspaceDir)
Comment on lines +308 to +311
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WorkspaceDir can be inherited via agent.spec.templateRef (AgentTemplate). This code only checks agent.Spec.WorkspaceDir, so attach won’t pass --dir when WorkspaceDir is set on the template (effective workspace differs from what the controller uses). Consider resolving the merged config (e.g., controller.ResolveAgentConfigFromTemplate) and using the resulting workspaceDir instead of reading Agent.Spec directly.

Suggested change
// Launch opencode attach from the Agent workspace directory when configured.
attachArgs := []string{"attach", localURL}
if agent.Spec.WorkspaceDir != "" {
attachArgs = append(attachArgs, "--dir", agent.Spec.WorkspaceDir)
// Resolve the effective Agent configuration so template-inherited fields such as
// WorkspaceDir are handled consistently with the controller.
resolvedAgentConfig, err := controller.ResolveAgentConfigFromTemplate(ctx, k8sClient, &agent)
if err != nil {
return fmt.Errorf("resolve agent config for attach: %w", err)
}
// Launch opencode attach from the effective Agent workspace directory when configured.
attachArgs := []string{"attach", localURL}
if resolvedAgentConfig.WorkspaceDir != "" {
attachArgs = append(attachArgs, "--dir", resolvedAgentConfig.WorkspaceDir)

Copilot uses AI. Check for mistakes.
}
attachCmd := exec.CommandContext(ctx, "opencode", attachArgs...) //nolint:gosec // args are not user-controlled
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The gosec suppression rationale (“args are not user-controlled”) is no longer accurate: localURL is derived from CLI input (localPort), and WorkspaceDir comes from a cluster CR. Please either update the suppression comment to reflect the actual trust boundary/validation (e.g., WorkspaceDir is validated to an absolute path), or add explicit validation and drop the nolint if possible.

Copilot uses AI. Check for mistakes.
attachCmd.Stdin = os.Stdin
attachCmd.Stdout = os.Stdout
attachCmd.Stderr = os.Stderr
Expand Down Expand Up @@ -411,7 +415,11 @@ func runAgentAttachPortForward(ctx context.Context, namespace, agentName string,
heartbeatCancel := startConnectionHeartbeat(ctx, k8sClient, namespace, agentName)
defer heartbeatCancel()

attachCmd := exec.CommandContext(ctx, "opencode", "attach", localURL) //nolint:gosec // args are not user-controlled
attachArgs := []string{"attach", localURL}
if agent.Spec.WorkspaceDir != "" {
attachArgs = append(attachArgs, "--dir", agent.Spec.WorkspaceDir)
}
Comment on lines +418 to +421
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above: WorkspaceDir may be inherited via agent.spec.templateRef, but this block only reads agent.Spec.WorkspaceDir. To ensure attach opens in the actual configured workspace, resolve the merged workspaceDir from the template when TemplateRef is set.

Copilot uses AI. Check for mistakes.
attachCmd := exec.CommandContext(ctx, "opencode", attachArgs...) //nolint:gosec // args are not user-controlled
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same gosec issue here: the suppression comment claims args are not user-controlled, but localURL is influenced by CLI input and WorkspaceDir is sourced from a CR. Update the suppression rationale and/or validate inputs before exec.

Copilot uses AI. Check for mistakes.
attachCmd.Stdin = os.Stdin
attachCmd.Stdout = os.Stdout
attachCmd.Stderr = os.Stderr
Expand Down