
Copilot AI commented Jan 27, 2026

  • Understand the problem statement and audit report
  • Explore the codebase to find relevant files (copilot_engine_execution.go)
  • Review existing tests for mount functionality
  • Add essential utilities (Priority 1): cat, curl, date, find, gh, grep, jq, yq
  • Add common utilities (Priority 2): cp, cut, diff, head, ls, mkdir, rm, sed, sort, tail, wc, which
  • Add tests for the new utility mounts
  • Run formatting and linting
  • Run code review and address feedback
  • Run security scan (0 alerts)
  • Merge origin/main and regenerate lock files

Changes Summary:

Based on the Agent Container Utilities Audit (#11970), this PR mounts recommended binaries into the AWF container:

Essential utilities (8): cat, curl, date, find, gh, grep, jq, yq
Common utilities (12): cp, cut, diff, head, ls, mkdir, rm, sed, sort, tail, wc, which

All mounts are read-only (:ro) for security. The binaries execute and operate on the read-write workspace directory inside the container.

Security Summary: No vulnerabilities discovered.

Original prompt

Based on this audit report, work on an implementation to mount recommended binaries into the agent container:

Agent Container Utilities Audit

Last Updated: 2026-01-27
Related Issue: #11970

This document provides a comprehensive audit of /usr/bin utilities used in agentic workflows, with recommendations for mounting into the agent container.

Overview

The agent container currently mounts only three utilities from /usr/bin:

  • /usr/bin/date - Date/time operations
  • /usr/bin/gh - GitHub CLI
  • /usr/bin/yq - YAML processor

This audit identifies additional utilities commonly used in workflows and provides categorized recommendations for container mounting.

Methodology

The audit analyzed:

  1. 184 workflow files in .github/workflows/*.md
  2. Usage frequency of common utilities via pattern matching
  3. Lock file analysis to identify current mounts
  4. Ubuntu runner image available utilities (from specs/ubuntulatest.md)

Usage Frequency Analysis

The following table shows utility usage frequency in workflow markdown files:

| Utility | Usage Count | Category | Currently Mounted |
|---|---|---|---|
| file | 666* | Optional | |
| date | 344 | Essential | |
| jq | 253 | Essential | |
| find | 172 | Common | |
| git | 160 | Essential | ❌ (via PATH) |
| grep | 155 | Essential | |
| cat | 147 | Essential | |
| which | 89 | Common | |
| mkdir | 66 | Common | |
| wc | 60 | Common | |
| head | 53 | Common | |
| sort | 45 | Common | |
| diff | 41 | Common | |
| cp | 37 | Common | |
| curl | 35 | Essential | |
| ls | 23 | Common | |
| yq | 17 | Essential | |
| awk | 15 | Common | |
| rm | 13 | Optional | |
| sed | 10 | Common | |
| cut | 10 | Common | |
| chmod | 8 | Optional | |
| zip | 7 | Optional | |
| tail | 6 | Common | |
| mv | 6 | Optional | |
| stat | 4 | Optional | |
| tee | 4 | Optional | |
| ln | 4 | Optional | |
| xargs | 3 | Optional | |
| wget | 3 | Optional | |
| touch | 3 | Optional | |
| unzip | 2 | Optional | |
| base64 | 1 | Optional | |
| tr | 1 | Optional | |

Categorized Recommendations

Essential Utilities (Required for Most Workflows)

These utilities are fundamental to workflow operation and should be mounted.

1. jq - JSON Processor

  • Path: /usr/bin/jq
  • Usage: 253 references, 231 direct command invocations
  • Purpose: JSON parsing, transformation, and filtering
  • Security: Low risk - processes data, no network access
  • Recommendation: MOUNT - Critical for API response processing

2. grep - Pattern Matcher

  • Path: /usr/bin/grep
  • Usage: 155 references
  • Purpose: Text searching and filtering
  • Security: Low risk - read-only pattern matching
  • Recommendation: MOUNT - Essential for log analysis and text processing

3. cat - File Concatenation

  • Path: /usr/bin/cat
  • Usage: 147 references
  • Purpose: Reading and displaying file contents
  • Security: Low risk - read-only file access
  • Recommendation: MOUNT - Basic file reading capability

4. curl - HTTP Client

  • Path: /usr/bin/curl
  • Usage: 35 references
  • Purpose: HTTP requests, API calls, file downloads
  • Security: Medium risk - network access capability
  • Mitigations:
    • Already controlled by network firewall rules
    • Workflows define allowed domains in network.allowed
  • Recommendation: MOUNT - Required for API integrations

5. find - File Search

  • Path: /usr/bin/find
  • Usage: 172 references
  • Purpose: Locating files by name, type, or attributes
  • Security: Low risk - filesystem traversal only
  • Recommendation: MOUNT - Essential for file discovery

6. git - Version Control

  • Path: /usr/bin/git
  • Usage: 160 references
  • Purpose: Source control operations
  • Security: Medium risk - can fetch from/push to remotes
  • Mitigations:
    • Network access controlled by firewall
    • Credentials passed via environment
  • Recommendation: MOUNT - Critical for code operations
  • Note: May already be available via /opt/hostedtoolcache mount

Common Utilities (Frequently Used)

These utilities are commonly used but workflows can function without them.

7. which - Command Location

  • Path: /usr/bin/which
  • Usage: 89 references
  • Purpose: Finding executable paths
  • Security: Low risk - PATH inspection only
  • Recommendation: MOUNT - Useful for tool detection

8. mkdir - Directory Creation

  • Path: /usr/bin/mkdir
  • Usage: 66 references
  • Purpose: Creating directories
  • Security: Low risk - filesystem write (sandboxed)
  • Recommendation: MOUNT - Common file operations

9. wc - Word Count

  • Path: /usr/bin/wc
  • Usage: 60 references
  • Purpose: Count...



Changeset

  • Type: patch
  • Description: Read-only mount of the audited essential and common binaries into the AWF agent container so workflows can depend on the expected utilities

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI and others added 2 commits January 27, 2026 17:39
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add implementation to mount recommended binaries into agent container" to "Mount recommended binaries into AWF agent container" Jan 27, 2026
Copilot AI requested a review from Mossaka January 27, 2026 17:48
@Mossaka

Mossaka commented Jan 27, 2026

@copilot why don't you mount every binary from /usr/bin to the agent container?


Copilot AI commented Jan 27, 2026

@copilot why don't you mount every binary from /usr/bin to the agent container?

The selective mounting approach was chosen based on the audit report's security recommendations:

  1. Security concerns: The audit explicitly lists utilities NOT recommended for mounting due to security risks:

    • sudo - Privilege escalation
    • chown - Ownership manipulation
    • mount - Filesystem manipulation
    • passwd - Credential modification
    • ssh - Direct remote access
    • nc/netcat - Raw network access
    • dd - Low-level disk operations
  2. Minimal attack surface: Mounting only required utilities follows the principle of least privilege. /usr/bin contains ~1000+ binaries on Ubuntu, most unused by workflows.

  3. Audit-driven selection: The 20 utilities selected were based on actual usage analysis across 184 workflow files, ensuring we mount what's needed without exposing unnecessary capabilities.

If you'd prefer mounting the entire directory instead, I can make that change - but it would require documenting the security tradeoff and potentially adding blocklists for dangerous utilities.
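As an added illustration of the selective, read-only mounting this reply describes (example code, not the project's own copilot_engine_execution.go): a hypothetical Go helper that turns audited utility names into `-v host:container:ro` flags, accepts only bare file names under /usr/bin, and refuses the binaries the audit lists as not recommended. The function name, the denylist map and the flag format are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

const hostBinDir = "/usr/bin" // where the audited utilities live on the runner
// Binaries the audit lists as NOT recommended (assumption: enforced as a denylist).
var deniedUtilities = map[string]bool{"sudo": true, "chown": true, "mount": true,
	"passwd": true, "ssh": true, "nc": true, "netcat": true, "dd": true}

// BuildReadOnlyMounts turns utility names into sorted, de-duplicated
// "-v host:container:ro" flags. Only bare file names are accepted, so a relative
// or absolute path cannot widen the mount set beyond /usr/bin; denylisted names are refused.
func BuildReadOnlyMounts(utilities []string) ([]string, error) {
	seen := map[string]bool{}
	var names []string
	for _, u := range utilities {
		u = strings.TrimSpace(u)
		switch {
		case u == "" || u == "." || u == ".." || strings.ContainsAny(u, "/\\: \t\n"):
			return nil, fmt.Errorf("%q is not a bare file name under %s", u, hostBinDir)
		case deniedUtilities[u]:
			return nil, fmt.Errorf("%q is on the audit's not-recommended list", u)
		}
		if !seen[u] {
			seen[u] = true
			names = append(names, u)
		}
	}
	sort.Strings(names) // deterministic order keeps regenerated lock files stable
	flags := make([]string, 0, 2*len(names))
	for _, n := range names {
		p := hostBinDir + "/" + n
		flags = append(flags, "-v", p+":"+p+":ro") // read-only, as in the PR
	}
	return flags, nil
}

func main() {
	flags, err := BuildReadOnlyMounts([]string{"cat", "curl", "date", "find", "gh", "grep", "jq", "yq"})
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(flags, " "))
}
```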

@Mossaka Mossaka marked this pull request as ready for review January 27, 2026 18:23
@Mossaka

Mossaka commented Jan 27, 2026

@copilot merge origin/main and regenerate

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

Copilot AI commented Jan 27, 2026

@copilot merge origin/main and regenerate

Merged origin/main and regenerated all lock files in commit f10605a.

@github-actions

🔍 PR Triage Results

Category: feature | Risk: high | Priority: 47/100

Scores Breakdown

  • Impact: 30/50 - New feature - enhances capabilities
  • Urgency: 5/30 - Recent PR
  • Quality: 12/20 - CI status unknown, ready for review

📋 Recommended Action: batch_review

This PR mounts 20 recommended binaries from the Agent Container Utilities Audit into the AWF agent container:

Essential utilities (8): cat, curl, date, find, gh, grep, jq, yq
Common utilities (12): cp, cut, diff, head, ls, mkdir, rm, sed, sort, tail, wc, which

Status: Ready for review (not draft) ✅

Risk: High due to large scope (235 files, 14K+ additions) but this is a foundational improvement for agent capabilities. All mounts are read-only for security.

Related PRs: Works with #12085 (library mounting) and validated by #12130 (parity tests).


Triaged by PR Triage Agent on 2026-01-28T00:34:49Z

AI generated by PR Triage Agent

Mossaka and others added 2 commits January 28, 2026 01:00
…nded-binaries

# Conflicts:
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@Mossaka Mossaka added the smoke label Jan 28, 2026
@github-actions

github-actions bot commented Jan 28, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

@github-actions

github-actions bot commented Jan 28, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions bot commented Jan 28, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

docs: Clarify engine selection in Quick Start guide
Add agent-runner environment parity test suite
GitHub MCP merged PRs ✅
safeinputs-gh PR list ✅
Serena activate ✅
Playwright title ✅
Tavily search ✅
File write+cat ✅
Discussion comment ✅
Overall: PASS

AI generated by Smoke Codex

@github-actions

Smoke Test Results

Overall Status: PASS

@Mossaka

AI generated by Smoke Copilot

@github-actions

🤖 Beep boop! The smoke test agent was here! 🎭

Just dropped by to say hi from run §21420605925! All systems are go, tests are passing, and I'm feeling pretty good about it.

Auto-triage looking sharp today! Those classification tables are chef's kiss 👨‍🍳✨

Keep up the excellent work organizing those issues! 🚀

AI generated by Smoke Copilot

@github-actions github-actions bot removed the smoke label Jan 28, 2026
@github-actions

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

Smoke Test Results ✅

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP
  • ✅ Safe Inputs GH CLI
  • ✅ Serena MCP
  • ✅ Make Build
  • ✅ Playwright
  • ✅ Tavily Search
  • ✅ File Writing
  • ✅ Bash Tool
  • ✅ Discussion Interaction

Overall Status: PASS

AI generated by Smoke Claude
