security: Phase 2 high-priority fixes and UI improvements#42
Merged
initializ-mk merged 4 commits intomainfrom Apr 4, 2026
Merged
security: Phase 2 high-priority fixes and UI improvements#42initializ-mk merged 4 commits intomainfrom
initializ-mk merged 4 commits intomainfrom
Conversation
kubectl fails with "the server has asked for the client to provide credentials" because cli_execute overrides HOME to workDir, so kubectl can't find ~/.kube/config. Fix: - Set KUBECONFIG to real ~/.kube/config for kubectl/helm only (same pattern as GH_CONFIG_DIR for gh) - Set NO_PROXY with K8s API server host extracted from kubeconfig, plus localhost/common local addresses, so kubectl's mTLS/bearer auth isn't broken by the egress proxy - Both env vars scoped to kubectl/helm binaries only
Two fixes: 1. KUBECONFIG/NO_PROXY for kubectl: When HOME is overridden to workDir, kubectl can't find ~/.kube/config. Set KUBECONFIG to the real path (scoped to kubectl/helm only). Also set NO_PROXY with the K8s API server host extracted from kubeconfig so kubectl's mTLS/bearer auth isn't broken by the egress proxy. 2. Skip file part creation for cli_execute: cli_execute is an intermediate tool — the LLM should analyze its output and write a human-readable report. Attaching raw cli_execute JSON as a file causes the LLM to say "see attached" instead of synthesizing a markdown triage report. File parts are still created for file_create and script-backed skill tools.
- Add web_search to no_pii guardrail allow_tools so search results aren't blocked - Suppress continuation nudges for Q&A conversations (no edit/git tools) - Capture stderr and verify PID liveness on agent start for proper error feedback in UI - Extract Error: lines from serve.log instead of showing cobra help text - Add SilenceUsage to run/serve commands to prevent help dump on errors - Load agent .env and encrypted secrets in skill builder provider check - Stream chat text to UI in real-time via status/result SSE events - Show agent start errors in UI card instead of only console.error
41 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Test plan
go test ./...in forge-core, forge-cli, forge-plugins, forge-skills