Audit and document /usr/bin utilities for agent container mounting

[Copilot]

Agent container currently mounts only 3 utilities (date, gh, yq). Many workflows need access to common utilities like jq, curl, grep, etc. This audit documents which utilities should be mounted.

Changes

Created specs/agent-container-utilities.md with:

• Usage analysis of 184 workflow files with frequency counts
• 28 utilities categorized by importance:
  • Essential (6): jq, grep, cat, curl, find, git
  • Common (10): which, mkdir, wc, head, tail, sort, diff, cp, ls, sed, cut
  • Optional (12): file, rm, chmod, zip, unzip, mv, wget, etc.
• Security risk assessment (Low/Medium/High) for each utility
• Implementation recommendations with code examples

Key Findings

jq is most critically needed (253 refs, 231 direct invocations). Recommended additions:

// Priority 1 - Essential utilities
awfArgs = append(awfArgs, "--mount", "/usr/bin/jq:/usr/bin/jq:ro")
awfArgs = append(awfArgs, "--mount", "/usr/bin/grep:/usr/bin/grep:ro")
awfArgs = append(awfArgs, "--mount", "/usr/bin/cat:/usr/bin/cat:ro")
awfArgs = append(awfArgs, "--mount", "/usr/bin/curl:/usr/bin/curl:ro")
awfArgs = append(awfArgs, "--mount", "/usr/bin/find:/usr/bin/find:ro")

Network utilities (curl, git, wget) already controlled by existing firewall rules. All mounts use :ro for security.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[plan] Audit and document all essential /usr/bin utilities used by workflows</issue_title>
<issue_description>## Objective

Conduct a comprehensive audit of all essential utilities from /usr/bin that are commonly used in agentic workflows and document which ones should be mounted into the agent container.

Context

Currently, only three binaries from /usr/bin are mounted into the agent container:

• /usr/bin/date
• /usr/bin/gh (GitHub CLI)
• /usr/bin/yq

Many workflows may need access to other common utilities like jq, curl, wget, git, tar, zip, etc.

Approach

1. Review the Ubuntu runner image documentation in specs/ubuntulatest.md to identify commonly available utilities
2. Analyze existing workflow files (.github/workflows/*.md) to identify which /usr/bin utilities are actually being used
3. Use grep to search for common utility names across workflow files
4. Create a prioritized list of utilities that should be mounted, categorized by:
   • Essential (required for most workflows)
   • Common (frequently used)
   • Optional (specialized use cases)
5. Document findings in a new file specs/agent-container-utilities.md

Files to Create/Modify

• Create: specs/agent-container-utilities.md (audit results and recommendations)
• Review: .github/workflows/*.md (identify utility usage patterns)
• Reference: specs/ubuntulatest.md (available utilities)

Acceptance Criteria

• Audit identifies at least 15 commonly used utilities from /usr/bin
• Utilities are categorized by importance (essential/common/optional)
• Document includes usage frequency analysis from existing workflows
• Document provides clear mounting recommendations with rationale
• Document notes any security considerations for each utility
  Related to epic: build/test environment for agentic workflow #11970

AI generated by Plan Command for #11970

Comments on the Issue (you are @copilot in this section)

• Fixes [plan] Audit and document all essential /usr/bin utilities used by workflows #11971

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

---

Changeset

• Type: patch
• Description: Documented the audit of /usr/bin utilities required by agent workflows and provided recommendations for mounting them in the agent container.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

Smoke Test Results

PRs Tested:

• Fix AWF command quoting to ensure agent runs inside firewall container #11969: Fix AWF command quoting
• Add project frontmatter field for automatic project board tracking #12046: Add project frontmatter field

Test Results:

• ✅ GitHub MCP
• ✅ Safe Inputs GH CLI
• ✅ Serena MCP
• ✅ Playwright
• ✅ File Writing
• ✅ Bash Tool
• ✅ Discussion Interaction

Overall Status: PASS ✅

@Mossaka

AI generated by Smoke Copilot

[github-actions]

Smoke Test Results - Claude Engine

PR #11969: Fix AWF command quoting
PR #12046: Add project frontmatter field

✅ GitHub MCP
✅ GH CLI (safeinputs-gh)
✅ Serena MCP
✅ Make Build
✅ Playwright
✅ Tavily Search
✅ File Write
✅ Bash
✅ Discussion Interaction

Status: ✅ PASS

AI generated by Smoke Claude

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

PR titles:
Fix AWF command quoting to ensure agent runs inside firewall container
Add project frontmatter field for automatic project board tracking
Tests: GitHub MCP ✅ | safeinputs-gh ✅ | Serena ✅ | Playwright ✅ | Tavily ✅ | File write ✅ | Bash cat ✅ | Discussion ✅
Overall: PASS

AI generated by Smoke Codex