From 12cd7d32092bcafb39675df73c7d6feabbe34195 Mon Sep 17 00:00:00 2001 From: Florencio Cano Gabarda Date: Sat, 25 Apr 2026 19:46:58 +0200 Subject: [PATCH 1/3] feat: integrate prodsec-skills for transparent security guidance in every session MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Clone RedHatProductSecurity/prodsec-skills into the runner image and wire it into every session via add_dirs and the system prompt. Agents get transparent access to 128 security skills covering secure development, security testing, security auditing, and developer tooling — no user action or slash commands required. Changes: - Dockerfile: clone prodsec-skills into /app/prodsec-skills at build time - bridge.py: add /app/prodsec-skills to add_dirs so Claude Code can read files - prompts.py: system prompt tells agents where skills are and when to use them Made-with: Cursor --- components/runners/ambient-runner/Dockerfile | 4 ++++ .../ambient_runner/bridges/claude/bridge.py | 7 +++++++ .../ambient_runner/platform/prompts.py | 20 +++++++++++++++++++ 3 files changed, 31 insertions(+) diff --git a/components/runners/ambient-runner/Dockerfile b/components/runners/ambient-runner/Dockerfile index 0d15b77cf..59bd32be7 100755 --- a/components/runners/ambient-runner/Dockerfile +++ b/components/runners/ambient-runner/Dockerfile @@ -46,6 +46,10 @@ RUN npm install -g @google/gemini-cli@${GEMINI_CLI_VERSION} && \ # Install CodeRabbit CLI (official install script, binary for current arch) RUN curl -fsSL https://cli.coderabbit.ai/install.sh | CODERABBIT_INSTALL_DIR=/usr/local/bin sh +# Install prodsec-skills (Product Security guidance available to every session) +RUN git clone --depth 1 https://github.com/RedHatProductSecurity/prodsec-skills.git /app/prodsec-skills && \ + rm -rf /app/prodsec-skills/.git + # Set environment variables ENV PYTHONUNBUFFERED=1 ENV PYTHONDONTWRITEBYTECODE=1 diff --git a/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py b/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py index 893e2348c..c37bb6630 100644 --- a/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py +++ b/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py @@ -15,6 +15,7 @@ import os import time from collections.abc import AsyncIterator +from pathlib import Path from typing import Any from ag_ui.core import ( @@ -674,6 +675,12 @@ async def _setup_platform(self) -> None: # Workspace paths cwd_path, add_dirs = resolve_workspace_paths(self._context) + + # Prodsec-skills: make security guidance available to every session + _prodsec_path = "/app/prodsec-skills" + if Path(_prodsec_path).exists() and _prodsec_path not in add_dirs: + add_dirs.append(_prodsec_path) + if add_dirs: os.environ["CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD"] = "1" diff --git a/components/runners/ambient-runner/ambient_runner/platform/prompts.py b/components/runners/ambient-runner/ambient_runner/platform/prompts.py index 7de1f8433..8b5e15a69 100644 --- a/components/runners/ambient-runner/ambient_runner/platform/prompts.py +++ b/components/runners/ambient-runner/ambient_runner/platform/prompts.py @@ -98,6 +98,22 @@ "attention.\n\n" ) +PRODSEC_SKILLS_PROMPT = ( + "## Security Skills\n" + "Product Security skills are available at `/app/prodsec-skills/skills/`. " + "When performing security-sensitive tasks (code review, writing auth/crypto/network " + "code, configuring infrastructure, auditing), read the relevant skill for guidance " + "before proceeding. Key areas:\n" + "- `secure_development/` — cryptography, web security, supply chain, MCP servers, " + "Kubernetes, API gateways, inference engines, agent security (103 skills)\n" + "- `security_testing/` — fuzzing (AFL++, libFuzzer, cargo-fuzz), static analysis " + "(Semgrep, CodeQL, SARIF) (17 skills)\n" + "- `security_auditing/` — context building, differential review, variant analysis " + "(4 skills)\n" + "- `developer_tooling/` — devcontainers, property-based testing (4 skills)\n" + "See `/app/prodsec-skills/skills/README.md` for the full index.\n\n" +) + RESTART_TOOL_DESCRIPTION = ( "Restart the Claude session to recover from issues, clear state, " "or get a fresh connection. Use this if you detect you're in a " @@ -231,6 +247,10 @@ def build_workspace_context_prompt( if os.getenv("GITLAB_TOKEN"): prompt += GITLAB_TOKEN_PROMPT + # Prodsec-skills: security guidance for every session + if Path("/app/prodsec-skills/skills").exists(): + prompt += PRODSEC_SKILLS_PROMPT + # Workflow instructions if ambient_config.get("systemPrompt"): prompt += f"## Workflow Instructions\n{ambient_config['systemPrompt']}\n\n" From 365eba7185b46d944fd078b23b7ca0789bd56324 Mon Sep 17 00:00:00 2001 From: Florencio Cano Gabarda Date: Sun, 26 Apr 2026 10:33:20 +0200 Subject: [PATCH 2/3] fix: address CodeRabbit review feedback on prodsec-skills integration - Pin prodsec-skills clone to a specific commit SHA for reproducibility and supply-chain safety (Dockerfile) - Align existence check in bridge.py to verify /app/prodsec-skills/skills directory, consistent with prompts.py - Drop hardcoded skill counts from PRODSEC_SKILLS_PROMPT to avoid drift as skills are added or removed Assisted-by: Claude Made-with: Cursor --- components/runners/ambient-runner/Dockerfile | 4 +++- .../ambient_runner/bridges/claude/bridge.py | 2 +- .../ambient-runner/ambient_runner/platform/prompts.py | 9 ++++----- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/components/runners/ambient-runner/Dockerfile b/components/runners/ambient-runner/Dockerfile index 59bd32be7..38c355bf6 100755 --- a/components/runners/ambient-runner/Dockerfile +++ b/components/runners/ambient-runner/Dockerfile @@ -47,7 +47,9 @@ RUN npm install -g @google/gemini-cli@${GEMINI_CLI_VERSION} && \ RUN curl -fsSL https://cli.coderabbit.ai/install.sh | CODERABBIT_INSTALL_DIR=/usr/local/bin sh # Install prodsec-skills (Product Security guidance available to every session) -RUN git clone --depth 1 https://github.com/RedHatProductSecurity/prodsec-skills.git /app/prodsec-skills && \ +ARG PRODSEC_SKILLS_REF=f100e15c3f560771e5ede57f7fce03dcb61512eb +RUN git clone https://github.com/RedHatProductSecurity/prodsec-skills.git /app/prodsec-skills && \ + git -C /app/prodsec-skills checkout --detach "${PRODSEC_SKILLS_REF}" && \ rm -rf /app/prodsec-skills/.git # Set environment variables diff --git a/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py b/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py index c37bb6630..44d4cba59 100644 --- a/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py +++ b/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py @@ -678,7 +678,7 @@ async def _setup_platform(self) -> None: # Prodsec-skills: make security guidance available to every session _prodsec_path = "/app/prodsec-skills" - if Path(_prodsec_path).exists() and _prodsec_path not in add_dirs: + if Path(f"{_prodsec_path}/skills").exists() and _prodsec_path not in add_dirs: add_dirs.append(_prodsec_path) if add_dirs: diff --git a/components/runners/ambient-runner/ambient_runner/platform/prompts.py b/components/runners/ambient-runner/ambient_runner/platform/prompts.py index 8b5e15a69..56aab6ffd 100644 --- a/components/runners/ambient-runner/ambient_runner/platform/prompts.py +++ b/components/runners/ambient-runner/ambient_runner/platform/prompts.py @@ -105,12 +105,11 @@ "code, configuring infrastructure, auditing), read the relevant skill for guidance " "before proceeding. Key areas:\n" "- `secure_development/` — cryptography, web security, supply chain, MCP servers, " - "Kubernetes, API gateways, inference engines, agent security (103 skills)\n" + "Kubernetes, API gateways, inference engines, agent security\n" "- `security_testing/` — fuzzing (AFL++, libFuzzer, cargo-fuzz), static analysis " - "(Semgrep, CodeQL, SARIF) (17 skills)\n" - "- `security_auditing/` — context building, differential review, variant analysis " - "(4 skills)\n" - "- `developer_tooling/` — devcontainers, property-based testing (4 skills)\n" + "(Semgrep, CodeQL, SARIF)\n" + "- `security_auditing/` — context building, differential review, variant analysis\n" + "- `developer_tooling/` — devcontainers, property-based testing\n" "See `/app/prodsec-skills/skills/README.md` for the full index.\n\n" ) From e2fcb0dc3f59fe75a2913edc2d65770d49a85740 Mon Sep 17 00:00:00 2001 From: Florencio Cano Gabarda Date: Wed, 6 May 2026 11:42:24 +0200 Subject: [PATCH 3/3] fix(runner): align prodsec-skills integration with AI Context Module layout MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The prodsec-skills repo migrated to an AI Context Module structure (ADR-0002) where skills live at module/skills//SKILL.md and module/AGENTS.md is the AI Main Spec — the correct entry point for assistants. - Bump PRODSEC_SKILLS_REF to d1b9800 (latest, includes marketplace path fix) - Point add_dirs at /app/prodsec-skills/module instead of the repo root so agents find module/AGENTS.md as the context entry point, not the contributor-facing root AGENTS.md - Update PRODSEC_SKILLS_PROMPT to reference the correct flat skill paths (module/skills//SKILL.md) and teach agents to select skills by their description field (invocation condition), not hardcoded category dirs - Update all existence checks to gate on module/skills/ consistently Assisted-by: Cursor Co-authored-by: Cursor --- components/runners/ambient-runner/Dockerfile | 2 +- .../ambient_runner/bridges/claude/bridge.py | 9 +++++---- .../ambient_runner/platform/prompts.py | 20 +++++++++---------- 3 files changed, 15 insertions(+), 16 deletions(-) diff --git a/components/runners/ambient-runner/Dockerfile b/components/runners/ambient-runner/Dockerfile index 38c355bf6..ca2c7a36a 100755 --- a/components/runners/ambient-runner/Dockerfile +++ b/components/runners/ambient-runner/Dockerfile @@ -47,7 +47,7 @@ RUN npm install -g @google/gemini-cli@${GEMINI_CLI_VERSION} && \ RUN curl -fsSL https://cli.coderabbit.ai/install.sh | CODERABBIT_INSTALL_DIR=/usr/local/bin sh # Install prodsec-skills (Product Security guidance available to every session) -ARG PRODSEC_SKILLS_REF=f100e15c3f560771e5ede57f7fce03dcb61512eb +ARG PRODSEC_SKILLS_REF=d1b9800932ca3bf5265b4bb5dccf6662000fc4c4 RUN git clone https://github.com/RedHatProductSecurity/prodsec-skills.git /app/prodsec-skills && \ git -C /app/prodsec-skills checkout --detach "${PRODSEC_SKILLS_REF}" && \ rm -rf /app/prodsec-skills/.git diff --git a/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py b/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py index 44d4cba59..49980349f 100644 --- a/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py +++ b/components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py @@ -676,10 +676,11 @@ async def _setup_platform(self) -> None: # Workspace paths cwd_path, add_dirs = resolve_workspace_paths(self._context) - # Prodsec-skills: make security guidance available to every session - _prodsec_path = "/app/prodsec-skills" - if Path(f"{_prodsec_path}/skills").exists() and _prodsec_path not in add_dirs: - add_dirs.append(_prodsec_path) + # Prodsec-skills: expose the AI Context Module (module/) so agents + # find module/AGENTS.md as the entry point, not the contributor AGENTS.md + _prodsec_module = "/app/prodsec-skills/module" + if Path(f"{_prodsec_module}/skills").exists() and _prodsec_module not in add_dirs: + add_dirs.append(_prodsec_module) if add_dirs: os.environ["CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD"] = "1" diff --git a/components/runners/ambient-runner/ambient_runner/platform/prompts.py b/components/runners/ambient-runner/ambient_runner/platform/prompts.py index 56aab6ffd..bb3c6a0e9 100644 --- a/components/runners/ambient-runner/ambient_runner/platform/prompts.py +++ b/components/runners/ambient-runner/ambient_runner/platform/prompts.py @@ -100,17 +100,15 @@ PRODSEC_SKILLS_PROMPT = ( "## Security Skills\n" - "Product Security skills are available at `/app/prodsec-skills/skills/`. " + "Product Security skills are available at `/app/prodsec-skills/module/skills/`. " + "Each skill is a directory containing a `SKILL.md` file. Choose a skill by reading " + "its `description` field — it is written as an invocation condition, not a summary. " "When performing security-sensitive tasks (code review, writing auth/crypto/network " - "code, configuring infrastructure, auditing), read the relevant skill for guidance " - "before proceeding. Key areas:\n" - "- `secure_development/` — cryptography, web security, supply chain, MCP servers, " - "Kubernetes, API gateways, inference engines, agent security\n" - "- `security_testing/` — fuzzing (AFL++, libFuzzer, cargo-fuzz), static analysis " - "(Semgrep, CodeQL, SARIF)\n" - "- `security_auditing/` — context building, differential review, variant analysis\n" - "- `developer_tooling/` — devcontainers, property-based testing\n" - "See `/app/prodsec-skills/skills/README.md` for the full index.\n\n" + "code, configuring infrastructure, auditing), read the relevant skill before " + "proceeding. Example:\n" + " `Using /app/prodsec-skills/module/skills/go-security/SKILL.md`: review this " + "handler for injection risks.\n" + "See `/app/prodsec-skills/module/AGENTS.md` for the full index and usage guide.\n\n" ) RESTART_TOOL_DESCRIPTION = ( @@ -247,7 +245,7 @@ def build_workspace_context_prompt( prompt += GITLAB_TOKEN_PROMPT # Prodsec-skills: security guidance for every session - if Path("/app/prodsec-skills/skills").exists(): + if Path("/app/prodsec-skills/module/skills").exists(): prompt += PRODSEC_SKILLS_PROMPT # Workflow instructions