fix(go-adk): resolve merge conflict with main in bedrock.go

main removed TopK as a standalone field (it now goes through
AdditionalModelRequestFields) and dropped reverseNameMap from the
generate functions. This branch needs reverseNameMap for tool name
sanitization, so both additionalFields and reverseNameMap are kept
in generateStreaming and generateNonStreaming. Duplicate declarations
introduced during the merge are removed.

Signed-off-by: mesutoezdil <mesudozdil@gmail.com>

Author: mesutoezdil

.github/dependabot.yml

@@ -80,35 +80,6 @@ updates:
           - "minor"
           - "patch"
 
-  # Python (uv) — sample applications
-  - package-ecosystem: "uv"
-    directories:
-      - "/python/samples/adk/basic"
-      - "/python/samples/openai/basic_agent"
-      - "/python/samples/crewai/poem_flow"
-      - "/python/samples/crewai/research-crew"
-      - "/python/samples/langgraph/currency"
-      - "/go/core/test/e2e/agents/kebab"
-    schedule:
-      interval: "weekly"
-      day: "monday"
-    open-pull-requests-limit: 5
-    labels:
-      - "dependencies"
-    commit-message:
-      prefix: "chore(deps):"
-    reviewers:
-      - "EItanya"
-      - "peterj"
-      - "yuval-k"
-    groups:
-      samples-minor-patch:
-        patterns:
-          - "*"
-        update-types:
-          - "minor"
-          - "patch"
-
   # npm — Next.js UI
   - package-ecosystem: "npm"
     directory: "/ui"
@@ -158,32 +129,3 @@ updates:
         update-types:
           - "minor"
           - "patch"
-
-  # Docker — sample and test images
-  - package-ecosystem: "docker"
-    directories:
-      - "/python/samples/adk/basic"
-      - "/python/samples/openai/basic_agent"
-      - "/python/samples/crewai/poem_flow"
-      - "/python/samples/crewai/research-crew"
-      - "/python/samples/langgraph/currency"
-      - "/go/core/test/e2e/agents/kebab"
-    schedule:
-      interval: "weekly"
-      day: "monday"
-    open-pull-requests-limit: 5
-    labels:
-      - "dependencies"
-    commit-message:
-      prefix: "chore(deps):"
-    reviewers:
-      - "EItanya"
-      - "peterj"
-      - "yuval-k"
-    groups:
-      docker-samples-minor-patch:
-        patterns:
-          - "*"
-        update-types:
-          - "minor"
-          - "patch"

.github/workflows/ci.yaml

@@ -43,6 +43,13 @@ jobs:
         uses: actions/checkout@v6
       - name: Initialize Environment
         uses: ./.github/actions/initialize-environment
+      - name: Allow unprivileged user namespaces
+        # Ubuntu 24.04 (ubuntu-latest) enables AppArmor-based restrictions on
+        # unprivileged user namespaces by default, which causes bubblewrap
+        # to fail with EPERM on unshare(CLONE_NEWUSER)
+        # See https://github.com/openai/codex/issues/14919
+        run: |
+          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v4
         with:
@@ -195,6 +202,7 @@ jobs:
       - name: Run helm unit tests
         run: |
           helm unittest helm/kagent
+          helm unittest helm/tools/querydoc
 
   ui-tests:
     runs-on: ubuntu-latest

.github/workflows/image-scan.yaml

@@ -25,13 +25,25 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        image:
-          - controller
-          - ui
-          - app
-          - skills-init
-          - golang-adk
-          - golang-adk-full
+        include:
+          - build_target: controller
+            image_name: controller
+            tag_suffix: ""
+          - build_target: ui
+            image_name: ui
+            tag_suffix: ""
+          - build_target: app
+            image_name: app
+            tag_suffix: ""
+          - build_target: skills-init
+            image_name: skills-init
+            tag_suffix: ""
+          - build_target: golang-adk
+            image_name: golang-adk
+            tag_suffix: ""
+          - build_target: golang-adk-full
+            image_name: golang-adk
+            tag_suffix: "-full"
     runs-on: ubuntu-latest
     services:
       registry:
@@ -67,15 +79,12 @@ jobs:
             --push
         run: |
           export VERSION=${{ steps.vars.outputs.version }}
-          make build-${{ matrix.image }}
+          make build-${{ matrix.build_target }}
         working-directory: ./
-      - name: Load image versions
-        id: image-versions
-        run: make build-img-versions
       - name: Image vulnerability scanner
         uses: aquasecurity/trivy-action@0.35.0
         with:
-          image-ref: localhost:5001/kagent-dev/kagent/${{ matrix.image }}:${{ steps.vars.outputs.version }}
+          image-ref: localhost:5001/kagent-dev/kagent/${{ matrix.image_name }}:${{ steps.vars.outputs.version }}${{ matrix.tag_suffix }}
           severity: 'CRITICAL,HIGH'
           ignore-unfixed: true
           exit-code: '1'

CODEOWNERS

@@ -1,5 +1,8 @@
 /*      @EItanya @peterj @ilackarms @yuval-k
-python/ @EItanya @peterj @yuval-k
+python/ @EItanya @peterj @yuval-k @supreme-gg-gg @iplay88keys @jmhbh
 go/     @EItanya @ilackarms @yuval-k
 ui/     @peterj
-helm/   @EItanya @ilackarms @yuval-k
+helm/   @EItanya @ilackarms @yuval-k @supreme-gg-gg @iplay88keys @jmhbh
+go/adk/ @supreme-gg-gg
+go/core/ @supreme-gg-gg @iplay88keys @jmhbh
+go/api/ @supreme-gg-gg @iplay88keys @jmhbh

docker/skills-init/Dockerfile

@@ -14,5 +14,17 @@ RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /build/krane .
 
 FROM alpine:3.23
 
+ARG PYTHON_UID=1001
+ARG PYTHON_GID=1001
+
 RUN apk upgrade --no-cache && apk add --no-cache git
 COPY --from=krane-builder /build/krane /usr/local/bin/krane
+
+# Run as the same UID/GID as the main agent container (python user) so that
+# files written to the shared /skills volume are readable by the main container.
+# Keep these defaults aligned with the canonical main agent image definition
+# (for example, python/Dockerfile) to avoid UID/GID drift across images.
+RUN addgroup -g ${PYTHON_GID} pythongroup && \
+    adduser -u ${PYTHON_UID} -G pythongroup -s /bin/sh -D python
+
+USER ${PYTHON_UID}:${PYTHON_GID}

go/Dockerfile.full

@@ -29,12 +29,13 @@ RUN --mount=type=cache,target=/var/cache/apk,rw \
     apk add --no-cache \
     bash git ca-certificates nodejs npm node-gyp bubblewrap python-${TOOLS_PYTHON_VERSION} libstdc++
 
+# Keep the pinned sandbox-runtime revision, but replace its vulnerable locked lodash-es version.
 RUN --mount=type=cache,target=/root/.npm \
     mkdir -p /opt && \
     cd /opt && \
     git clone --depth 1 --revision=ef4afdef4d711ba21a507d7f7369e305f7d3dbfa https://github.com/anthropic-experimental/sandbox-runtime.git && \
     cd sandbox-runtime && \
-    npm install && \
+    npm install --save-exact lodash-es@4.18.1 @types/lodash-es@4.17.12 && \
     npm run build && \
     npm prune --omit=dev
 
@@ -45,11 +46,6 @@ RUN --mount=type=cache,target=/var/cache/apk,rw \
     apk add --no-cache \
     bash ca-certificates curl nodejs bubblewrap socat python-${TOOLS_PYTHON_VERSION} ripgrep libstdc++
 
-# Make bwrap setuid-root so it can create user/network namespaces when invoked
-# by non-root users on hosts with kernel.apparmor_restrict_unprivileged_userns=1
-# (Ubuntu 23.10+). See https://github.com/openai/codex/issues/14919
-RUN chmod u+s /usr/bin/bwrap
-
 RUN addgroup -g 1001 goagent && \
     adduser -u 1001 -G goagent -s /bin/bash -D goagent
 

go/adk/pkg/agent/agent.go

@@ -285,9 +285,10 @@ func CreateLLM(ctx context.Context, m adk.Model, log logr.Logger) (adkmodel.LLM,
 		}
 		// Use Bedrock Converse API for ALL models (including Anthropic)
 		cfg := &models.BedrockConfig{
-			TransportConfig: transportConfigFromBase(m.BaseModel, nil),
-			Model:           modelName,
-			Region:          region,
+			TransportConfig:              transportConfigFromBase(m.BaseModel, nil),
+			Model:                        modelName,
+			Region:                       region,
+			AdditionalModelRequestFields: m.AdditionalModelRequestFields,
 		}
 		return models.NewBedrockModelWithLogger(ctx, cfg, log)
 

go/adk/pkg/models/bedrock.go

@@ -76,7 +76,6 @@ type BedrockConfig struct {
 	MaxTokens                    *int
 	Temperature                  *float64
 	TopP                         *float64
-	TopK                         *int
 	AdditionalModelRequestFields map[string]any
 }
 
@@ -208,6 +207,17 @@ func (m *BedrockModel) GenerateContent(ctx context.Context, req *model.LLMReques
 	}
 }
 
+// buildAdditionalModelRequestFields returns a document.Interface containing
+// model-specific parameters that are not part of InferenceConfiguration.
+// The raw map is forwarded as-is to the Bedrock Converse API.
+// Returns nil when no extra fields are configured.
+func (m *BedrockModel) buildAdditionalModelRequestFields() document.Interface {
+	if len(m.Config.AdditionalModelRequestFields) == 0 {
+		return nil
+	}
+	return document.NewLazyDocument(m.Config.AdditionalModelRequestFields)
+}
+
 // generateStreaming handles streaming responses from Bedrock ConverseStream.
 // It properly handles both text and tool use content blocks during streaming.
 // reverseNameMap maps sanitized Bedrock tool names back to their original names.
@@ -369,16 +379,6 @@ func (tc *streamingToolCall) parseArgs() map[string]any {
 	return args
 }
 
-// buildAdditionalModelRequestFields returns a document.Interface containing
-// model-specific parameters that are not part of InferenceConfiguration.
-// Returns nil when no extra fields are configured.
-func (m *BedrockModel) buildAdditionalModelRequestFields() document.Interface {
-	if len(m.Config.AdditionalModelRequestFields) == 0 {
-		return nil
-	}
-	return document.NewLazyDocument(m.Config.AdditionalModelRequestFields)
-}
-
 // generateNonStreaming handles non-streaming responses from Bedrock Converse.
 // reverseNameMap maps sanitized Bedrock tool names back to their original names.
 func (m *BedrockModel) generateNonStreaming(ctx context.Context, modelId string, messages []types.Message, systemPrompt []types.SystemContentBlock, inferenceConfig *types.InferenceConfiguration, toolConfig *types.ToolConfiguration, additionalFields document.Interface, reverseNameMap map[string]string, yield func(*model.LLMResponse, error) bool) {

go/api/adk/types.go

@@ -247,6 +247,10 @@ type Bedrock struct {
 	BaseModel
 	// Region is the AWS region where the model is available
 	Region string `json:"region,omitempty"`
+	// AdditionalModelRequestFields passes model-specific parameters to Bedrock's
+	// additionalModelRequestFields in the Converse API. Use this for provider-specific
+	// options outside the standard InferenceConfiguration block.
+	AdditionalModelRequestFields map[string]any `json:"additional_model_request_fields,omitempty"`
 }
 
 func (b *Bedrock) MarshalJSON() ([]byte, error) {

go/api/config/crd/bases/kagent.dev_agents.yaml

@@ -10216,8 +10216,10 @@ spec:
                         skills from.
                       properties:
                         name:
-                          description: Name for the skill directory under /skills.
-                            Defaults to the repo name.
+                          description: |-
+                            Name for the skill directory under /skills. If omitted, defaults to the last
+                            segment of Path when Path is set; otherwise defaults to the repo name (last
+                            URL path segment, without .git).
                           type: string
                         path:
                           description: Subdirectory within the repo to use as the