Use Desktop proxy for all HTTP downloads

Updates fetch, openapi, api tools, gateway catalog, skills cache, and models.dev store to use remote.NewTransport for Desktop proxy support when downloading external content.

Assisted-By: docker-agent
Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>

Author: gtardif

pkg/gateway/catalog.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/docker/docker-agent/pkg/paths"
+	"github.com/docker/docker-agent/pkg/remote"
 )
 
 const (
@@ -166,10 +167,6 @@ func saveToDisk(path string, catalog Catalog, etag string) {
 	}
 }
 
-// catalogClient is a dedicated HTTP client for catalog fetches, isolated from
-// http.DefaultClient so that other parts of the process cannot interfere.
-var catalogClient = &http.Client{}
-
 // fetchFromNetwork fetches the catalog, using the ETag for conditional requests.
 // It returns (nil, "", nil) when the server responds with 304 Not Modified.
 func fetchFromNetwork(ctx context.Context, etag string) (Catalog, string, error) {
@@ -185,6 +182,7 @@ func fetchFromNetwork(ctx context.Context, etag string) (Catalog, string, error)
 		req.Header.Set("If-None-Match", etag)
 	}
 
+	catalogClient := &http.Client{Transport: remote.NewTransport(ctx)}
 	resp, err := catalogClient.Do(req)
 	if err != nil {
 		return nil, "", err

pkg/modelsdev/store.go

@@ -13,6 +13,8 @@ import (
 	"strings"
 	"sync"
 	"time"
+
+	"github.com/docker/docker-agent/pkg/remote"
 )
 
 const (
@@ -183,7 +185,7 @@ func fetchFromAPI(ctx context.Context, etag string) (*Database, string, error) {
 		req.Header.Set("If-None-Match", etag)
 	}
 
-	resp, err := (&http.Client{Timeout: 30 * time.Second}).Do(req)
+	resp, err := (&http.Client{Timeout: 30 * time.Second, Transport: remote.NewTransport(ctx)}).Do(req)
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to fetch from API: %w", err)
 	}

pkg/skills/cache.go

@@ -1,6 +1,7 @@
 package skills
 
 import (
+	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
@@ -13,11 +14,12 @@ import (
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/docker/docker-agent/pkg/remote"
 )
 
 type diskCache struct {
-	baseDir    string
-	httpClient *http.Client
+	baseDir string
 }
 
 type cacheMetadata struct {
@@ -29,9 +31,6 @@ type cacheMetadata struct {
 func newDiskCache(baseDir string) *diskCache {
 	return &diskCache{
 		baseDir: baseDir,
-		httpClient: &http.Client{
-			Timeout: 30 * time.Second,
-		},
 	}
 }
 
@@ -68,10 +67,14 @@ func (c *diskCache) Get(baseURL, skillName, filePath string) (string, bool) {
 
 // FetchAndStore downloads a file from the given URL and stores it in the cache.
 // It respects Cache-Control headers to determine expiry.
-func (c *diskCache) FetchAndStore(baseURL, skillName, filePath, fileURL string) (string, error) {
+func (c *diskCache) FetchAndStore(ctx context.Context, baseURL, skillName, filePath, fileURL string) (string, error) {
 	slog.Debug("Fetching remote skill file", "url", fileURL)
 
-	resp, err := c.httpClient.Get(fileURL)
+	httpClient := &http.Client{
+		Timeout:   30 * time.Second,
+		Transport: remote.NewTransport(ctx),
+	}
+	resp, err := httpClient.Get(fileURL)
 	if err != nil {
 		return "", fmt.Errorf("fetching %s: %w", fileURL, err)
 	}

pkg/skills/cache_test.go

@@ -22,7 +22,7 @@ func TestDiskCache_FetchAndStore(t *testing.T) {
 
 	cache := newDiskCache(t.TempDir())
 
-	content, err := cache.FetchAndStore("https://example.com", "my-skill", "SKILL.md", srv.URL+"/SKILL.md")
+	content, err := cache.FetchAndStore(t.Context(), "https://example.com", "my-skill", "SKILL.md", srv.URL+"/SKILL.md")
 	require.NoError(t, err)
 	assert.Equal(t, "file content", content)
 
@@ -54,7 +54,7 @@ func TestDiskCache_Get_Cached(t *testing.T) {
 
 	cache := newDiskCache(t.TempDir())
 
-	_, err := cache.FetchAndStore("https://example.com", "skill", "SKILL.md", srv.URL+"/SKILL.md")
+	_, err := cache.FetchAndStore(t.Context(), "https://example.com", "skill", "SKILL.md", srv.URL+"/SKILL.md")
 	require.NoError(t, err)
 
 	content, ok := cache.Get("https://example.com", "skill", "SKILL.md")
@@ -71,7 +71,7 @@ func TestDiskCache_Get_Expired(t *testing.T) {
 
 	cache := newDiskCache(t.TempDir())
 
-	_, err := cache.FetchAndStore("https://example.com", "skill", "SKILL.md", srv.URL+"/SKILL.md")
+	_, err := cache.FetchAndStore(t.Context(), "https://example.com", "skill", "SKILL.md", srv.URL+"/SKILL.md")
 	require.NoError(t, err)
 
 	// The max-age=0 should make it immediately expired
@@ -87,7 +87,7 @@ func TestDiskCache_NestedFiles(t *testing.T) {
 
 	cache := newDiskCache(t.TempDir())
 
-	content, err := cache.FetchAndStore("https://example.com", "my-skill", "references/FORMS.md", srv.URL+"/file")
+	content, err := cache.FetchAndStore(t.Context(), "https://example.com", "my-skill", "references/FORMS.md", srv.URL+"/file")
 	require.NoError(t, err)
 	assert.Equal(t, "nested file content", content)
 
@@ -152,7 +152,7 @@ func TestDiskCache_HTTPError(t *testing.T) {
 
 	cache := newDiskCache(t.TempDir())
 
-	_, err := cache.FetchAndStore("https://example.com", "skill", "SKILL.md", srv.URL+"/notfound")
+	_, err := cache.FetchAndStore(t.Context(), "https://example.com", "skill", "SKILL.md", srv.URL+"/notfound")
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "HTTP 404")
 }

pkg/skills/remote.go

@@ -1,6 +1,7 @@
 package skills
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -11,6 +12,7 @@ import (
 	"time"
 
 	"github.com/docker/docker-agent/pkg/paths"
+	"github.com/docker/docker-agent/pkg/remote"
 )
 
 // remoteIndex represents the index.json served at /.well-known/skills/index.json
@@ -24,10 +26,6 @@ type remoteSkillEntry struct {
 	Files       []string `json:"files"`
 }
 
-var defaultHTTPClient = &http.Client{
-	Timeout: 30 * time.Second,
-}
-
 func defaultCache() *diskCache {
 	return newDiskCache(filepath.Join(paths.GetCacheDir(), "skills"))
 }
@@ -37,16 +35,20 @@ func defaultCache() *diskCache {
 // into a disk cache so the agent can read them without network requests during
 // task execution.
 func loadRemoteSkills(baseURL string) []Skill {
-	return loadRemoteSkillsWithCache(baseURL, defaultCache())
+	return loadRemoteSkillsWithCache(context.Background(), baseURL, defaultCache())
 }
 
-func loadRemoteSkillsWithCache(baseURL string, cache *diskCache) []Skill {
+func loadRemoteSkillsWithCache(ctx context.Context, baseURL string, cache *diskCache) []Skill {
 	baseURL = strings.TrimRight(baseURL, "/")
 	indexURL := baseURL + "/.well-known/skills/index.json"
 
 	slog.Debug("Fetching remote skills index", "url", indexURL)
 
-	resp, err := defaultHTTPClient.Get(indexURL)
+	httpClient := &http.Client{
+		Timeout:   30 * time.Second,
+		Transport: remote.NewTransport(ctx),
+	}
+	resp, err := httpClient.Get(indexURL)
 	if err != nil {
 		slog.Warn("Failed to fetch remote skills index", "url", indexURL, "error", err)
 		return nil
@@ -77,7 +79,7 @@ func loadRemoteSkillsWithCache(baseURL string, cache *diskCache) []Skill {
 		}
 
 		cacheDir := cache.cacheDir(baseURL, entry.Name)
-		prefetchFiles(cache, baseURL, entry.Name, entry.Files)
+		prefetchFiles(ctx, cache, baseURL, entry.Name, entry.Files)
 
 		skill := Skill{
 			Name:        entry.Name,
@@ -96,7 +98,7 @@ func loadRemoteSkillsWithCache(baseURL string, cache *diskCache) []Skill {
 // prefetchFiles downloads all files listed in the index for a skill,
 // storing them in the disk cache. Files already in cache (and not expired)
 // are skipped.
-func prefetchFiles(cache *diskCache, baseURL, skillName string, files []string) {
+func prefetchFiles(ctx context.Context, cache *diskCache, baseURL, skillName string, files []string) {
 	for _, file := range files {
 		if !isValidFilePath(file) {
 			slog.Debug("Skipping invalid file path in skill", "skill", skillName, "file", file)
@@ -108,7 +110,7 @@ func prefetchFiles(cache *diskCache, baseURL, skillName string, files []string)
 		}
 
 		fileURL := fmt.Sprintf("%s/.well-known/skills/%s/%s", baseURL, skillName, file)
-		if _, err := cache.FetchAndStore(baseURL, skillName, file, fileURL); err != nil {
+		if _, err := cache.FetchAndStore(ctx, baseURL, skillName, file, fileURL); err != nil {
 			slog.Warn("Failed to prefetch skill file", "skill", skillName, "file", file, "error", err)
 		}
 	}

pkg/skills/remote_test.go

@@ -47,7 +47,7 @@ func TestLoadRemoteSkills(t *testing.T) {
 
 		cacheDir := t.TempDir()
 		cache := newDiskCache(cacheDir)
-		skills := loadRemoteSkillsWithCache(srv.URL, cache)
+		skills := loadRemoteSkillsWithCache(t.Context(), srv.URL, cache)
 
 		require.Len(t, skills, 2)
 
@@ -84,7 +84,7 @@ func TestLoadRemoteSkills(t *testing.T) {
 		defer srv.Close()
 
 		cache := newDiskCache(t.TempDir())
-		skills := loadRemoteSkillsWithCache(srv.URL+"/", cache)
+		skills := loadRemoteSkillsWithCache(t.Context(), srv.URL+"/", cache)
 		require.Len(t, skills, 1)
 
 		content, err := os.ReadFile(skills[0].FilePath)
@@ -99,7 +99,7 @@ func TestLoadRemoteSkills(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		skills := loadRemoteSkillsWithCache(srv.URL, newDiskCache(t.TempDir()))
+		skills := loadRemoteSkillsWithCache(t.Context(), srv.URL, newDiskCache(t.TempDir()))
 		assert.Empty(t, skills)
 	})
 
@@ -110,7 +110,7 @@ func TestLoadRemoteSkills(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		skills := loadRemoteSkillsWithCache(srv.URL, newDiskCache(t.TempDir()))
+		skills := loadRemoteSkillsWithCache(t.Context(), srv.URL, newDiskCache(t.TempDir()))
 		assert.Empty(t, skills)
 	})
 
@@ -121,15 +121,15 @@ func TestLoadRemoteSkills(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		skills := loadRemoteSkillsWithCache(srv.URL, newDiskCache(t.TempDir()))
+		skills := loadRemoteSkillsWithCache(t.Context(), srv.URL, newDiskCache(t.TempDir()))
 		assert.Empty(t, skills)
 	})
 
 	t.Run("server returns 404", func(t *testing.T) {
 		srv := httptest.NewServer(http.NotFoundHandler())
 		defer srv.Close()
 
-		skills := loadRemoteSkillsWithCache(srv.URL, newDiskCache(t.TempDir()))
+		skills := loadRemoteSkillsWithCache(t.Context(), srv.URL, newDiskCache(t.TempDir()))
 		assert.Empty(t, skills)
 	})
 
@@ -139,12 +139,12 @@ func TestLoadRemoteSkills(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		skills := loadRemoteSkillsWithCache(srv.URL, newDiskCache(t.TempDir()))
+		skills := loadRemoteSkillsWithCache(t.Context(), srv.URL, newDiskCache(t.TempDir()))
 		assert.Empty(t, skills)
 	})
 
 	t.Run("unreachable server", func(t *testing.T) {
-		skills := loadRemoteSkillsWithCache("http://127.0.0.1:1", newDiskCache(t.TempDir()))
+		skills := loadRemoteSkillsWithCache(t.Context(), "http://127.0.0.1:1", newDiskCache(t.TempDir()))
 		assert.Empty(t, skills)
 	})
 
@@ -168,12 +168,12 @@ func TestLoadRemoteSkills(t *testing.T) {
 		cache := newDiskCache(t.TempDir())
 
 		// First load
-		skills1 := loadRemoteSkillsWithCache(srv.URL, cache)
+		skills1 := loadRemoteSkillsWithCache(t.Context(), srv.URL, cache)
 		require.Len(t, skills1, 1)
 		assert.Equal(t, 2, fetchCount) // index.json + SKILL.md
 
 		// Second load — SKILL.md should be cached
-		skills2 := loadRemoteSkillsWithCache(srv.URL, cache)
+		skills2 := loadRemoteSkillsWithCache(t.Context(), srv.URL, cache)
 		require.Len(t, skills2, 1)
 		assert.Equal(t, 3, fetchCount) // only index.json re-fetched, SKILL.md from cache
 	})
@@ -193,7 +193,7 @@ func TestLoadRemoteSkills(t *testing.T) {
 		defer srv.Close()
 
 		cache := newDiskCache(t.TempDir())
-		skills := loadRemoteSkillsWithCache(srv.URL, cache)
+		skills := loadRemoteSkillsWithCache(t.Context(), srv.URL, cache)
 		require.Len(t, skills, 1)
 		// Only SKILL.md should have been fetched, not the malicious paths
 	})

pkg/tools/builtin/api.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/docker/docker-agent/pkg/config/latest"
 	"github.com/docker/docker-agent/pkg/js"
+	"github.com/docker/docker-agent/pkg/remote"
 	"github.com/docker/docker-agent/pkg/tools"
 )
 
@@ -30,7 +31,8 @@ var (
 
 func (t *APITool) callTool(ctx context.Context, toolCall tools.ToolCall) (*tools.ToolCallResult, error) {
 	client := &http.Client{
-		Timeout: 30 * time.Second,
+		Timeout:   30 * time.Second,
+		Transport: remote.NewTransport(ctx),
 	}
 
 	endpoint := t.config.Endpoint

pkg/tools/builtin/fetch.go

@@ -14,6 +14,7 @@ import (
 	"github.com/k3a/html2text"
 	"github.com/temoto/robotstxt"
 
+	"github.com/docker/docker-agent/pkg/remote"
 	"github.com/docker/docker-agent/pkg/tools"
 	"github.com/docker/docker-agent/pkg/useragent"
 )
@@ -49,7 +50,8 @@ func (h *fetchHandler) CallTool(ctx context.Context, params FetchToolArgs) (*too
 
 	// Set timeout if specified
 	client := &http.Client{
-		Timeout: h.timeout,
+		Timeout:   h.timeout,
+		Transport: remote.NewTransport(ctx),
 	}
 	if params.Timeout > 0 {
 		client.Timeout = time.Duration(params.Timeout) * time.Second

pkg/tools/builtin/openapi.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/getkin/kin-openapi/openapi3"
 
+	"github.com/docker/docker-agent/pkg/remote"
 	"github.com/docker/docker-agent/pkg/tools"
 	"github.com/docker/docker-agent/pkg/upstream"
 	"github.com/docker/docker-agent/pkg/useragent"
@@ -70,7 +71,7 @@ func (t *OpenAPITool) fetchSpec(ctx context.Context) (*openapi3.T, error) {
 	req.Header.Set("Accept", "application/json")
 	setHeaders(req, t.headers)
 
-	resp, err := (&http.Client{Timeout: httpTimeout}).Do(req)
+	resp, err := (&http.Client{Timeout: httpTimeout, Transport: remote.NewTransport(ctx)}).Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("request failed: %w", err)
 	}
@@ -398,7 +399,7 @@ func (h *openAPIHandler) callTool(ctx context.Context, params openAPICallArgs) (
 	req.Header.Set("Accept", "application/json")
 	setHeaders(req, h.headers)
 
-	resp, err := (&http.Client{Timeout: httpTimeout}).Do(req)
+	resp, err := (&http.Client{Timeout: httpTimeout, Transport: remote.NewTransport(ctx)}).Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("request failed: %w", err)
 	}