[Bug]: SSH_AUTH_SOCK is possibly not being passed to Dagger sessions

[terpasaurus-midwest]

What happened?

When working with an AI agent on a local Git repo that has a submodule pointing to a remote repository that requires SSH authentication, the resulting Dagger session does not have access to the host's SSH socket.

It appears here is where Dagger is invoked during the above, and I think during the Tree() call is when something tries to initialized the submodules. During this process the ssh agent socket at SSH_AUTH_SOCK on the host has the required key loaded. But the environment creation fails when git tries to do an SSH call to the remote and can't find any credentials.

Originally, I thought the issue was on Dagger's side, but after opening an issue there, I don't think that's the case. I can't find anywhere container-use code accesses the host's SSH_AUTH_SOCK environment variable or configures the Dagger session to use it when it invokes Dagger.

This may be related to #161 but the specifics of our reports are quite different, so I felt it worth posting. I'm willing to dig into the code more and contribute an MR or help get an existing one to the finish line if that existing submodules branch is still valid and worth forking.

Version

container-use version 0.4.1
commit: 71346865565c2a0d9dd92350ed30c86ed73e43b9
built: 2025-08-01T18:32:52Z

Logs

[cwlbraa]

This is a complex issue -- is your goal here just to provide your agent with the submodule dependency associated with the repo? I think that is feasible in the short term (I have a very rough prototype of submodule support in #233)...

downstream of that basic read-only support though there are a few more complex issues:

1. currently, inside the container the agent doesn't actually have the repo's .git -- it can't commit, pull, view logs, submodule update, etc - we manage all those things automatically on the host. eventually I'd like to fix this, but for now the submodule approach would be to mount the submodule code into the container from the correct ref and try to make it un-editable (because exporting it opens another can of worms)
2. if we can have that basic "give me the correct code" support, i think it may not be desirable to have the SSH_AUTH_SOCK provided to the container, right? the keys on those sockets often have R/W access to credentials, and many agents are prone to indirect prompt injections.

so circling back to my original question: would it work for you if we just got your submodule code into the container so your project has access to all it's dependencies?

[terpasaurus-midwest]

would it work for you if we just got your submodule code into the container so your project has access to all it's dependencies?

For my use case, that would work. Locally, the submodule has already been initialized. So, the main git repo and the submodule code is there already on my host. In fact, for this specific use case, I don't care about this submodule. So even an option to tell something to ignore or not try to initialize it would also work for me. Though, I suspect others will need either real submodule initialization or at least the ability to use locallly initialized code in the resulting env.

My totally ignorant assumption (having no deep understanding yet of the Container Use and Dagger code) was the local repo + submodule code would just get mounted into a Dagger container. So, the submodule initialization during the env creation, and the need for SSH access within the engine or container was a bit of a surprise to me.

[cwlbraa]

My totally ignorant assumption (having no deep understanding yet of the Container Use and Dagger code) was the local repo + submodule code would just get mounted into a Dagger container.

It does get mounted in a way, but from a local-filesystem "fork repo" we maintain on the host -- this is a big part of the magic behind how we get all the agent's changes into git :)

https://github.com/dagger/container-use/blob/main/environment/README.md explains how the setup works and why

[cwlbraa]

fyi i am working on submodule support right now, it's harder than it sounds, unfortunately :(