docker · dgageot · May 18, 2026 · May 13, 2026 · May 13, 2026 · May 13, 2026
@@ -0,0 +1,37 @@
+package desktop
+
+import (
+	"context"
+	"time"
+
+	"github.com/kofalt/go-memoize"
+)
+
+// versionMemoizer caches the Docker Desktop version lookup with a TTL so:
+//   - if docker-agent starts before Desktop is ready, version detection
+//     recovers automatically once Desktop comes up;
+//   - if Desktop is upgraded mid-session, the new version is picked up
+//     within at most one TTL.
+var versionMemoizer = memoize.NewMemoizer(5*time.Minute, 10*time.Minute)
+
+// GetVersion returns the running Docker Desktop version (e.g. "4.74.0") or
+// an empty string if Docker Desktop is not running or the call fails.
+//
+// The lookup is bounded by a short internal timeout so a stale or missing
+// backend socket cannot stall callers on hot paths (it is queried on every
+// outbound built-in tool HTTP request). ctx is used for the underlying
+// HTTP call on a cache miss; on a cache hit the cached value is returned
+// without consulting ctx.
+func GetVersion(ctx context.Context) string {
+	v, _, _ := memoize.Call(versionMemoizer, "desktopVersion", func() (string, error) {
+		ctx, cancel := context.WithTimeout(ctx, 2*time.Second)
+		defer cancel()
+
+		var info struct {
+			CurrentVersion string `json:"currentVersion"`
+		}
+		_ = ClientBackend.Get(ctx, "/update", &info)
+		return info.CurrentVersion, nil
+	})
+	return v
+}
@@ -149,7 +149,7 @@ func (t *Tool) Tools(context.Context) ([]tools.Tool, error) {
 }
 
 func setHeaders(req *http.Request, headers map[string]string) {
-	req.Header.Set("User-Agent", useragent.Header)
+	useragent.SetIdentity(req)
 	for k, v := range upstream.ResolveHeaders(req.Context(), headers) {
 		req.Header.Set(k, v)
 	}

@@ -14,6 +14,8 @@ import (
 	"github.com/docker/docker-agent/pkg/config/latest"
 	"github.com/docker/docker-agent/pkg/js"
 	"github.com/docker/docker-agent/pkg/tools"
+	"github.com/docker/docker-agent/pkg/useragent"
+	"github.com/docker/docker-agent/pkg/version"
 )
 
 // newAPIToolForTest constructs an APITool that bypasses SSRF dial-time
@@ -133,6 +135,26 @@ func TestAPITool_Headers(t *testing.T) {
 	assert.Equal(t, "another-value", ts.receivedHeaders.Get("X-Another-Header"))
 }
 
+// TestAPITool_IdentityHeaders pins the docker-agent identity headers that
+// every built-in tool sends so backends can attribute traffic to a specific
+// docker-agent install. X-Docker-Desktop-Version is only present when
+// Docker Desktop is reachable, so we accept its absence.
+func TestAPITool_IdentityHeaders(t *testing.T) {
+	t.Parallel()
+	ts := getTestServer(t)
+
+	tool := newAPIToolForTest(latest.APIToolConfig{
+		Method:   http.MethodGet,
+		Endpoint: ts.serverURL,
+	}, testExpander())
+
+	_, err := tool.callTool(t.Context(), tools.ToolCall{})
+	require.NoError(t, err)
+
+	assert.Equal(t, useragent.Header, ts.receivedHeaders.Get("User-Agent"))
+	assert.Equal(t, version.Version, ts.receivedHeaders.Get(useragent.HeaderAgentVersion))
+}
+
 func TestAPITool_DefaultOutputSchema(t *testing.T) {
 	t.Parallel()
 

@@ -163,7 +163,7 @@ func (h *fetchHandler) fetchURL(ctx context.Context, client *http.Client, urlStr
 	robots, cached := robotsCache[host]
 	if !cached {
 		var err error
-		robots, err = h.fetchRobots(ctx, client, parsedURL, useragent.Header)
+		robots, err = h.fetchRobots(ctx, client, parsedURL)
 		if err != nil {
 			result.Error = fmt.Sprintf("robots.txt check failed: %v", err)
 			return result
@@ -183,8 +183,8 @@ func (h *fetchHandler) fetchURL(ctx context.Context, client *http.Client, urlStr
 		result.Error = fmt.Sprintf("failed to create request: %v", err)
 		return result
 	}
-	req.Header.Set("User-Agent", useragent.Header)
 	req.Header.Set("Accept", fmtHandler.accept)
+	useragent.SetIdentity(req)
 	// Apply caller-configured headers last so an operator-supplied
 	// Authorization, User-Agent, Accept, ... wins over the defaults set above.
 	for k, v := range h.headers {
@@ -233,7 +233,7 @@ func (h *fetchHandler) fetchURL(ctx context.Context, client *http.Client, urlStr
 //   - caller-supplied headers (Authorization, X-Api-Key, ...) are stripped
 //     when crossing host boundaries, so credentials never leak to a
 //     third-party host that handles a robots.txt redirect.
-func (h *fetchHandler) fetchRobots(ctx context.Context, client *http.Client, targetURL *url.URL, userAgent string) (*robotstxt.RobotsData, error) {
+func (h *fetchHandler) fetchRobots(ctx context.Context, client *http.Client, targetURL *url.URL) (*robotstxt.RobotsData, error) {
 	// Build robots.txt URL
 	robotsURL := &url.URL{
 		Scheme: targetURL.Scheme,
@@ -248,7 +248,7 @@ func (h *fetchHandler) fetchRobots(ctx context.Context, client *http.Client, tar
 		return nil, nil
 	}
 
-	req.Header.Set("User-Agent", userAgent)
+	useragent.SetIdentity(req)
 	// Apply custom headers to robots.txt requests too, so authenticated
 	// endpoints that also protect robots.txt work correctly. Cross-host
 	// leaks are prevented by the shared client's CheckRedirect.

@@ -13,6 +13,8 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/docker/docker-agent/pkg/tools"
+	"github.com/docker/docker-agent/pkg/useragent"
+	"github.com/docker/docker-agent/pkg/version"
 )
 
 // newFetchToolForTest constructs a FetchTool that bypasses SSRF dial-time
@@ -438,14 +440,16 @@ func TestFetchTool_WithHeadersOption(t *testing.T) {
 }
 
 func TestFetch_Headers_SentOnRequest(t *testing.T) {
-	var gotAuthorization, gotAPIKey string
+	var gotAuthorization, gotAPIKey, gotUserAgent, gotAgentVersion string
 	url := runHTTPServer(t, func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path == "/robots.txt" {
 			http.NotFound(w, r)
 			return
 		}
 		gotAuthorization = r.Header.Get("Authorization")
 		gotAPIKey = r.Header.Get("X-Api-Key")
+		gotUserAgent = r.Header.Get("User-Agent")
+		gotAgentVersion = r.Header.Get(useragent.HeaderAgentVersion)
 		w.Header().Set("Content-Type", "text/plain")
 		fmt.Fprint(w, "ok")
 	})
@@ -463,6 +467,8 @@ func TestFetch_Headers_SentOnRequest(t *testing.T) {
 	assert.Contains(t, result.Output, "Successfully fetched")
 	assert.Equal(t, "Bearer secret-token", gotAuthorization)
 	assert.Equal(t, "key-123", gotAPIKey)
+	assert.Equal(t, useragent.Header, gotUserAgent)
+	assert.Equal(t, version.Version, gotAgentVersion)
 }
 
 // TestFetch_Headers_OverrideDefaults pins the precedence rule: caller-supplied

@@ -382,11 +382,12 @@ func sanitizeToolName(name string) string {
 	return name
 }
 
-// setHeaders sets the User-Agent and custom headers on an HTTP request.
-// Header values may contain ${headers.NAME} placeholders that are resolved
-// from upstream headers stored in the request context.
+// setHeaders sets identity headers (User-Agent, X-Docker-Agent-Version,
+// X-Docker-Desktop-Version) plus any operator-supplied custom headers on
+// an HTTP request. Header values may contain ${headers.NAME} placeholders
+// that are resolved from upstream headers stored in the request context.
 func setHeaders(req *http.Request, headers map[string]string) {
-	req.Header.Set("User-Agent", useragent.Header)
+	useragent.SetIdentity(req)
 	for k, v := range upstream.ResolveHeaders(req.Context(), headers) {
 		req.Header.Set(k, v)
 	}

@@ -11,6 +11,8 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/docker/docker-agent/pkg/tools"
+	"github.com/docker/docker-agent/pkg/useragent"
+	"github.com/docker/docker-agent/pkg/version"
 )
 
 // newOpenAPIToolForTest constructs an OpenAPITool that bypasses SSRF
@@ -342,6 +344,8 @@ func TestOpenAPITool_CustomHeaders(t *testing.T) {
 
 	assert.Equal(t, "Bearer test-token", receivedHeaders.Get("Authorization"))
 	assert.Equal(t, "custom-value", receivedHeaders.Get("X-Custom"))
+	assert.Equal(t, useragent.Header, receivedHeaders.Get("User-Agent"))
+	assert.Equal(t, version.Version, receivedHeaders.Get(useragent.HeaderAgentVersion))
 }
 
 func TestOpenAPITool_ErrorResponse(t *testing.T) {

@@ -1,10 +1,35 @@
+// Package useragent centralizes the HTTP identity headers that built-in
+// tools (api, fetch, openapi, ...) attach to every outbound request.
 package useragent
 
 import (
 	"fmt"
+	"net/http"
 	"runtime"
 
+	"github.com/docker/docker-agent/pkg/desktop"
 	"github.com/docker/docker-agent/pkg/version"
 )
 
+// Header is the User-Agent value sent by built-in HTTP tools. It also
+// doubles as the agent name fed to robotstxt.RobotsData.TestAgent so
+// site operators see the same identity in both places.
 var Header = fmt.Sprintf("Cagent/%s (%s; %s)", version.Version, runtime.GOOS, runtime.GOARCH)
+
+// HTTP header names emitted by [SetIdentity] in addition to User-Agent.
+const (
+	HeaderAgentVersion   = "X-Docker-Agent-Version"
+	HeaderDesktopVersion = "X-Docker-Desktop-Version"
+)
+
+// SetIdentity stamps the request with User-Agent, X-Docker-Agent-Version,
+// and (when Docker Desktop is reachable) X-Docker-Desktop-Version. Callers
+// that want operator-supplied overrides should apply those headers AFTER
+// calling SetIdentity.
+func SetIdentity(req *http.Request) {
+	req.Header.Set("User-Agent", Header)
+	req.Header.Set(HeaderAgentVersion, version.Version)
+	if v := desktop.GetVersion(req.Context()); v != "" {
+		req.Header.Set(HeaderDesktopVersion, v)
+	}
+}
@@ -0,0 +1,21 @@
+package useragent
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/docker/docker-agent/pkg/version"
+)
+
+func TestSetIdentity(t *testing.T) {
+	req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, "http://example.com/", http.NoBody)
+	require.NoError(t, err)
+
+	SetIdentity(req)
+
+	assert.Equal(t, Header, req.Header.Get("User-Agent"))
+	assert.Equal(t, version.Version, req.Header.Get(HeaderAgentVersion))
+}