From 05b12b41b6623de59ed305c8d7d3d0231cf291ec Mon Sep 17 00:00:00 2001
From: claude <eric+claude@dideric.is>
Date: Thu, 4 Jun 2026 21:58:36 +0000
Subject: [PATCH] fix: remove remaining pipelock references missed in prior
 pass

- test_supervise.py: drop TOOL_PIPELOCK_BLOCK import; update TOOLS
  assertion to match the 3-item tuple (egress, capability, list-egress)
- test_supervise_server.py: remove pipelock from tools-list assertion,
  fix test_rejected_response_sets_isError to use capability-block
- contrib/claude and contrib/codex: remove tls_passthrough=True from
  EgressRoute constructors (field removed with pipelock)
- test_egress.py: drop tls_passthrough parameter from _provider_route,
  remove tls_passthrough-only tests, fix EgressRoute constructions
- test_agent_provider.py: drop route.tls_passthrough assertions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 bot_bottle/contrib/claude/agent_provider.py |  1 -
 bot_bottle/contrib/codex/agent_provider.py  |  1 -
 tests/unit/test_agent_provider.py           |  4 ----
 tests/unit/test_egress.py                   | 21 +++------------------
 tests/unit/test_supervise.py                |  5 +----
 tests/unit/test_supervise_server.py         | 15 ++++++---------
 6 files changed, 10 insertions(+), 37 deletions(-)

diff --git a/bot_bottle/contrib/claude/agent_provider.py b/bot_bottle/contrib/claude/agent_provider.py
index 81f5b4a..17f2de7 100644
--- a/bot_bottle/contrib/claude/agent_provider.py
+++ b/bot_bottle/contrib/claude/agent_provider.py
@@ -94,7 +94,6 @@ class ClaudeAgentProvider(AgentProvider):
             host="api.anthropic.com",
             auth_scheme="Bearer" if auth_token else "",
             token_ref=auth_token,
-            tls_passthrough=True,
         ),)
         hidden_env_names: frozenset[str] = frozenset()
         if auth_token:
diff --git a/bot_bottle/contrib/codex/agent_provider.py b/bot_bottle/contrib/codex/agent_provider.py
index 472999c..e781938 100644
--- a/bot_bottle/contrib/codex/agent_provider.py
+++ b/bot_bottle/contrib/codex/agent_provider.py
@@ -110,7 +110,6 @@ class CodexAgentProvider(AgentProvider):
                 host=host,
                 auth_scheme="Bearer" if forward_host_credentials else "",
                 token_ref=CODEX_HOST_CREDENTIAL_TOKEN_REF if forward_host_credentials else "",
-                tls_passthrough=True,
             ))
 
         if forward_host_credentials:
diff --git a/tests/unit/test_agent_provider.py b/tests/unit/test_agent_provider.py
index ec9157d..7f33a0b 100644
--- a/tests/unit/test_agent_provider.py
+++ b/tests/unit/test_agent_provider.py
@@ -101,7 +101,6 @@ class TestAgentProviderRuntime(unittest.TestCase):
         self.assertEqual("api.anthropic.com", route.host)
         self.assertEqual("Bearer", route.auth_scheme)
         self.assertEqual("BOT_BOTTLE_CLAUDE_OAUTH_TOKEN", route.token_ref)
-        self.assertTrue(route.tls_passthrough)
         self.assertEqual("egress-placeholder", plan.env_vars["CLAUDE_CODE_OAUTH_TOKEN"])
         self.assertEqual("1", plan.env_vars["CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC"])
         self.assertEqual("1", plan.env_vars["DISABLE_ERROR_REPORTING"])
@@ -143,7 +142,6 @@ class TestAgentProviderRuntime(unittest.TestCase):
         for r in plan.egress_routes:
             self.assertEqual("Bearer", r.auth_scheme)
             self.assertEqual(CODEX_HOST_CREDENTIAL_TOKEN_REF, r.token_ref)
-            self.assertTrue(r.tls_passthrough)
 
     def test_codex_without_forward_host_credentials_has_passthrough_egress_routes(self):
         with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp:
@@ -161,7 +159,6 @@ class TestAgentProviderRuntime(unittest.TestCase):
         for r in plan.egress_routes:
             self.assertEqual("", r.auth_scheme)
             self.assertEqual("", r.token_ref)
-            self.assertTrue(r.tls_passthrough)
 
     def test_claude_without_auth_token_has_passthrough_egress_route(self):
         with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp:
@@ -176,7 +173,6 @@ class TestAgentProviderRuntime(unittest.TestCase):
         self.assertEqual("api.anthropic.com", route.host)
         self.assertEqual("", route.auth_scheme)
         self.assertEqual("", route.token_ref)
-        self.assertTrue(route.tls_passthrough)
         self.assertNotIn("CLAUDE_CODE_OAUTH_TOKEN", plan.env_vars)
         self.assertEqual(frozenset(), plan.hidden_env_names)
 
diff --git a/tests/unit/test_egress.py b/tests/unit/test_egress.py
index 9eb715a..b0f4531 100644
--- a/tests/unit/test_egress.py
+++ b/tests/unit/test_egress.py
@@ -24,12 +24,11 @@ def _bottle(routes):  # type: ignore
     }).bottles["dev"]
 
 
-def _provider_route(host: str, token_ref: str, *, tls_passthrough: bool = False) -> EgressRoute:
+def _provider_route(host: str, token_ref: str) -> EgressRoute:
     return EgressRoute(
         host=host,
         auth_scheme="Bearer",
         token_ref=token_ref,
-        tls_passthrough=tls_passthrough,
     )
 
 
@@ -150,7 +149,7 @@ class TestProviderRouteMerge(unittest.TestCase):
 
     def test_unauthenticated_provider_route_appends_without_token_slot(self):
         b = _bottle([])
-        pr = EgressRoute(host="api.openai.com", tls_passthrough=True)
+        pr = EgressRoute(host="api.openai.com")
         routes = egress_routes_for_bottle(b, (pr,))
         self.assertEqual(1, len(routes))
         self.assertEqual("api.openai.com", routes[0].host)
@@ -162,13 +161,12 @@ class TestProviderRouteMerge(unittest.TestCase):
     def test_provider_route_wins_over_bare_manifest_route(self):
         # Provisioned host wins outright; manifest path_allowlist is dropped.
         b = _bottle([{"host": "api.openai.com", "path_allowlist": ["/v1/"]}])
-        pr = EgressRoute(host="api.openai.com", tls_passthrough=True)
+        pr = EgressRoute(host="api.openai.com")
         routes = egress_routes_for_bottle(b, (pr,))
         self.assertEqual(1, len(routes))
         self.assertEqual("", routes[0].auth_scheme)
         self.assertEqual("", routes[0].token_env)
         self.assertEqual("", routes[0].token_ref)
-        self.assertTrue(routes[0].tls_passthrough)
         self.assertEqual((), routes[0].path_allowlist)
         self.assertEqual({}, egress_token_env_map(routes))
 
@@ -209,19 +207,6 @@ class TestProviderRouteMerge(unittest.TestCase):
         self.assertEqual(CODEX_HOST_CREDENTIAL_TOKEN_REF, routes[0].token_ref)
         self.assertEqual("GH_PAT", routes[1].token_ref)
 
-    def test_provider_route_tls_passthrough_set_on_appended_route(self):
-        b = _bottle([])
-        pr = _provider_route("api.openai.com", "TOK", tls_passthrough=True)
-        routes = egress_routes_for_bottle(b, (pr,))
-        self.assertTrue(routes[0].tls_passthrough)
-
-    def test_provider_route_tls_passthrough_wins_over_bare_manifest_route(self):
-        b = _bottle([{"host": "api.openai.com"}])
-        pr = _provider_route("api.openai.com", "TOK", tls_passthrough=True)
-        routes = egress_routes_for_bottle(b, (pr,))
-        self.assertTrue(routes[0].tls_passthrough)
-
-
 class TestTokenEnvMap(unittest.TestCase):
     def test_only_authenticated_routes_contribute(self):
         b = _bottle([
diff --git a/tests/unit/test_supervise.py b/tests/unit/test_supervise.py
index 0191e36..de92d73 100644
--- a/tests/unit/test_supervise.py
+++ b/tests/unit/test_supervise.py
@@ -18,7 +18,6 @@ from bot_bottle.supervise import (
     STATUS_REJECTED,
     TOOL_CAPABILITY_BLOCK,
     TOOL_EGRESS_BLOCK,
-    TOOL_PIPELOCK_BLOCK,
     archive_proposal,
     audit_log_path,
     list_pending_proposals,
@@ -320,16 +319,14 @@ class TestToolConstants(unittest.TestCase):
         self.assertEqual(
             (
                 TOOL_EGRESS_BLOCK,
-                TOOL_PIPELOCK_BLOCK,
                 TOOL_CAPABILITY_BLOCK,
                 supervise.TOOL_LIST_EGRESS_ROUTES,
             ),
             supervise.TOOLS,
         )
 
-    def test_component_map_covers_two_remediation_tools_only(self):
+    def test_component_map_covers_egress_remediation_only(self):
         self.assertIn(TOOL_EGRESS_BLOCK, supervise.COMPONENT_FOR_TOOL)
-        self.assertIn(TOOL_PIPELOCK_BLOCK, supervise.COMPONENT_FOR_TOOL)
         self.assertNotIn(TOOL_CAPABILITY_BLOCK, supervise.COMPONENT_FOR_TOOL)
 
 
diff --git a/tests/unit/test_supervise_server.py b/tests/unit/test_supervise_server.py
index c53411c..8f63eb6 100644
--- a/tests/unit/test_supervise_server.py
+++ b/tests/unit/test_supervise_server.py
@@ -56,12 +56,10 @@ class TestValidation(unittest.TestCase):
     def test_empty_proposed_file_rejected_for_tools_with_file_field(self):
         # egress-block has structured input (validated in
         # _validate_and_bundle_egress_route, not here) and
-        # list-egress-routes takes no input. Only the other
-        # two go through `validate_proposed_file`.
-        for tool in (_sv.TOOL_PIPELOCK_BLOCK, _sv.TOOL_CAPABILITY_BLOCK):
-            with self.subTest(tool=tool):
-                with self.assertRaises(_RpcError):
-                    validate_proposed_file(tool, "   \n\t")
+        # list-egress-routes takes no input. Only capability-block
+        # goes through `validate_proposed_file`.
+        with self.assertRaises(_RpcError):
+            validate_proposed_file(_sv.TOOL_CAPABILITY_BLOCK, "   \n\t")
 
 
 # --- JSON-RPC parsing ------------------------------------------------------
@@ -144,7 +142,6 @@ class TestHandleToolsList(unittest.TestCase):
         self.assertEqual(
             sorted([
                 _sv.TOOL_EGRESS_BLOCK,
-                _sv.TOOL_PIPELOCK_BLOCK,
                 _sv.TOOL_CAPABILITY_BLOCK,
                 _sv.TOOL_LIST_EGRESS_ROUTES,
             ]),
@@ -229,9 +226,9 @@ class TestHandleToolsCall(unittest.TestCase):
         try:
             result = handle_tools_call(
                 {
-                    "name": _sv.TOOL_PIPELOCK_BLOCK,
+                    "name": _sv.TOOL_CAPABILITY_BLOCK,
                     "arguments": {
-                        "failed_url": "https://example.com/path",
+                        "dockerfile": "FROM python:3.13\n",
                         "justification": "needed for tests",
                     },
                 },