fix: remove remaining pipelock references missed in prior pass
- test_supervise.py: drop TOOL_PIPELOCK_BLOCK import; update TOOLS assertion to match the 3-item tuple (egress, capability, list-egress) - test_supervise_server.py: remove pipelock from tools-list assertion, fix test_rejected_response_sets_isError to use capability-block - contrib/claude and contrib/codex: remove tls_passthrough=True from EgressRoute constructors (field removed with pipelock) - test_egress.py: drop tls_passthrough parameter from _provider_route, remove tls_passthrough-only tests, fix EgressRoute constructions - test_agent_provider.py: drop route.tls_passthrough assertions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -94,7 +94,6 @@ class ClaudeAgentProvider(AgentProvider):
|
|||||||
host="api.anthropic.com",
|
host="api.anthropic.com",
|
||||||
auth_scheme="Bearer" if auth_token else "",
|
auth_scheme="Bearer" if auth_token else "",
|
||||||
token_ref=auth_token,
|
token_ref=auth_token,
|
||||||
tls_passthrough=True,
|
|
||||||
),)
|
),)
|
||||||
hidden_env_names: frozenset[str] = frozenset()
|
hidden_env_names: frozenset[str] = frozenset()
|
||||||
if auth_token:
|
if auth_token:
|
||||||
|
|||||||
@@ -110,7 +110,6 @@ class CodexAgentProvider(AgentProvider):
|
|||||||
host=host,
|
host=host,
|
||||||
auth_scheme="Bearer" if forward_host_credentials else "",
|
auth_scheme="Bearer" if forward_host_credentials else "",
|
||||||
token_ref=CODEX_HOST_CREDENTIAL_TOKEN_REF if forward_host_credentials else "",
|
token_ref=CODEX_HOST_CREDENTIAL_TOKEN_REF if forward_host_credentials else "",
|
||||||
tls_passthrough=True,
|
|
||||||
))
|
))
|
||||||
|
|
||||||
if forward_host_credentials:
|
if forward_host_credentials:
|
||||||
|
|||||||
@@ -101,7 +101,6 @@ class TestAgentProviderRuntime(unittest.TestCase):
|
|||||||
self.assertEqual("api.anthropic.com", route.host)
|
self.assertEqual("api.anthropic.com", route.host)
|
||||||
self.assertEqual("Bearer", route.auth_scheme)
|
self.assertEqual("Bearer", route.auth_scheme)
|
||||||
self.assertEqual("BOT_BOTTLE_CLAUDE_OAUTH_TOKEN", route.token_ref)
|
self.assertEqual("BOT_BOTTLE_CLAUDE_OAUTH_TOKEN", route.token_ref)
|
||||||
self.assertTrue(route.tls_passthrough)
|
|
||||||
self.assertEqual("egress-placeholder", plan.env_vars["CLAUDE_CODE_OAUTH_TOKEN"])
|
self.assertEqual("egress-placeholder", plan.env_vars["CLAUDE_CODE_OAUTH_TOKEN"])
|
||||||
self.assertEqual("1", plan.env_vars["CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC"])
|
self.assertEqual("1", plan.env_vars["CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC"])
|
||||||
self.assertEqual("1", plan.env_vars["DISABLE_ERROR_REPORTING"])
|
self.assertEqual("1", plan.env_vars["DISABLE_ERROR_REPORTING"])
|
||||||
@@ -143,7 +142,6 @@ class TestAgentProviderRuntime(unittest.TestCase):
|
|||||||
for r in plan.egress_routes:
|
for r in plan.egress_routes:
|
||||||
self.assertEqual("Bearer", r.auth_scheme)
|
self.assertEqual("Bearer", r.auth_scheme)
|
||||||
self.assertEqual(CODEX_HOST_CREDENTIAL_TOKEN_REF, r.token_ref)
|
self.assertEqual(CODEX_HOST_CREDENTIAL_TOKEN_REF, r.token_ref)
|
||||||
self.assertTrue(r.tls_passthrough)
|
|
||||||
|
|
||||||
def test_codex_without_forward_host_credentials_has_passthrough_egress_routes(self):
|
def test_codex_without_forward_host_credentials_has_passthrough_egress_routes(self):
|
||||||
with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp:
|
with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp:
|
||||||
@@ -161,7 +159,6 @@ class TestAgentProviderRuntime(unittest.TestCase):
|
|||||||
for r in plan.egress_routes:
|
for r in plan.egress_routes:
|
||||||
self.assertEqual("", r.auth_scheme)
|
self.assertEqual("", r.auth_scheme)
|
||||||
self.assertEqual("", r.token_ref)
|
self.assertEqual("", r.token_ref)
|
||||||
self.assertTrue(r.tls_passthrough)
|
|
||||||
|
|
||||||
def test_claude_without_auth_token_has_passthrough_egress_route(self):
|
def test_claude_without_auth_token_has_passthrough_egress_route(self):
|
||||||
with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp:
|
with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp:
|
||||||
@@ -176,7 +173,6 @@ class TestAgentProviderRuntime(unittest.TestCase):
|
|||||||
self.assertEqual("api.anthropic.com", route.host)
|
self.assertEqual("api.anthropic.com", route.host)
|
||||||
self.assertEqual("", route.auth_scheme)
|
self.assertEqual("", route.auth_scheme)
|
||||||
self.assertEqual("", route.token_ref)
|
self.assertEqual("", route.token_ref)
|
||||||
self.assertTrue(route.tls_passthrough)
|
|
||||||
self.assertNotIn("CLAUDE_CODE_OAUTH_TOKEN", plan.env_vars)
|
self.assertNotIn("CLAUDE_CODE_OAUTH_TOKEN", plan.env_vars)
|
||||||
self.assertEqual(frozenset(), plan.hidden_env_names)
|
self.assertEqual(frozenset(), plan.hidden_env_names)
|
||||||
|
|
||||||
|
|||||||
@@ -24,12 +24,11 @@ def _bottle(routes): # type: ignore
|
|||||||
}).bottles["dev"]
|
}).bottles["dev"]
|
||||||
|
|
||||||
|
|
||||||
def _provider_route(host: str, token_ref: str, *, tls_passthrough: bool = False) -> EgressRoute:
|
def _provider_route(host: str, token_ref: str) -> EgressRoute:
|
||||||
return EgressRoute(
|
return EgressRoute(
|
||||||
host=host,
|
host=host,
|
||||||
auth_scheme="Bearer",
|
auth_scheme="Bearer",
|
||||||
token_ref=token_ref,
|
token_ref=token_ref,
|
||||||
tls_passthrough=tls_passthrough,
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
@@ -150,7 +149,7 @@ class TestProviderRouteMerge(unittest.TestCase):
|
|||||||
|
|
||||||
def test_unauthenticated_provider_route_appends_without_token_slot(self):
|
def test_unauthenticated_provider_route_appends_without_token_slot(self):
|
||||||
b = _bottle([])
|
b = _bottle([])
|
||||||
pr = EgressRoute(host="api.openai.com", tls_passthrough=True)
|
pr = EgressRoute(host="api.openai.com")
|
||||||
routes = egress_routes_for_bottle(b, (pr,))
|
routes = egress_routes_for_bottle(b, (pr,))
|
||||||
self.assertEqual(1, len(routes))
|
self.assertEqual(1, len(routes))
|
||||||
self.assertEqual("api.openai.com", routes[0].host)
|
self.assertEqual("api.openai.com", routes[0].host)
|
||||||
@@ -162,13 +161,12 @@ class TestProviderRouteMerge(unittest.TestCase):
|
|||||||
def test_provider_route_wins_over_bare_manifest_route(self):
|
def test_provider_route_wins_over_bare_manifest_route(self):
|
||||||
# Provisioned host wins outright; manifest path_allowlist is dropped.
|
# Provisioned host wins outright; manifest path_allowlist is dropped.
|
||||||
b = _bottle([{"host": "api.openai.com", "path_allowlist": ["/v1/"]}])
|
b = _bottle([{"host": "api.openai.com", "path_allowlist": ["/v1/"]}])
|
||||||
pr = EgressRoute(host="api.openai.com", tls_passthrough=True)
|
pr = EgressRoute(host="api.openai.com")
|
||||||
routes = egress_routes_for_bottle(b, (pr,))
|
routes = egress_routes_for_bottle(b, (pr,))
|
||||||
self.assertEqual(1, len(routes))
|
self.assertEqual(1, len(routes))
|
||||||
self.assertEqual("", routes[0].auth_scheme)
|
self.assertEqual("", routes[0].auth_scheme)
|
||||||
self.assertEqual("", routes[0].token_env)
|
self.assertEqual("", routes[0].token_env)
|
||||||
self.assertEqual("", routes[0].token_ref)
|
self.assertEqual("", routes[0].token_ref)
|
||||||
self.assertTrue(routes[0].tls_passthrough)
|
|
||||||
self.assertEqual((), routes[0].path_allowlist)
|
self.assertEqual((), routes[0].path_allowlist)
|
||||||
self.assertEqual({}, egress_token_env_map(routes))
|
self.assertEqual({}, egress_token_env_map(routes))
|
||||||
|
|
||||||
@@ -209,19 +207,6 @@ class TestProviderRouteMerge(unittest.TestCase):
|
|||||||
self.assertEqual(CODEX_HOST_CREDENTIAL_TOKEN_REF, routes[0].token_ref)
|
self.assertEqual(CODEX_HOST_CREDENTIAL_TOKEN_REF, routes[0].token_ref)
|
||||||
self.assertEqual("GH_PAT", routes[1].token_ref)
|
self.assertEqual("GH_PAT", routes[1].token_ref)
|
||||||
|
|
||||||
def test_provider_route_tls_passthrough_set_on_appended_route(self):
|
|
||||||
b = _bottle([])
|
|
||||||
pr = _provider_route("api.openai.com", "TOK", tls_passthrough=True)
|
|
||||||
routes = egress_routes_for_bottle(b, (pr,))
|
|
||||||
self.assertTrue(routes[0].tls_passthrough)
|
|
||||||
|
|
||||||
def test_provider_route_tls_passthrough_wins_over_bare_manifest_route(self):
|
|
||||||
b = _bottle([{"host": "api.openai.com"}])
|
|
||||||
pr = _provider_route("api.openai.com", "TOK", tls_passthrough=True)
|
|
||||||
routes = egress_routes_for_bottle(b, (pr,))
|
|
||||||
self.assertTrue(routes[0].tls_passthrough)
|
|
||||||
|
|
||||||
|
|
||||||
class TestTokenEnvMap(unittest.TestCase):
|
class TestTokenEnvMap(unittest.TestCase):
|
||||||
def test_only_authenticated_routes_contribute(self):
|
def test_only_authenticated_routes_contribute(self):
|
||||||
b = _bottle([
|
b = _bottle([
|
||||||
|
|||||||
@@ -18,7 +18,6 @@ from bot_bottle.supervise import (
|
|||||||
STATUS_REJECTED,
|
STATUS_REJECTED,
|
||||||
TOOL_CAPABILITY_BLOCK,
|
TOOL_CAPABILITY_BLOCK,
|
||||||
TOOL_EGRESS_BLOCK,
|
TOOL_EGRESS_BLOCK,
|
||||||
TOOL_PIPELOCK_BLOCK,
|
|
||||||
archive_proposal,
|
archive_proposal,
|
||||||
audit_log_path,
|
audit_log_path,
|
||||||
list_pending_proposals,
|
list_pending_proposals,
|
||||||
@@ -320,16 +319,14 @@ class TestToolConstants(unittest.TestCase):
|
|||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
(
|
(
|
||||||
TOOL_EGRESS_BLOCK,
|
TOOL_EGRESS_BLOCK,
|
||||||
TOOL_PIPELOCK_BLOCK,
|
|
||||||
TOOL_CAPABILITY_BLOCK,
|
TOOL_CAPABILITY_BLOCK,
|
||||||
supervise.TOOL_LIST_EGRESS_ROUTES,
|
supervise.TOOL_LIST_EGRESS_ROUTES,
|
||||||
),
|
),
|
||||||
supervise.TOOLS,
|
supervise.TOOLS,
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_component_map_covers_two_remediation_tools_only(self):
|
def test_component_map_covers_egress_remediation_only(self):
|
||||||
self.assertIn(TOOL_EGRESS_BLOCK, supervise.COMPONENT_FOR_TOOL)
|
self.assertIn(TOOL_EGRESS_BLOCK, supervise.COMPONENT_FOR_TOOL)
|
||||||
self.assertIn(TOOL_PIPELOCK_BLOCK, supervise.COMPONENT_FOR_TOOL)
|
|
||||||
self.assertNotIn(TOOL_CAPABILITY_BLOCK, supervise.COMPONENT_FOR_TOOL)
|
self.assertNotIn(TOOL_CAPABILITY_BLOCK, supervise.COMPONENT_FOR_TOOL)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -56,12 +56,10 @@ class TestValidation(unittest.TestCase):
|
|||||||
def test_empty_proposed_file_rejected_for_tools_with_file_field(self):
|
def test_empty_proposed_file_rejected_for_tools_with_file_field(self):
|
||||||
# egress-block has structured input (validated in
|
# egress-block has structured input (validated in
|
||||||
# _validate_and_bundle_egress_route, not here) and
|
# _validate_and_bundle_egress_route, not here) and
|
||||||
# list-egress-routes takes no input. Only the other
|
# list-egress-routes takes no input. Only capability-block
|
||||||
# two go through `validate_proposed_file`.
|
# goes through `validate_proposed_file`.
|
||||||
for tool in (_sv.TOOL_PIPELOCK_BLOCK, _sv.TOOL_CAPABILITY_BLOCK):
|
with self.assertRaises(_RpcError):
|
||||||
with self.subTest(tool=tool):
|
validate_proposed_file(_sv.TOOL_CAPABILITY_BLOCK, " \n\t")
|
||||||
with self.assertRaises(_RpcError):
|
|
||||||
validate_proposed_file(tool, " \n\t")
|
|
||||||
|
|
||||||
|
|
||||||
# --- JSON-RPC parsing ------------------------------------------------------
|
# --- JSON-RPC parsing ------------------------------------------------------
|
||||||
@@ -144,7 +142,6 @@ class TestHandleToolsList(unittest.TestCase):
|
|||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
sorted([
|
sorted([
|
||||||
_sv.TOOL_EGRESS_BLOCK,
|
_sv.TOOL_EGRESS_BLOCK,
|
||||||
_sv.TOOL_PIPELOCK_BLOCK,
|
|
||||||
_sv.TOOL_CAPABILITY_BLOCK,
|
_sv.TOOL_CAPABILITY_BLOCK,
|
||||||
_sv.TOOL_LIST_EGRESS_ROUTES,
|
_sv.TOOL_LIST_EGRESS_ROUTES,
|
||||||
]),
|
]),
|
||||||
@@ -229,9 +226,9 @@ class TestHandleToolsCall(unittest.TestCase):
|
|||||||
try:
|
try:
|
||||||
result = handle_tools_call(
|
result = handle_tools_call(
|
||||||
{
|
{
|
||||||
"name": _sv.TOOL_PIPELOCK_BLOCK,
|
"name": _sv.TOOL_CAPABILITY_BLOCK,
|
||||||
"arguments": {
|
"arguments": {
|
||||||
"failed_url": "https://example.com/path",
|
"dockerfile": "FROM python:3.13\n",
|
||||||
"justification": "needed for tests",
|
"justification": "needed for tests",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|||||||
Reference in New Issue
Block a user