feat(mitmproxy): integration tests for the bumped HTTPS path

Fourth and final step of PRD 0005. Two new end-to-end tests that
exercise the full chain agent -> mitmproxy(bump) -> addon ->
pipelock -> upstream and pin the two paths the addon implements.

- test_mitmproxy_blocks_secret_https_post: HTTPS variant of the
  existing test_pipelock_blocks_secret_post. Posts a credential
  pattern in the body over HTTPS through the bottle. mitmproxy
  bumps the CONNECT (the agent trusts the per-bottle ephemeral CA
  installed by provision_ca), the addon forwards the decrypted
  request to pipelock, pipelock returns 403 with the known
  `blocked: ...` body shape, and the addon short-circuits the
  flow with status=403 + X-Pipelock-Bridge: block. The two-axis
  assertion (status + header) proves the addon-mediated path is
  what produced the block, not some other layer.

- test_mitmproxy_allows_normal_https: hits raw.githubusercontent.com
  (a baked-in allowlist host) over HTTPS through the bottle.
  Verifies the addon's allow path: mitmproxy bumps, addon
  forwards to pipelock for the scan, pipelock allows, mitmproxy
  proceeds to the real upstream, response comes back through. The
  absence of X-Pipelock-Bridge on the response is the signal that
  the addon didn't short-circuit. Body length sanity-checks that
  the response is real upstream content, not a synthesized stub.

Both probes are stdlib-only Node (http.request CONNECT + tls.connect
on the tunneled socket) — pulling in undici as a dep would be the
clean way to do HTTPS-through-proxy but is out of scope.

The earlier integration tests still pass with mitmproxy in path:
their assertions hold under the new topology, though their semantic
coverage shifts (e.g. test_pipelock_allow_node now exercises
mitmproxy's CONNECT-200 path rather than pipelock's host allowlist
on CONNECT). Updating those tests is a follow-up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

tests/integration/test_mitmproxy_allows_normal_https.py

@@ -0,0 +1,167 @@
+"""Integration: with mitmproxy in front of pipelock, a plain HTTPS
+GET to an allowlisted host with no credential pattern still gets
+through end-to-end.
+
+The complement to test_mitmproxy_blocks_secret_https_post — together
+they isolate the addon's two paths (block vs. allow). This test
+also functions as the end-to-end TLS-trust check: if the agent's
+trust store didn't have mitmproxy's CA installed, the TLS handshake
+between the agent and mitmproxy's bumped cert would fail and the
+fetch would throw before we ever saw a response.
+"""
+
+from __future__ import annotations
+
+import os
+import shutil
+import tempfile
+import unittest
+from pathlib import Path
+
+from claude_bottle.backend import BottleSpec, get_bottle_backend
+from tests._docker import skip_unless_docker
+from tests.fixtures import fixture_minimal
+
+
+# raw.githubusercontent.com is in the baked-in DEFAULT_ALLOWLIST.
+# Pick a file path that's stable enough across runs — `git`'s own
+# README.md on the master branch is a long-lived artifact and one
+# of github's most-trafficked raw files.
+_TARGET_URL = "https://raw.githubusercontent.com/git/git/master/README.md"
+
+# stdlib http (for CONNECT) + tls (for the bumped tunnel); see the
+# block test for the rationale on not pulling undici in as a dep.
+#
+# Output contract:
+#   - "status=<code>"   HTTP status from upstream (or addon, if
+#                       blocked)
+#   - "bridge=<value>"  X-Pipelock-Bridge header; empty on allow
+#   - "len=<N>"         response body length, sanity-check it's a
+#                       real response and not an empty proxy stub
+#   - "error=<...>"     thrown error
+_PROBE_JS = r"""
+const http = require('http');
+const tls = require('tls');
+
+const proxy = new URL(process.env.HTTPS_PROXY);
+
+const connectReq = http.request({
+  host: proxy.hostname,
+  port: proxy.port,
+  method: 'CONNECT',
+  path: 'raw.githubusercontent.com:443',
+});
+connectReq.setTimeout(10000, () => {
+  console.log('timeout=connect');
+  connectReq.destroy();
+});
+connectReq.on('error', (e) => {
+  console.log('error=' + (e.code || '') + ' ' + e.message);
+});
+connectReq.on('connect', (res, socket) => {
+  if (res.statusCode !== 200) {
+    console.log('status=' + res.statusCode);
+    console.log('bridge=' + (res.headers['x-pipelock-bridge'] || ''));
+    return;
+  }
+  const tlsSocket = tls.connect({
+    socket: socket,
+    servername: 'raw.githubusercontent.com',
+  });
+  tlsSocket.on('secureConnect', () => {
+    tlsSocket.write(
+      'GET /git/git/master/README.md HTTP/1.1\r\n' +
+      'Host: raw.githubusercontent.com\r\n' +
+      'User-Agent: claude-bottle-mitm-test\r\n' +
+      'Accept: */*\r\n' +
+      'Connection: close\r\n' +
+      '\r\n'
+    );
+  });
+  let buf = Buffer.alloc(0);
+  tlsSocket.on('data', (c) => { buf = Buffer.concat([buf, c]); });
+  tlsSocket.on('end', () => {
+    const text = buf.toString('utf8');
+    const headersEnd = text.indexOf('\r\n\r\n');
+    const head = headersEnd >= 0 ? text.slice(0, headersEnd) : text;
+    const body = headersEnd >= 0 ? text.slice(headersEnd + 4) : '';
+    const lines = head.split('\r\n');
+    const m = lines[0].match(/HTTP\/[\d.]+ (\d+)/);
+    let bridge = '';
+    for (let i = 1; i < lines.length; i++) {
+      const ix = lines[i].indexOf(': ');
+      if (ix < 0) continue;
+      if (lines[i].slice(0, ix).toLowerCase() === 'x-pipelock-bridge') {
+        bridge = lines[i].slice(ix + 2);
+      }
+    }
+    console.log('status=' + (m ? m[1] : '?'));
+    console.log('bridge=' + bridge);
+    console.log('len=' + body.length);
+  });
+  tlsSocket.on('error', (e) => {
+    console.log('tls_error=' + (e.code || '') + ' ' + e.message);
+  });
+});
+connectReq.end();
+"""
+
+
+@skip_unless_docker()
+class TestMitmproxyAllowsNormalHttps(unittest.TestCase):
+    @unittest.skipIf(
+        os.environ.get("GITEA_ACTIONS") == "true",
+        "skipped under act_runner: docker socket mount topology breaks "
+        "in-process visibility of networks created on the host daemon",
+    )
+    def test_https_get_to_allowed_host_succeeds(self):
+        backend = get_bottle_backend()
+        stage_dir = Path(tempfile.mkdtemp(prefix="cb-test-stage."))
+        try:
+            spec = BottleSpec(
+                manifest=fixture_minimal(),
+                agent_name="demo",
+                copy_cwd=False,
+                user_cwd=str(stage_dir),
+                forward_oauth_token=False,
+            )
+            plan = backend.prepare(spec, stage_dir=stage_dir)
+            with backend.launch(plan) as bottle:
+                script = (
+                    "set -e\n"
+                    "cat > /tmp/probe.js <<'PROBE_EOF'\n"
+                    f"{_PROBE_JS}\n"
+                    "PROBE_EOF\n"
+                    "node /tmp/probe.js\n"
+                )
+                result = bottle.exec(script)
+        finally:
+            shutil.rmtree(stage_dir, ignore_errors=True)
+
+        self.assertEqual(
+            0, result.returncode,
+            f"exec wrapper failed: stdout={result.stdout!r} stderr={result.stderr!r}",
+        )
+        # The TLS-trust setup is implicit here — if it had failed,
+        # fetch would have thrown rather than returned a status.
+        self.assertIn(
+            "status=200", result.stdout,
+            f"expected 200 from raw.githubusercontent.com; got: {result.stdout!r}",
+        )
+        # X-Pipelock-Bridge is set only on the addon's short-circuit
+        # paths (block / misconfigured / scanner-unreachable). An
+        # allow flow goes straight through mitmproxy to upstream and
+        # the header should be absent.
+        self.assertIn(
+            "bridge=\n", result.stdout,
+            f"X-Pipelock-Bridge unexpectedly present on the allow "
+            f"path: {result.stdout!r}",
+        )
+        # Sanity: the README is many KB. An empty body would suggest
+        # the response was synthesized by something in the chain
+        # rather than fetched from github.
+        self.assertNotIn("len=0\n", result.stdout)
+
+
+if __name__ == "__main__":
+    unittest.main()