docs(demo): switch to prompt-driven probes; BirdsOfParadise theme
test / unit (push) Successful in 15s
test / integration (push) Successful in 32s

Each of the four probes is now a natural-language prompt to claude
instead of a bash escape via `!`. The agent uses its Bash tool, runs
the literal curl/git command, and narrates what pipelock or git-gate
returned. More authentic to actual product use, at the cost of a
longer recording (59s vs 26s) and a non-deterministic narration.

To keep claude on-task, the demo agent now ships a system prompt
that frames the bottle as a security-testing sandbox: synthetic
credentials, intentional probes, and an instruction to invoke curl
with `--proxy "$HTTPS_PROXY"` since curl ignores the uppercase
HTTP_PROXY env var (an upstream curl quirk — the env var is set, but
only the explicit flag actually routes through pipelock).

Theme moves to BirdsOfParadise (warmer palette against Claude TUI's
red accents). README copy updated to describe the prompt flow.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-13 02:28:04 -04:00
parent c47356c728
commit 2c2af47d3e
4 changed files with 40 additions and 34 deletions
+9 -8
@@ -10,14 +10,15 @@ Run multiple Claude Code agents on your own machine, each scoped to its own secr
![pipelock and git-gate blocking exfil attempts against a live bottle](docs/demo.gif)
Four moments from a real bottle, end-to-end:
claude responds to `hello there` — proof api.anthropic.com routes
through pipelock's bumped TLS;
a `! curl` to a non-allowlisted host is refused at the host filter;
a `! curl POST` carrying a credential-shaped body is refused by the
DLP body scanner;
a `git push` of a file containing a leaked-looking key is rejected
by git-gate's gitleaks pre-receive hook.
Four prompts to the agent inside a real bottle:
claude replies to `hello there` — proof api.anthropic.com routes
through pipelock's bumped TLS end-to-end;
asked to GET a non-allowlisted host, the agent's curl gets 403 back
from pipelock;
asked to POST a credential-shaped body to an allowlisted host, the
same 403 — pipelock's DLP body scanner caught it;
asked to commit and push an AKIA-shaped key, git-gate's gitleaks
pre-receive hook rejects the ref.
Run it yourself with `bash scripts/demo.sh`.
## Why "claude-bottle"?
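Review bot: the new README copy in this hunk drops the `! curl` wording but does not carry over the `--proxy "$HTTPS_PROXY"` requirement that the commit message says the demo's system prompt now relies on; since the copy invites readers to "Run it yourself with `bash scripts/demo.sh`" and describes the GET/POST probes as things the agent is "asked" to do, a reader who types the same prompts into a bottle without that system prompt may get a curl that does not go through pipelock at all and conclude the host filter or DLP scanner is not working. Suggest one sentence after "Run it yourself with `bash scripts/demo.sh`." stating that the demo's system prompt has the agent pass `--proxy "$HTTPS_PROXY"` explicitly because curl does not honour the uppercase `HTTP_PROXY` variable, so the two curl probes only exercise pipelock when the proxy flag is present.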