docs: correct stale role field and claude provider auth example
lint / lint (push) Successful in 1m53s
The egress route fields table described `role` as a functional field that wires built-in auth flows. PRD 0029 removed the `claude_code_oauth` role; the manifest parser now rejects any `role` value as reserved-for-future-use. Provider auth routes are injected from `agent_provider.auth_token`.

- README: fix the `role` row to state it is reserved and any value is rejected at load.
- examples/bottles/claude.md: the manual `api.anthropic.com` route used the rejected `role` key and, even without it, would be silently dropped (provider-injected routes win for a provisioned host) — so its auth never took effect and the dlp comments described a route that never exists in the plan. Replace it with the canonical `agent_provider.auth_token` shape.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01YcU7nerbg8cVj9R4EkpfLJ
This commit was merged in pull request #211.
@@ -138,7 +138,7 @@ You help maintain Gitea-hosted projects.
|
|||||||
| Field | Required | Description |
|
| Field | Required | Description |
|
||||||
|---|---|---|
|
|---|---|---|
|
||||||
| `host` | yes | Hostname to allowlist. One entry per host. |
|
| `host` | yes | Hostname to allowlist. One entry per host. |
|
||||||
| `role` | no | Provider-specific role string (e.g. `claude_code_oauth`). Wires built-in auth flows; set by provider templates, not manually. |
|
| `role` | no | Reserved for future use. The key is recognised but any value is currently rejected at load. Provider auth routes (e.g. Claude's `api.anthropic.com`) are injected automatically from `agent_provider.auth_token`, not via `role`. |
|
||||||
| `auth.scheme` | when `auth` present | `Bearer` or `token`. Injected by the proxy; the agent never sees the value. |
|
| `auth.scheme` | when `auth` present | `Bearer` or `token`. Injected by the proxy; the agent never sees the value. |
|
||||||
| `auth.token_ref` | when `auth` present | Env-var name holding the secret on the host. |
|
| `auth.token_ref` | when `auth` present | Env-var name holding the secret on the host. |
|
||||||
| `matches` | no | Array of `{paths, methods, headers}` filters. A request must match at least one entry (if any are given) to be forwarded. |
|
| `matches` | no | Array of `{paths, methods, headers}` filters. A request must match at least one entry (if any are given) to be forwarded. |
|
||||||
|
|||||||
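Review bot: the new `role` row keeps `no` in the Required column, which reads as "optional" for a key whose every value is rejected at load; wording such as "no (must be omitted)" would make the column agree with the description. The commit message also says a manual route for a provider-provisioned host is silently dropped because provider-injected routes win, and none of the visible rows document that. A sentence on the `host` or `role` row would keep operators from assuming their own `auth` or `matches` settings on `api.anthropic.com` take effect.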
@@ -1,19 +1,14 @@
|
|||||||
---
|
---
|
||||||
agent_provider:
|
agent_provider:
|
||||||
template: claude
|
template: claude
|
||||||
|
# auth_token names the host env var holding the Claude OAuth token. The
|
||||||
egress:
|
# provider injects a provider-owned api.anthropic.com egress route that
|
||||||
routes:
|
# re-injects this token as the Bearer header; the agent only ever sees a
|
||||||
- host: api.anthropic.com
|
# placeholder CLAUDE_CODE_OAUTH_TOKEN. DLP defaults (token_patterns,
|
||||||
role: claude_code_oauth # wires Claude Code OAuth; do not change
|
# known_secrets outbound; naive_injection_detection inbound) apply to
|
||||||
auth:
|
# that route. To scan additional hosts, declare them under egress.routes
|
||||||
scheme: Bearer
|
# with per-route matches/dlp (see README "Egress route fields").
|
||||||
token_ref: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN
|
auth_token: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN
|
||||||
# dlp is omitted → all detectors on by default (token_patterns,
|
|
||||||
# known_secrets outbound; naive_injection_detection inbound).
|
|
||||||
# To disable inbound scanning for this route:
|
|
||||||
# dlp:
|
|
||||||
# inbound_detectors: false
|
|
||||||
---
|
---
|
||||||
|
|
||||||
Common Claude provider boundary. Drop this file into
|
Common Claude provider boundary. Drop this file into
|
||||||
|
|||||||
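Review bot: the new comment above `auth_token` says the DLP defaults apply to the provider-injected route but drops the removed hint for turning inbound scanning off (`dlp:` / `inbound_detectors: false`) without saying whether that route's DLP can still be tuned. State either that it is fixed or where the override now goes, since per the commit message a manual `api.anthropic.com` route is silently dropped. The comment also names two similar variables, `CLAUDE_CODE_OAUTH_TOKEN` (the placeholder the agent sees) and `BOT_BOTTLE_CLAUDE_OAUTH_TOKEN` (the host env var holding the token); labelling each as agent side or host side would keep a reader from exporting the real token under the placeholder name.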