feat(supervise): list-egress-proxy-routes MCP tool, defaults on egress-proxy
Reshape the allowlist topology so the egress-proxy is the bottle's
single allowlist surface, and replace the agent-side
routes/allowlist file mounts with a live MCP tool.
Policy change (move defaults to egress-proxy):
- `egress_proxy_routes_for_bottle(bottle)` now folds in
DEFAULT_ALLOWLIST (the claude-code defaults) and
`bottle.egress.allowlist` (user adds) as bare-pass routes (no
auth, no path filter), on top of the bottle's
`egress_proxy.routes`. Manifest routes win on host collision.
- `pipelock_effective_allowlist(bottle)` mirrors egress-proxy's
effective host set when egress-proxy is in use. Pipelock is
no longer the bottle's primary allowlist authority; it
enforces a downstream copy as defense-in-depth + does DLP body
scanning.
- Split out `egress_proxy_manifest_routes(bottle)` for callers
that want just the manifest entries (tests, internal use).
- DEFAULT_ALLOWLIST moves from `pipelock.py` to `egress_proxy.py`
(pipelock re-imports for the no-egress-proxy fallback path).
- Dropped the `egress-proxy` auto-allow on pipelock's allowlist
— the agent never dials egress-proxy via the proxy mechanism;
pipelock only sees upstream hostnames from egress-proxy's
CONNECTs.
Introspection endpoint (existing mitmproxy feature):
- Egress-proxy addon recognises requests to the magic host
`_egress-proxy.local` and synthesizes responses via
`flow.response = http.Response.make(...)` — no upstream
connection, no allowlist enforcement on the magic host.
- `GET /allowlist` returns the in-memory route table as JSON
(host + path_allowlist + auth_scheme + token_env per route;
no token VALUES).
- Smoke-tested end-to-end against a real egress-proxy container.
MCP tool (existing supervise plumbing):
- New `list-egress-proxy-routes` tool (no inputs, no operator
approval). Handler fetches via egress-proxy's introspection
endpoint using urllib's ProxyHandler against
`EGRESS_PROXY_FORWARD_PROXY`. Returns the JSON payload as the
tool's text content; `isError: true` if the proxy is
unreachable.
- `egress-proxy-block` description now points the agent at
`list-egress-proxy-routes` instead of a staged file path.
- `pipelock-block` description acknowledges the mirror — agents
should prefer `egress-proxy-block` to add hosts; pipelock-block
stays for the rare divergence case.
Drop agent-side file mounts:
- Supervise's `current-config` dir staging no longer writes
routes.yaml / allowlist. Only `Dockerfile` remains
(capability-block still reads it from
`/etc/claude-bottle/current-config/Dockerfile`).
- `prepare.py` stops passing `routes_content` /
`allowlist_content` to `supervise.prepare`.
- `Supervise.prepare` signature simplified to one
`dockerfile_content` kwarg.
Tests: 400 unit + integration pass. Added coverage for
defaults-folding (`TestRoutesForBottleFoldsDefaults`), the new
tool definition + handler, and the updated supervise.prepare
shape.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -36,7 +36,9 @@ import os
|
||||
import socketserver
|
||||
import sys
|
||||
import typing
|
||||
import urllib.error
|
||||
import urllib.parse
|
||||
import urllib.request
|
||||
from dataclasses import dataclass
|
||||
from pathlib import Path
|
||||
|
||||
@@ -132,16 +134,17 @@ TOOL_DEFINITIONS: list[dict[str, object]] = [
|
||||
"description": (
|
||||
"Call when egress-proxy refused your HTTPS request — host "
|
||||
"without a matching route, or a path outside the route's "
|
||||
"path_allowlist (typically a 403 from the proxy). Read "
|
||||
"the current routes.yaml from "
|
||||
"/etc/claude-bottle/current-config/routes.yaml, compose "
|
||||
"a modified version that adds or relaxes the route you "
|
||||
"need, and pass the full new file plus a justification. "
|
||||
"The operator approves or rejects in the supervise TUI. "
|
||||
"On approval the supervisor writes the new routes.yaml "
|
||||
"on the host and SIGHUPs egress-proxy (the addon's reload "
|
||||
"swaps the route table atomically without dropping "
|
||||
"in-flight connections)."
|
||||
"path_allowlist (typically a 403 from the proxy). First "
|
||||
"call `list-egress-proxy-routes` to see the current route "
|
||||
"table; compose a modified version that adds or relaxes "
|
||||
"the route you need, and pass the full new file plus a "
|
||||
"justification. The operator approves or rejects in the "
|
||||
"supervise TUI. On approval the supervisor writes the "
|
||||
"new routes.yaml on the host, SIGHUPs egress-proxy (the "
|
||||
"addon's reload swaps the route table atomically without "
|
||||
"dropping in-flight connections), and mirrors the route "
|
||||
"hosts onto pipelock's allowlist so the downstream gate "
|
||||
"lets them through too."
|
||||
),
|
||||
"inputSchema": {
|
||||
"type": "object",
|
||||
@@ -158,19 +161,41 @@ TOOL_DEFINITIONS: list[dict[str, object]] = [
|
||||
"required": ["routes", "justification"],
|
||||
},
|
||||
},
|
||||
{
|
||||
"name": _sv.TOOL_LIST_EGRESS_PROXY_ROUTES,
|
||||
"description": (
|
||||
"List the current egress-proxy route table — the bottle's "
|
||||
"primary egress allowlist. Returns JSON with one entry "
|
||||
"per allowed host, each carrying its path_allowlist (if "
|
||||
"any) and whether the proxy injects Authorization for "
|
||||
"the route. Use this before composing an "
|
||||
"`egress-proxy-block` proposal so the new routes file "
|
||||
"extends the live one rather than replacing it. "
|
||||
"Pipelock's allowlist is a mirror of this set — every "
|
||||
"host listed here is also reachable through pipelock's "
|
||||
"downstream hostname gate."
|
||||
),
|
||||
"inputSchema": {
|
||||
"type": "object",
|
||||
"properties": {},
|
||||
"additionalProperties": False,
|
||||
},
|
||||
},
|
||||
{
|
||||
"name": _sv.TOOL_PIPELOCK_BLOCK,
|
||||
"description": (
|
||||
"Call when pipelock refused your outbound request — host "
|
||||
"not in the allowlist, connection refused at the egress "
|
||||
"layer. Pass the full URL you tried to hit (scheme + "
|
||||
"host + path) plus a justification. The supervisor "
|
||||
"extracts the hostname and merges it into the bottle's "
|
||||
"current pipelock allowlist; the path is captured as "
|
||||
"context for the operator to review (pipelock's allowlist "
|
||||
"is hostname-only — it can't enforce path-level rules). "
|
||||
"On approval the supervisor restarts pipelock with the "
|
||||
"merged allowlist."
|
||||
"Call when pipelock refused your outbound request and "
|
||||
"the failing host is genuinely missing from the bottle's "
|
||||
"allowlist (vs. blocked for DLP reasons — those need a "
|
||||
"different remediation). In practice pipelock's allowlist "
|
||||
"is now a mirror of the egress-proxy routes set by "
|
||||
"`egress-proxy-block`, so prefer that tool when you want "
|
||||
"to add a host. This tool stays available for the rare "
|
||||
"case where pipelock and egress-proxy have diverged. "
|
||||
"Pass the full URL you tried to hit (scheme + host + "
|
||||
"path); the supervisor extracts the hostname and merges "
|
||||
"it into pipelock's allowlist. On approval the "
|
||||
"supervisor restarts pipelock."
|
||||
),
|
||||
"inputSchema": {
|
||||
"type": "object",
|
||||
@@ -308,15 +333,57 @@ def handle_tools_list(_params: dict[str, object]) -> dict[str, object]:
|
||||
return {"tools": TOOL_DEFINITIONS}
|
||||
|
||||
|
||||
def handle_list_egress_proxy_routes(
|
||||
_params: dict[str, object],
|
||||
_config: ServerConfig,
|
||||
) -> dict[str, object]:
|
||||
"""Fetch the live egress-proxy route table via its
|
||||
`_egress-proxy.local/allowlist` introspection endpoint. The
|
||||
request goes through egress-proxy as a forward proxy; the
|
||||
addon recognises the magic host and synthesizes a response —
|
||||
no real upstream connection, no allowlist enforcement
|
||||
against the magic host. Returns the JSON payload as the
|
||||
tool's text content."""
|
||||
proxy_handler = urllib.request.ProxyHandler({
|
||||
"http": _sv.EGRESS_PROXY_FORWARD_PROXY,
|
||||
})
|
||||
opener = urllib.request.build_opener(proxy_handler)
|
||||
try:
|
||||
with opener.open(_sv.EGRESS_PROXY_INTROSPECT_URL, timeout=5) as resp:
|
||||
body = resp.read().decode("utf-8")
|
||||
except (urllib.error.URLError, OSError) as e:
|
||||
return {
|
||||
"content": [{
|
||||
"type": "text",
|
||||
"text": (
|
||||
f"list-egress-proxy-routes: could not reach "
|
||||
f"{_sv.EGRESS_PROXY_INTROSPECT_URL!r} via "
|
||||
f"{_sv.EGRESS_PROXY_FORWARD_PROXY!r}: {e}"
|
||||
),
|
||||
}],
|
||||
"isError": True,
|
||||
}
|
||||
return {
|
||||
"content": [{"type": "text", "text": body}],
|
||||
"isError": False,
|
||||
}
|
||||
|
||||
|
||||
def handle_tools_call(
|
||||
params: dict[str, object],
|
||||
config: ServerConfig,
|
||||
) -> dict[str, object]:
|
||||
"""Validates the proposal, writes it to the queue, blocks waiting
|
||||
for a Response, returns the result wrapped in MCP `content`."""
|
||||
for a Response, returns the result wrapped in MCP `content`.
|
||||
|
||||
Side-effect-free `list-*` tools short-circuit before the queue/
|
||||
blocking machinery — they're read-only introspection that
|
||||
doesn't need operator approval."""
|
||||
name = params.get("name")
|
||||
if not isinstance(name, str):
|
||||
raise _RpcError(ERR_INVALID_PARAMS, "tools/call missing 'name'")
|
||||
if name == _sv.TOOL_LIST_EGRESS_PROXY_ROUTES:
|
||||
return handle_list_egress_proxy_routes(params.get("arguments", {}), config)
|
||||
if name not in PROPOSED_FILE_FIELD:
|
||||
raise _RpcError(ERR_INVALID_PARAMS, f"unknown tool {name!r}")
|
||||
args_raw = params.get("arguments", {})
|
||||
|
||||
Reference in New Issue
Block a user