feat(supervise): list-egress-proxy-routes MCP tool, defaults on egress-proxy
Reshape the allowlist topology so the egress-proxy is the bottle's
single allowlist surface, and replace the agent-side
routes/allowlist file mounts with a live MCP tool.
Policy change (move defaults to egress-proxy):
- `egress_proxy_routes_for_bottle(bottle)` now folds in
DEFAULT_ALLOWLIST (the claude-code defaults) and
`bottle.egress.allowlist` (user adds) as bare-pass routes (no
auth, no path filter), on top of the bottle's
`egress_proxy.routes`. Manifest routes win on host collision.
- `pipelock_effective_allowlist(bottle)` mirrors egress-proxy's
effective host set when egress-proxy is in use. Pipelock is
no longer the bottle's primary allowlist authority; it
enforces a downstream copy as defense-in-depth + does DLP body
scanning.
- Split out `egress_proxy_manifest_routes(bottle)` for callers
that want just the manifest entries (tests, internal use).
- DEFAULT_ALLOWLIST moves from `pipelock.py` to `egress_proxy.py`
(pipelock re-imports for the no-egress-proxy fallback path).
- Dropped the `egress-proxy` auto-allow on pipelock's allowlist
— the agent never dials egress-proxy via the proxy mechanism;
pipelock only sees upstream hostnames from egress-proxy's
CONNECTs.
Introspection endpoint (existing mitmproxy feature):
- Egress-proxy addon recognises requests to the magic host
`_egress-proxy.local` and synthesizes responses via
`flow.response = http.Response.make(...)` — no upstream
connection, no allowlist enforcement on the magic host.
- `GET /allowlist` returns the in-memory route table as JSON
(host + path_allowlist + auth_scheme + token_env per route;
no token VALUES).
- Smoke-tested end-to-end against a real egress-proxy container.
MCP tool (existing supervise plumbing):
- New `list-egress-proxy-routes` tool (no inputs, no operator
approval). Handler fetches via egress-proxy's introspection
endpoint using urllib's ProxyHandler against
`EGRESS_PROXY_FORWARD_PROXY`. Returns the JSON payload as the
tool's text content; `isError: true` if the proxy is
unreachable.
- `egress-proxy-block` description now points the agent at
`list-egress-proxy-routes` instead of a staged file path.
- `pipelock-block` description acknowledges the mirror — agents
should prefer `egress-proxy-block` to add hosts; pipelock-block
stays for the rare divergence case.
Drop agent-side file mounts:
- Supervise's `current-config` dir staging no longer writes
routes.yaml / allowlist. Only `Dockerfile` remains
(capability-block still reads it from
`/etc/claude-bottle/current-config/Dockerfile`).
- `prepare.py` stops passing `routes_content` /
`allowlist_content` to `supervise.prepare`.
- `Supervise.prepare` signature simplified to one
`dockerfile_content` kwarg.
Tests: 400 unit + integration pass. Added coverage for
defaults-folding (`TestRoutesForBottleFoldsDefaults`), the new
tool definition + handler, and the updated supervise.prepare
shape.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -5,6 +5,8 @@ import json
|
||||
import unittest
|
||||
|
||||
from claude_bottle.egress_proxy import (
|
||||
DEFAULT_ALLOWLIST,
|
||||
egress_proxy_manifest_routes,
|
||||
egress_proxy_render_routes,
|
||||
egress_proxy_resolve_token_values,
|
||||
egress_proxy_routes_for_bottle,
|
||||
@@ -27,7 +29,7 @@ class TestRoutesForBottle(unittest.TestCase):
|
||||
"host": "api.github.com",
|
||||
"auth": {"scheme": "Bearer", "token_ref": "GH_PAT"},
|
||||
}])
|
||||
routes = egress_proxy_routes_for_bottle(b)
|
||||
routes = egress_proxy_manifest_routes(b)
|
||||
self.assertEqual(1, len(routes))
|
||||
r = routes[0]
|
||||
self.assertEqual("api.github.com", r.host)
|
||||
@@ -38,7 +40,7 @@ class TestRoutesForBottle(unittest.TestCase):
|
||||
|
||||
def test_unauthenticated_route_has_empty_auth_fields(self):
|
||||
b = _bottle([{"host": "github.com", "path_allowlist": ["/x/"]}])
|
||||
routes = egress_proxy_routes_for_bottle(b)
|
||||
routes = egress_proxy_manifest_routes(b)
|
||||
r = routes[0]
|
||||
self.assertEqual("", r.auth_scheme)
|
||||
self.assertEqual("", r.token_env)
|
||||
@@ -52,7 +54,7 @@ class TestRoutesForBottle(unittest.TestCase):
|
||||
{"host": "github.com",
|
||||
"auth": {"scheme": "Bearer", "token_ref": "GH_PAT"}},
|
||||
])
|
||||
routes = egress_proxy_routes_for_bottle(b)
|
||||
routes = egress_proxy_manifest_routes(b)
|
||||
slots = {r.token_env for r in routes}
|
||||
self.assertEqual({"EGRESS_PROXY_TOKEN_0"}, slots)
|
||||
|
||||
@@ -63,7 +65,7 @@ class TestRoutesForBottle(unittest.TestCase):
|
||||
{"host": "b.example",
|
||||
"auth": {"scheme": "Bearer", "token_ref": "T2"}},
|
||||
])
|
||||
routes = egress_proxy_routes_for_bottle(b)
|
||||
routes = egress_proxy_manifest_routes(b)
|
||||
slots = [r.token_env for r in routes]
|
||||
self.assertEqual(["EGRESS_PROXY_TOKEN_0", "EGRESS_PROXY_TOKEN_1"], slots)
|
||||
|
||||
@@ -77,12 +79,56 @@ class TestRoutesForBottle(unittest.TestCase):
|
||||
{"host": "b.example",
|
||||
"auth": {"scheme": "Bearer", "token_ref": "T2"}},
|
||||
])
|
||||
routes = egress_proxy_routes_for_bottle(b)
|
||||
routes = egress_proxy_manifest_routes(b)
|
||||
authed = [r.token_env for r in routes if r.token_env]
|
||||
self.assertEqual(["EGRESS_PROXY_TOKEN_0", "EGRESS_PROXY_TOKEN_1"], authed)
|
||||
self.assertEqual("", routes[1].token_env)
|
||||
|
||||
|
||||
class TestRoutesForBottleFoldsDefaults(unittest.TestCase):
|
||||
"""The effective route table includes DEFAULT_ALLOWLIST +
|
||||
bottle.egress.allowlist as bare-pass entries — pipelock's
|
||||
allowlist is a mirror of this set."""
|
||||
|
||||
def test_defaults_present_when_no_manifest_routes(self):
|
||||
b = _bottle([])
|
||||
hosts = [r.host for r in egress_proxy_routes_for_bottle(b)]
|
||||
for default in DEFAULT_ALLOWLIST:
|
||||
self.assertIn(default, hosts)
|
||||
|
||||
def test_manifest_route_wins_over_default(self):
|
||||
# api.anthropic.com is in DEFAULT_ALLOWLIST. A manifest
|
||||
# route for the same host takes precedence — we want the
|
||||
# auth config to apply, not a duplicate bare-pass entry.
|
||||
b = _bottle([{
|
||||
"host": "api.anthropic.com",
|
||||
"auth": {"scheme": "Bearer", "token_ref": "T"},
|
||||
}])
|
||||
routes = egress_proxy_routes_for_bottle(b)
|
||||
anthropic = [r for r in routes if r.host == "api.anthropic.com"]
|
||||
self.assertEqual(1, len(anthropic))
|
||||
self.assertEqual("Bearer", anthropic[0].auth_scheme)
|
||||
|
||||
def test_bottle_egress_allowlist_folded_in(self):
|
||||
m = Manifest.from_json_obj({
|
||||
"bottles": {"dev": {
|
||||
"egress_proxy": {"routes": []},
|
||||
"egress": {"allowlist": ["example.com"]},
|
||||
}},
|
||||
"agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
|
||||
})
|
||||
hosts = [r.host for r in egress_proxy_routes_for_bottle(m.bottles["dev"])]
|
||||
self.assertIn("example.com", hosts)
|
||||
|
||||
def test_manifest_only_when_no_defaults_or_allowlist(self):
|
||||
# Sanity: egress_proxy_manifest_routes returns just the
|
||||
# manifest entries — defaults are added by the
|
||||
# _routes_for_bottle wrapper.
|
||||
b = _bottle([{"host": "x.example"}])
|
||||
manifest = [r.host for r in egress_proxy_manifest_routes(b)]
|
||||
self.assertEqual(["x.example"], manifest)
|
||||
|
||||
|
||||
class TestTokenEnvMap(unittest.TestCase):
|
||||
def test_only_authenticated_routes_contribute(self):
|
||||
b = _bottle([
|
||||
@@ -90,7 +136,7 @@ class TestTokenEnvMap(unittest.TestCase):
|
||||
"auth": {"scheme": "Bearer", "token_ref": "T1"}},
|
||||
{"host": "passthrough.example"},
|
||||
])
|
||||
routes = egress_proxy_routes_for_bottle(b)
|
||||
routes = egress_proxy_manifest_routes(b)
|
||||
m = egress_proxy_token_env_map(routes)
|
||||
self.assertEqual({"EGRESS_PROXY_TOKEN_0": "T1"}, m)
|
||||
|
||||
@@ -105,7 +151,7 @@ class TestRenderRoutes(unittest.TestCase):
|
||||
"auth": {"scheme": "Bearer", "token_ref": "GH_PAT"},
|
||||
"path_allowlist": ["/repos/x/"],
|
||||
}])
|
||||
routes = egress_proxy_routes_for_bottle(b)
|
||||
routes = egress_proxy_manifest_routes(b)
|
||||
payload = json.loads(egress_proxy_render_routes(routes))
|
||||
self.assertEqual(
|
||||
[{
|
||||
@@ -123,7 +169,7 @@ class TestRenderRoutes(unittest.TestCase):
|
||||
# enforces both-or-neither, so emitting empty strings would
|
||||
# round-trip as a partial pair and crash.
|
||||
b = _bottle([{"host": "github.com", "path_allowlist": ["/x/"]}])
|
||||
routes = egress_proxy_routes_for_bottle(b)
|
||||
routes = egress_proxy_manifest_routes(b)
|
||||
payload = json.loads(egress_proxy_render_routes(routes))
|
||||
entry = payload["routes"][0]
|
||||
self.assertNotIn("auth_scheme", entry)
|
||||
@@ -134,7 +180,7 @@ class TestRenderRoutes(unittest.TestCase):
|
||||
"host": "api.anthropic.com",
|
||||
"auth": {"scheme": "Bearer", "token_ref": "CL"},
|
||||
}])
|
||||
routes = egress_proxy_routes_for_bottle(b)
|
||||
routes = egress_proxy_manifest_routes(b)
|
||||
payload = json.loads(egress_proxy_render_routes(routes))
|
||||
self.assertNotIn("path_allowlist", payload["routes"][0])
|
||||
|
||||
@@ -149,7 +195,7 @@ class TestRenderRoutes(unittest.TestCase):
|
||||
{"host": "github.com", "path_allowlist": ["/x/"]},
|
||||
{"host": "api.anthropic.com"},
|
||||
])
|
||||
routes = egress_proxy_routes_for_bottle(b)
|
||||
routes = egress_proxy_manifest_routes(b)
|
||||
addon_routes = load_routes(egress_proxy_render_routes(routes))
|
||||
self.assertEqual(3, len(addon_routes))
|
||||
self.assertEqual("Bearer", addon_routes[0].auth_scheme)
|
||||
|
||||
@@ -67,20 +67,29 @@ class TestAllowlistWithRoutes(unittest.TestCase):
|
||||
self.assertIn("registry.npmjs.org", eff)
|
||||
self.assertIn("api.github.com", eff)
|
||||
|
||||
def test_egress_proxy_hostname_auto_added_when_routes_exist(self):
|
||||
# Egress-proxy's outbound leg uses HTTPS_PROXY=pipelock, so
|
||||
# any request that flows through egress-proxy → pipelock
|
||||
# would otherwise be rejected by pipelock's hostname gate.
|
||||
def test_egress_proxy_hostname_NOT_in_pipelock_allowlist(self):
|
||||
# The agent never dials egress-proxy via the proxy mechanism
|
||||
# — it IS the proxy. Pipelock receives upstream hostnames
|
||||
# from egress-proxy's CONNECT requests, not the
|
||||
# `egress-proxy` hostname itself.
|
||||
eff = pipelock_effective_allowlist(_bottle(_routes([
|
||||
{"host": "x.example",
|
||||
"auth": {"scheme": "Bearer", "token_ref": "T"}},
|
||||
])))
|
||||
self.assertIn("egress-proxy", eff)
|
||||
|
||||
def test_egress_proxy_hostname_NOT_added_when_no_routes(self):
|
||||
eff = pipelock_effective_allowlist(_bottle({}))
|
||||
self.assertNotIn("egress-proxy", eff)
|
||||
|
||||
def test_pipelock_mirrors_egress_proxy_defaults_when_routes_present(self):
|
||||
# When egress_proxy is in use, pipelock's allowlist mirrors
|
||||
# the egress-proxy effective routes — which fold in
|
||||
# DEFAULT_ALLOWLIST + bottle.egress.allowlist.
|
||||
eff = pipelock_effective_allowlist(_bottle(_routes([
|
||||
{"host": "x.example",
|
||||
"auth": {"scheme": "Bearer", "token_ref": "T"}},
|
||||
])))
|
||||
for default in ("api.anthropic.com", "sentry.io"):
|
||||
self.assertIn(default, eff)
|
||||
self.assertIn("x.example", eff)
|
||||
|
||||
def test_supervise_hostname_auto_added_when_supervise_enabled(self):
|
||||
# The agent's MCP client opens long-polled requests to
|
||||
# http://supervise:9100/. They bypass the agent's HTTP_PROXY
|
||||
|
||||
@@ -314,7 +314,12 @@ class TestDiffAndHash(unittest.TestCase):
|
||||
class TestToolConstants(unittest.TestCase):
|
||||
def test_tools_tuple_matches_individual_constants(self):
|
||||
self.assertEqual(
|
||||
(TOOL_EGRESS_PROXY_BLOCK, TOOL_PIPELOCK_BLOCK, TOOL_CAPABILITY_BLOCK),
|
||||
(
|
||||
TOOL_EGRESS_PROXY_BLOCK,
|
||||
TOOL_PIPELOCK_BLOCK,
|
||||
TOOL_CAPABILITY_BLOCK,
|
||||
supervise.TOOL_LIST_EGRESS_PROXY_ROUTES,
|
||||
),
|
||||
supervise.TOOLS,
|
||||
)
|
||||
|
||||
@@ -357,20 +362,10 @@ class TestSupervisePrepare(unittest.TestCase):
|
||||
def test_prepare_creates_queue_and_current_config(self):
|
||||
plan = _StubSupervise().prepare(
|
||||
"dev", self.stage_dir,
|
||||
routes_content='{"routes": [{"path": "/x/"}]}\n',
|
||||
allowlist_content="example.com\n",
|
||||
dockerfile_content="FROM python:3.13\n",
|
||||
)
|
||||
self.assertTrue(plan.queue_dir.is_dir())
|
||||
self.assertTrue(plan.current_config_dir.is_dir())
|
||||
self.assertEqual(
|
||||
'{"routes": [{"path": "/x/"}]}\n',
|
||||
(plan.current_config_dir / "routes.yaml").read_text(),
|
||||
)
|
||||
self.assertEqual(
|
||||
"example.com\n",
|
||||
(plan.current_config_dir / "allowlist").read_text(),
|
||||
)
|
||||
self.assertEqual(
|
||||
"FROM python:3.13\n",
|
||||
(plan.current_config_dir / "Dockerfile").read_text(),
|
||||
@@ -378,12 +373,12 @@ class TestSupervisePrepare(unittest.TestCase):
|
||||
self.assertEqual("dev", plan.slug)
|
||||
self.assertEqual("", plan.internal_network)
|
||||
|
||||
def test_prepare_defaults_routes_to_empty_when_absent(self):
|
||||
def test_prepare_only_writes_dockerfile_to_current_config(self):
|
||||
# routes.yaml + allowlist live behind the
|
||||
# `list-egress-proxy-routes` MCP tool now (PRD 0017 chunk 3).
|
||||
plan = _StubSupervise().prepare("dev", self.stage_dir)
|
||||
self.assertEqual(
|
||||
'{"routes": []}\n',
|
||||
(plan.current_config_dir / "routes.yaml").read_text(),
|
||||
)
|
||||
files = sorted(p.name for p in plan.current_config_dir.iterdir())
|
||||
self.assertEqual(["Dockerfile"], files)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
@@ -170,7 +170,7 @@ class TestHandleInitialize(unittest.TestCase):
|
||||
|
||||
|
||||
class TestHandleToolsList(unittest.TestCase):
|
||||
def test_returns_three_tools(self):
|
||||
def test_returns_all_tools(self):
|
||||
result = handle_tools_list({})
|
||||
names = [t["name"] for t in result["tools"]] # type: ignore[index]
|
||||
self.assertEqual(
|
||||
@@ -178,19 +178,35 @@ class TestHandleToolsList(unittest.TestCase):
|
||||
_sv.TOOL_EGRESS_PROXY_BLOCK,
|
||||
_sv.TOOL_PIPELOCK_BLOCK,
|
||||
_sv.TOOL_CAPABILITY_BLOCK,
|
||||
_sv.TOOL_LIST_EGRESS_PROXY_ROUTES,
|
||||
]),
|
||||
sorted(names),
|
||||
)
|
||||
|
||||
def test_each_tool_has_inputSchema_with_two_required_fields(self):
|
||||
def test_remediation_tools_have_inputSchema_with_two_required_fields(self):
|
||||
# Only the proposal/remediation tools have required input
|
||||
# fields. The list-* introspection tools take no input.
|
||||
for tool in TOOL_DEFINITIONS:
|
||||
with self.subTest(name=tool["name"]):
|
||||
name = tool["name"]
|
||||
if name not in PROPOSED_FILE_FIELD:
|
||||
continue
|
||||
with self.subTest(name=name):
|
||||
schema = tool["inputSchema"]
|
||||
self.assertEqual("object", schema["type"]) # type: ignore[index]
|
||||
required = schema["required"] # type: ignore[index]
|
||||
self.assertEqual(2, len(required))
|
||||
self.assertIn("justification", required)
|
||||
self.assertIn(PROPOSED_FILE_FIELD[tool["name"]], required) # type: ignore[index]
|
||||
self.assertIn(PROPOSED_FILE_FIELD[name], required) # type: ignore[index]
|
||||
|
||||
def test_list_egress_proxy_routes_takes_no_input(self):
|
||||
tool = next(
|
||||
t for t in TOOL_DEFINITIONS
|
||||
if t["name"] == _sv.TOOL_LIST_EGRESS_PROXY_ROUTES
|
||||
)
|
||||
schema = tool["inputSchema"]
|
||||
self.assertEqual({}, schema.get("properties")) # type: ignore[union-attr]
|
||||
# No `required` array because no inputs are required.
|
||||
self.assertNotIn("required", schema) # type: ignore[operator]
|
||||
|
||||
|
||||
class TestHandleToolsCall(unittest.TestCase):
|
||||
|
||||
Reference in New Issue
Block a user