diff --git a/README.md b/README.md index a9d7b3c..a151a82 100644 --- a/README.md +++ b/README.md @@ -10,11 +10,14 @@ Run multiple Claude Code agents on your own machine, each scoped to its own secr ![pipelock and git-gate blocking exfil attempts against a live bottle](docs/demo.gif) -Four probes against a real bottle, end-to-end: -pipelock forwards a clean HTTPS GET to an allowlisted host, -blocks a GET to a non-allowlisted host, -blocks a POST whose body carries a credential pattern; -git-gate rejects a push containing a leaked key. +Four moments from a real bottle, end-to-end: +claude responds to `hello there` — proof api.anthropic.com routes +through pipelock's bumped TLS; +a `! curl` to a non-allowlisted host is refused at the host filter; +a `! curl POST` carrying a credential-shaped body is refused by the +DLP body scanner; +a `git push` of a file containing a leaked-looking key is rejected +by git-gate's gitleaks pre-receive hook. Run it yourself with `bash scripts/demo.sh`. ## Why "claude-bottle"? diff --git a/docs/demo.gif b/docs/demo.gif index b66eace..d270f68 100644 Binary files a/docs/demo.gif and b/docs/demo.gif differ diff --git a/docs/demo.tape b/docs/demo.tape index 2ef3a4e..0a92c7f 100644 --- a/docs/demo.tape +++ b/docs/demo.tape @@ -13,7 +13,7 @@ Set FontSize 13 Set Width 1180 Set Height 780 Set Padding 20 -Set Theme "Catppuccin Mocha" +Set Theme "Brogrammer" Set TypingSpeed 40ms Hide @@ -38,11 +38,13 @@ Enter # sidecars started, agent container started, claude boots. Sleep 22s -# Probe 1 — allowlisted HTTPS reaches an allowlisted host via the -# bumped TLS tunnel. Baseline: the proxy isn't just blocking everything. -Type `! curl --proxy "$HTTPS_PROXY" -sw 'status=%{http_code}\n' -o /dev/null https://raw.githubusercontent.com/git/git/master/README.md` +# Probe 1 — plain claude prompt. A reply proves api.anthropic.com is +# reachable through pipelock end-to-end: bumped TLS handshake, DLP +# scan, and forward all succeed. No `!` prefix — this is the AI +# answering through the same proxy the other probes try to bypass. +Type "hello there" Enter -Sleep 5s +Sleep 9s # Probe 2 — non-allowlisted host. Pipelock's host filter refuses to # forward; DLP doesn't even get a chance to run.