didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

docs: remove pipelock references from README, examples, and test docs
lint / lint (push) Successful in 1m27s
Details
test / unit (push) Successful in 33s
Details
test / integration (push) Successful in 46s
Details
Update Quality Badges / update-badges (push) Successful in 1m8s
Details

Browse Source 
Pipelock was removed in PR #193. Update the five remaining places
where current documentation (README, examples/bottles/claude.md,
tests/README.md, docs/ci.md, sidecar_bundle.py comment) still
described the old pipelock + cred-proxy topology.
This commit is contained in:
didericis (claude)
2026-06-06 05:07:21 +00:00
parent 7e6e0b1f5a
commit 63a3b9b50a
5 changed files with 38 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+15 -23
View File
@@ -27,7 +27,7 @@
## Architecture
A bottle is two containers per agent: an `agent` container, and a `sidecars` container that bundles pipelock + cred-proxy + git-gate + supervise behind a Python init supervisor. They share a per-agent Docker `--internal` network; the agent has no default route off-box.
A bottle is two containers per agent: an `agent` container, and a `sidecars` container that bundles egress + git-gate + supervise behind a Python init supervisor. They share a per-agent Docker `--internal` network; the agent has no default route off-box.
```
host ( ./cli.py )
@@ -36,31 +36,25 @@ A bottle is two containers per agent: an `agent` container, and a `sidecars` con
┌─────────────────────────── bottle ──────────────────────────────────┐
│ │
│ ┌──────────────────┐ ┌──────────────
│ │ agent image │ HTTP(S) proxy │ cred-proxy │
│ │ (claude-code, │ ─────────────────►│ (strips/inj │
│ │ codex, etc) │ │ Authoriz.) │ │
│ │ │ └──────┬───────┘
│ │ environ: URLs │
│ │ only, no real │
│ │ tokens ┌────────────────┐ HTTPS to
│ │ │ │ pipelock image │──────────┼──► allowlisted
│ │ │ │ (TLS bump, DLP │ │ hosts (incl.
│ │ │ │ body scan, │ │ cred-proxy
│ │ │ │ allowlist) │ │ upstreams)
│ │ │ └────────────────┘ │
│ │ │ │
│ ┌──────────────────┐ ┌──────────────────────┐
│ │ agent image │ HTTP(S) proxy │ egress image
│ │ (claude-code, │ ─────────────────►│ (mitmproxy; TLS bump │ HTTPS to
│ │ codex, etc) │ │ DLP scan, path │───┼──► allowlisted
│ │ │ │ matching, auth hosts
│ │ environ: proxy │injection)
│ │ URLs only, no └──────────────────────┘
│ │ real tokens │
│ │ │ git proxy ┌────────────────┐ │ SSH push/fetch
│ │ │ ────────────────►│ git-gate image │──────────┼──► to bottle.git
│ │ │ │ (gitleaks + │ │ upstreams
│ └──────────────────┘ │ git daemon) │ │ (direct — not
│ └────────────────┘ │ via pipelock)
│ └────────────────┘ │ via egress)
│ │
│ agent on internal network (no default route); pipelock,
cred-proxy, and git-gate straddle internal + egress networks. │
pipelock is the single HTTP/HTTPS chokepoint — cred-proxy's
outbound traverses it too. git-gate's SSH egress is direct │
│ because pipelock is HTTP-only. │
│ agent on internal network (no default route); egress and
│ git-gate straddle internal + egress networks.
egress is the single HTTP/HTTPS chokepoint — all agent HTTP/HTTPS
traffic flows through it. git-gate's SSH egress is direct
│ because egress is HTTP-only.
└─────────────────────────────────────────────────────────────────────┘
```
@@ -104,8 +98,6 @@ egress:
auth:
scheme: token
token_ref: BOT_BOTTLE_GITEA_TOKEN
pipelock:
ssrf_ip_allowlist: [100.78.141.42/32]
---
The `gitea-dev` bottle. Provider auth via the inherited Claude route;
bot_bottle/backend/docker/sidecar_bundle.py
+1 -2
View File
@@ -14,8 +14,7 @@ import os
# Bundle image. Defaults to a built-locally tag (built from the
# repo's Dockerfile.sidecars via compose `build:`). Operators
# pinning to a published digest can override via env, matching
# the existing `BOT_BOTTLE_PIPELOCK_IMAGE` shape.
# pinning to a published digest can override via env.
SIDECAR_BUNDLE_IMAGE = os.environ.get(
"BOT_BOTTLE_SIDECAR_IMAGE",
"bot-bottle-sidecars:latest",
docs/ci.md
+6 -4
View File
@@ -22,7 +22,9 @@ mounted in. That topology breaks two assumptions those tests make:
`http://127.0.0.1:<host_port>` from inside the job time out.
The affected tests (`test_orphan_cleanup.test_create_and_remove`,
`test_pipelock_sidecar_smoke.test_smoke`) still run locally where the
test process and Docker daemon share a host. Making them work in CI
is a follow-up: either re-write them to discover container IPs via
`docker inspect`, or reconfigure the runner with host networking.
`test_sidecar_bundle_image.TestSidecarBundleImage`,
`test_sidecar_bundle_compose.TestSidecarBundleCompose`) still run
locally where the test process and Docker daemon share a host.
Making them work in CI is a follow-up: either re-write them to
discover container IPs via `docker inspect`, or reconfigure the
runner with host networking.
examples/bottles/claude.md
-2
View File
@@ -9,8 +9,6 @@ egress:
auth:
scheme: Bearer
token_ref: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN
pipelock:
tls_passthrough: true
---
Common Claude provider boundary. Drop this file into
tests/README.md
+16 -13
View File
@@ -11,16 +11,19 @@ tests/
fixtures.py # JSON manifest builders (shared)
_docker.py # docker-availability skip helper (shared)
unit/
test_pipelock_classify.py
test_pipelock_allowlist.py
test_pipelock_yaml.py
test_egress.py
test_egress_addon_core.py
test_manifest_egress.py
test_dlp_detectors.py
test_manifest_runtime.py
... # many others; see unit/ directory
integration/
test_pipelock_sidecar_smoke.py
test_sidecar_bundle_image.py
test_sidecar_bundle_compose.py
test_dry_run_plan.py
test_orphan_cleanup.py
canaries/
test_pipelock_image.py # opt-in; see below
...
canaries/ # opt-in; see below (currently empty)
```
Classification falls out of the directory — no hand-maintained list to
@@ -32,7 +35,7 @@ keep in sync.
python -m unittest discover -t . -s tests/unit -v # unit only
python -m unittest discover -t . -s tests/integration -v # integration only
python -m unittest discover -t . -s tests -v # both (recursive)
python -m unittest tests.unit.test_pipelock_yaml # one file
python -m unittest tests.unit.test_manifest_egress # one file
```
Discovery is invoked with `-t .` (top-level dir = repo root) so the
@@ -46,18 +49,18 @@ Discovery is invoked with `-t .` (top-level dir = repo root) so the
- `test_orphan_cleanup.py``network_remove` is idempotent against
missing resources, so the EXIT trap can call it unconditionally.
- `test_sidecar_bundle_image.py` — builds Dockerfile.sidecars and
probes that pipelock / gitleaks / mitmdump / supervise are all
reachable inside the bundle.
probes that gitleaks / mitmdump / supervise are all reachable
inside the bundle.
- `test_sidecar_bundle_compose.py` — end-to-end compose-up of an
agent + bundle pair; verifies the agent reaches the bundle via
the legacy network aliases.
## Canaries
`tests/canaries/` holds upstream-regression checks (e.g. the pinned
pipelock digest's binary still runs). These are gated on
`tests/canaries/` holds upstream-regression checks gated on
`BOT_BOTTLE_RUN_CANARIES=1` and not part of the per-push suite.
They're invoked by the scheduled `canaries` workflow.
They're invoked by the scheduled `canaries` workflow. Currently
no canaries are defined.
```bash
BOT_BOTTLE_RUN_CANARIES=1 python -m unittest discover -t . -s tests/canaries -v
@@ -67,7 +70,7 @@ BOT_BOTTLE_RUN_CANARIES=1 python -m unittest discover -t . -s tests/canaries -v
- `bot_bottle/ssh.py` end-to-end (would need a fake SSH host inside
the container).
- A live SSH-through-pipelock tunnel against a real Tailscale-style IP.
- A live SSH-through-git-gate tunnel against a real Tailscale-style IP.
- DLP false-positive measurements.
- TLS handling / cert pinning behavior.