From 63a3b9b50a3cd0b3443fcbc176e10c76482ea582 Mon Sep 17 00:00:00 2001 From: claude Date: Sat, 6 Jun 2026 05:07:21 +0000 Subject: [PATCH] docs: remove pipelock references from README, examples, and test docs Pipelock was removed in PR #193. Update the five remaining places where current documentation (README, examples/bottles/claude.md, tests/README.md, docs/ci.md, sidecar_bundle.py comment) still described the old pipelock + cred-proxy topology. --- README.md | 38 ++++++++------------- bot_bottle/backend/docker/sidecar_bundle.py | 3 +- docs/ci.md | 10 +++--- examples/bottles/claude.md | 2 -- tests/README.md | 29 +++++++++------- 5 files changed, 38 insertions(+), 44 deletions(-) diff --git a/README.md b/README.md index 8d5371f..72dd051 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ ## Architecture -A bottle is two containers per agent: an `agent` container, and a `sidecars` container that bundles pipelock + cred-proxy + git-gate + supervise behind a Python init supervisor. They share a per-agent Docker `--internal` network; the agent has no default route off-box. +A bottle is two containers per agent: an `agent` container, and a `sidecars` container that bundles egress + git-gate + supervise behind a Python init supervisor. They share a per-agent Docker `--internal` network; the agent has no default route off-box. ``` host ( ./cli.py ) @@ -36,31 +36,25 @@ A bottle is two containers per agent: an `agent` container, and a `sidecars` con ▼ ┌─────────────────────────── bottle ──────────────────────────────────┐ │ │ - │ ┌──────────────────┐ ┌──────────────┐ │ - │ │ agent image │ HTTP(S) proxy │ cred-proxy │ │ - │ │ (claude-code, │ ─────────────────►│ (strips/inj │ │ - │ │ codex, etc) │ │ Authoriz.) │ │ - │ │ │ └──────┬───────┘ │ - │ │ environ: URLs │ │ │ - │ │ only, no real │ ▼ │ - │ │ tokens │ ┌────────────────┐ │ HTTPS to - │ │ │ │ pipelock image │──────────┼──► allowlisted - │ │ │ │ (TLS bump, DLP │ │ hosts (incl. - │ │ │ │ body scan, │ │ cred-proxy - │ │ │ │ allowlist) │ │ upstreams) - │ │ │ └────────────────┘ │ - │ │ │ │ + │ ┌──────────────────┐ ┌──────────────────────┐ │ + │ │ agent image │ HTTP(S) proxy │ egress image │ │ + │ │ (claude-code, │ ─────────────────►│ (mitmproxy; TLS bump │ │ HTTPS to + │ │ codex, etc) │ │ DLP scan, path │───┼──► allowlisted + │ │ │ │ matching, auth │ │ hosts + │ │ environ: proxy │ │ injection) │ │ + │ │ URLs only, no │ └──────────────────────┘ │ + │ │ real tokens │ │ │ │ │ git proxy ┌────────────────┐ │ SSH push/fetch │ │ │ ────────────────►│ git-gate image │──────────┼──► to bottle.git │ │ │ │ (gitleaks + │ │ upstreams │ └──────────────────┘ │ git daemon) │ │ (direct — not - │ └────────────────┘ │ via pipelock) + │ └────────────────┘ │ via egress) │ │ - │ agent on internal network (no default route); pipelock, │ - │ cred-proxy, and git-gate straddle internal + egress networks. │ - │ pipelock is the single HTTP/HTTPS chokepoint — cred-proxy's │ - │ outbound traverses it too. git-gate's SSH egress is direct │ - │ because pipelock is HTTP-only. │ + │ agent on internal network (no default route); egress and │ + │ git-gate straddle internal + egress networks. │ + │ egress is the single HTTP/HTTPS chokepoint — all agent HTTP/HTTPS │ + │ traffic flows through it. git-gate's SSH egress is direct │ + │ because egress is HTTP-only. │ └─────────────────────────────────────────────────────────────────────┘ ``` @@ -104,8 +98,6 @@ egress: auth: scheme: token token_ref: BOT_BOTTLE_GITEA_TOKEN - pipelock: - ssrf_ip_allowlist: [100.78.141.42/32] --- The `gitea-dev` bottle. Provider auth via the inherited Claude route; diff --git a/bot_bottle/backend/docker/sidecar_bundle.py b/bot_bottle/backend/docker/sidecar_bundle.py index fca0dfe..af3d39e 100644 --- a/bot_bottle/backend/docker/sidecar_bundle.py +++ b/bot_bottle/backend/docker/sidecar_bundle.py @@ -14,8 +14,7 @@ import os # Bundle image. Defaults to a built-locally tag (built from the # repo's Dockerfile.sidecars via compose `build:`). Operators -# pinning to a published digest can override via env, matching -# the existing `BOT_BOTTLE_PIPELOCK_IMAGE` shape. +# pinning to a published digest can override via env. SIDECAR_BUNDLE_IMAGE = os.environ.get( "BOT_BOTTLE_SIDECAR_IMAGE", "bot-bottle-sidecars:latest", diff --git a/docs/ci.md b/docs/ci.md index 448dff8..195b6ab 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -22,7 +22,9 @@ mounted in. That topology breaks two assumptions those tests make: `http://127.0.0.1:` from inside the job time out. The affected tests (`test_orphan_cleanup.test_create_and_remove`, -`test_pipelock_sidecar_smoke.test_smoke`) still run locally where the -test process and Docker daemon share a host. Making them work in CI -is a follow-up: either re-write them to discover container IPs via -`docker inspect`, or reconfigure the runner with host networking. +`test_sidecar_bundle_image.TestSidecarBundleImage`, +`test_sidecar_bundle_compose.TestSidecarBundleCompose`) still run +locally where the test process and Docker daemon share a host. +Making them work in CI is a follow-up: either re-write them to +discover container IPs via `docker inspect`, or reconfigure the +runner with host networking. diff --git a/examples/bottles/claude.md b/examples/bottles/claude.md index 766dfc5..a47037a 100644 --- a/examples/bottles/claude.md +++ b/examples/bottles/claude.md @@ -9,8 +9,6 @@ egress: auth: scheme: Bearer token_ref: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN - pipelock: - tls_passthrough: true --- Common Claude provider boundary. Drop this file into diff --git a/tests/README.md b/tests/README.md index 79d6f9d..c3275d2 100644 --- a/tests/README.md +++ b/tests/README.md @@ -11,16 +11,19 @@ tests/ fixtures.py # JSON manifest builders (shared) _docker.py # docker-availability skip helper (shared) unit/ - test_pipelock_classify.py - test_pipelock_allowlist.py - test_pipelock_yaml.py + test_egress.py + test_egress_addon_core.py + test_manifest_egress.py + test_dlp_detectors.py test_manifest_runtime.py + ... # many others; see unit/ directory integration/ - test_pipelock_sidecar_smoke.py + test_sidecar_bundle_image.py + test_sidecar_bundle_compose.py test_dry_run_plan.py test_orphan_cleanup.py - canaries/ - test_pipelock_image.py # opt-in; see below + ... + canaries/ # opt-in; see below (currently empty) ``` Classification falls out of the directory — no hand-maintained list to @@ -32,7 +35,7 @@ keep in sync. python -m unittest discover -t . -s tests/unit -v # unit only python -m unittest discover -t . -s tests/integration -v # integration only python -m unittest discover -t . -s tests -v # both (recursive) -python -m unittest tests.unit.test_pipelock_yaml # one file +python -m unittest tests.unit.test_manifest_egress # one file ``` Discovery is invoked with `-t .` (top-level dir = repo root) so the @@ -46,18 +49,18 @@ Discovery is invoked with `-t .` (top-level dir = repo root) so the - `test_orphan_cleanup.py` — `network_remove` is idempotent against missing resources, so the EXIT trap can call it unconditionally. - `test_sidecar_bundle_image.py` — builds Dockerfile.sidecars and - probes that pipelock / gitleaks / mitmdump / supervise are all - reachable inside the bundle. + probes that gitleaks / mitmdump / supervise are all reachable + inside the bundle. - `test_sidecar_bundle_compose.py` — end-to-end compose-up of an agent + bundle pair; verifies the agent reaches the bundle via the legacy network aliases. ## Canaries -`tests/canaries/` holds upstream-regression checks (e.g. the pinned -pipelock digest's binary still runs). These are gated on +`tests/canaries/` holds upstream-regression checks gated on `BOT_BOTTLE_RUN_CANARIES=1` and not part of the per-push suite. -They're invoked by the scheduled `canaries` workflow. +They're invoked by the scheduled `canaries` workflow. Currently +no canaries are defined. ```bash BOT_BOTTLE_RUN_CANARIES=1 python -m unittest discover -t . -s tests/canaries -v @@ -67,7 +70,7 @@ BOT_BOTTLE_RUN_CANARIES=1 python -m unittest discover -t . -s tests/canaries -v - `bot_bottle/ssh.py` end-to-end (would need a fake SSH host inside the container). -- A live SSH-through-pipelock tunnel against a real Tailscale-style IP. +- A live SSH-through-git-gate tunnel against a real Tailscale-style IP. - DLP false-positive measurements. - TLS handling / cert pinning behavior.