feat(smolmachines): PRD 0022 sandbox-escape suite green under smolmachines (PRD 0023 chunk 5)
test / unit (pull_request) Successful in 26s
test / integration (pull_request) Successful in 41s

Final PRD 0023 chunk. The PRD 0022 attack suite was already
backend-agnostic — it goes through get_bottle_backend(), so the
right dispatch happens based on CLAUDE_BOTTLE_BACKEND. Two
cleanups to make it actually run cleanly under
CLAUDE_BOTTLE_BACKEND=smolmachines:

- setUpClass raises unittest.SkipTest with a useful message when
  CLAUDE_BOTTLE_BACKEND=smolmachines but smolvm isn't on PATH, or
  when the host isn't macOS (libkrun + TSI single-IP allowlist is
  macOS-only in v1). Without this, the test would die deep inside
  backend.prepare's smolmachines_preflight rather than skipping.

- test_5_readme_push_blocked switches from a hardcoded
  `git://git-gate/...` remote URL (only resolvable on docker via
  the bundle's short alias) to the bottle's declared upstream URL
  (`ssh://git@unreachable.invalid:22/throwaway.git`). The agent's
  ~/.gitconfig insteadOf rewrite — set up by provision_git on both
  backends — transparently redirects to the gate, so the same test
  exercises docker's `git://git-gate/...` and smolmachines's
  `git://<bundle_ip>:9418/...` URLs without branching on backend.

README gets a "Backend selection" subsection under Quickstart
documenting CLAUDE_BOTTLE_BACKEND, the macOS-only v1 scope for
smolmachines, and the `curl -sSL .../install.sh | sh` install
prerequisite — per PRD 0023's acceptance criteria.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 14:31:27 -04:00
parent ac8c7ba696
commit 78345b5343
2 changed files with 49 additions and 3 deletions
@@ -190,6 +190,27 @@ The container is removed automatically when the session ends. If the script
is killed with SIGKILL the exit trap won't fire and the container may be
left running; remove it with `docker rm -f <container-name>`.
### Backend selection
The default backend uses Docker for both the agent and the sidecar
bundle. An experimental smolmachines backend runs the agent in a
[smolvm](https://smolmachines.com) micro-VM (libkrun on macOS) and
keeps the sidecar bundle in Docker:
```sh
CLAUDE_BOTTLE_BACKEND=smolmachines ./cli.py start <agent>
```
The smolmachines backend is **macOS-only in v1** (libkrun + TSI
single-IP allowlisting) and requires `smolvm` on PATH:
```sh
curl -sSL https://smolmachines.com/install.sh | sh
```
The integration tests run against whichever backend the env var
selects and skip cleanly when its prerequisites are missing.
## Manifest
Bottles and agents live as Markdown files with YAML frontmatter under
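Review bot: the prerequisite line `curl -sSL https://smolmachines.com/install.sh | sh` tells the reader to execute a remote script as their user without any way to check what they are running; the README should at least advise downloading the script to a file and inspecting it (or comparing it against a checksum the project publishes) before running it, instead of piping it straight into `sh`. Two smaller gaps in the same block: "keeps the sidecar bundle in Docker" means the smolmachines backend still needs a working Docker daemon in addition to `smolvm`, so the prerequisites sentence should name both; and since "requires `smolvm` on PATH" is also the condition under which the integration tests skip, a one-line check such as `command -v smolvm` beside the install command would let users confirm the backend is usable before they run `./cli.py start` or the tests.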