From 822cff48ad4ab53929bc251961886aae8fa7fd97 Mon Sep 17 00:00:00 2001 From: didericis Date: Tue, 14 Jul 2026 01:42:05 -0400 Subject: [PATCH] docs(research): mark credential-proxy note as implemented (agents get placeholders) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The note still described the pre-gateway state as "today" — raw provider tokens env-injected into the agent, readable via printenv — which is no longer true and was actively misleading. Add a dated Status banner and flag the stale "today's wiring" / "recommended path forward" passages: the agent now holds only a placeholder (e.g. CLAUDE_CODE_OAUTH_TOKEN=egress-placeholder) and the real token is injected as the upstream Authorization header by the existing pipelock/mitmproxy egress sidecar (EgressRoute auth_scheme + token_ref, one MITM not two), generalized across Claude/Codex/Pi and git-host tokens. Reasoning preserved per the research-note convention. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01LhiafsABCr46bu3oHUm7wa --- .../agent-credential-proxy-landscape.md | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/docs/research/agent-credential-proxy-landscape.md b/docs/research/agent-credential-proxy-landscape.md index 38af5c7..c9a4749 100644 --- a/docs/research/agent-credential-proxy-landscape.md +++ b/docs/research/agent-credential-proxy-landscape.md @@ -15,6 +15,25 @@ the biggest credential risk). ## Summary +> **Status — implemented (2026-07-14).** This note's recommendation +> shipped, so the "today" / "in-flight" tenses below are now historical +> (kept as the reasoning that led here). Current reality: bot-bottle no +> longer injects raw provider tokens into the agent. The agent's environ +> carries only a **placeholder** (e.g. +> `CLAUDE_CODE_OAUTH_TOKEN=egress-placeholder`); the real token is held +> in the egress sidecar and injected as the upstream `Authorization` +> header. Rather than adding a *separate* in-container reverse proxy (as +> proposed below), credential injection was folded into the **existing +> pipelock/mitmproxy egress firewall**: an `EgressRoute` carries +> `auth_scheme` + `token_ref`, the host token is forwarded into the +> sidecar addon under an `EGRESS_TOKEN_N` slot, and the addon rewrites +> `Authorization` on matching routes — **one MITM, not two** (this +> resolves the Infisical-doubling concern noted later). The same +> mechanism now covers Codex and Pi provider tokens and git-host PATs. +> A `printenv` inside the bottle yields the placeholder, not the secret. +> For current wiring see `bot_bottle/egress.py` and +> `bot_bottle/contrib/*/agent_provider.py`. + Today every bot-bottle agent gets `CLAUDE_CODE_OAUTH_TOKEN` (and any `bottle.env` secrets like a Gitea PAT) injected as env vars, which means the agent process can read them with `printenv` or @@ -95,7 +114,9 @@ The remaining credible designs reduce to three: ### Anthropic / Claude Code -**Today's wiring** (`bot_bottle/cli/start.py`): the host's +**Original wiring** (pre-gateway; **superseded 2026-07-14** — see the +Status note in the Summary; the token now lives in the egress sidecar +and the agent gets a placeholder): the host's `BOT_BOTTLE_CLAUDE_OAUTH_TOKEN` is forwarded into the bottle as `CLAUDE_CODE_OAUTH_TOKEN` via `docker run -e CLAUDE_CODE_OAUTH_TOKEN` (no `=value`, so the value never lands on argv — good). Inside the @@ -332,6 +353,12 @@ exposed. ## Recommended path forward +> **Mostly implemented (2026-07-14).** Steps 1–3 shipped — the token +> injection moved into the egress sidecar (folded into pipelock rather +> than a standalone reverse proxy) and generalized to Codex/Pi/git-host +> tokens. Steps 4–5 (issuance-side scope narrowing, per-route allowlists) +> remain good hygiene. See the Status note in the Summary. + In priority order: 1. **In-container reverse proxy holding `CLAUDE_CODE_OAUTH_TOKEN`.**