docs(research): mark credential-proxy note as implemented (agents get placeholders)
The note still described the pre-gateway state as "today" — raw provider tokens env-injected into the agent, readable via printenv — which is no longer true and was actively misleading. Add a dated Status banner and flag the stale "today's wiring" / "recommended path forward" passages: the agent now holds only a placeholder (e.g. CLAUDE_CODE_OAUTH_TOKEN=egress-placeholder) and the real token is injected as the upstream Authorization header by the existing pipelock/mitmproxy egress sidecar (EgressRoute auth_scheme + token_ref, one MITM not two), generalized across Claude/Codex/Pi and git-host tokens. Reasoning preserved per the research-note convention. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LhiafsABCr46bu3oHUm7wa
This commit is contained in:
@@ -15,6 +15,25 @@ the biggest credential risk).
|
||||
|
||||
## Summary
|
||||
|
||||
> **Status — implemented (2026-07-14).** This note's recommendation
|
||||
> shipped, so the "today" / "in-flight" tenses below are now historical
|
||||
> (kept as the reasoning that led here). Current reality: bot-bottle no
|
||||
> longer injects raw provider tokens into the agent. The agent's environ
|
||||
> carries only a **placeholder** (e.g.
|
||||
> `CLAUDE_CODE_OAUTH_TOKEN=egress-placeholder`); the real token is held
|
||||
> in the egress sidecar and injected as the upstream `Authorization`
|
||||
> header. Rather than adding a *separate* in-container reverse proxy (as
|
||||
> proposed below), credential injection was folded into the **existing
|
||||
> pipelock/mitmproxy egress firewall**: an `EgressRoute` carries
|
||||
> `auth_scheme` + `token_ref`, the host token is forwarded into the
|
||||
> sidecar addon under an `EGRESS_TOKEN_N` slot, and the addon rewrites
|
||||
> `Authorization` on matching routes — **one MITM, not two** (this
|
||||
> resolves the Infisical-doubling concern noted later). The same
|
||||
> mechanism now covers Codex and Pi provider tokens and git-host PATs.
|
||||
> A `printenv` inside the bottle yields the placeholder, not the secret.
|
||||
> For current wiring see `bot_bottle/egress.py` and
|
||||
> `bot_bottle/contrib/*/agent_provider.py`.
|
||||
|
||||
Today every bot-bottle agent gets `CLAUDE_CODE_OAUTH_TOKEN` (and
|
||||
any `bottle.env` secrets like a Gitea PAT) injected as env vars,
|
||||
which means the agent process can read them with `printenv` or
|
||||
@@ -95,7 +114,9 @@ The remaining credible designs reduce to three:
|
||||
|
||||
### Anthropic / Claude Code
|
||||
|
||||
**Today's wiring** (`bot_bottle/cli/start.py`): the host's
|
||||
**Original wiring** (pre-gateway; **superseded 2026-07-14** — see the
|
||||
Status note in the Summary; the token now lives in the egress sidecar
|
||||
and the agent gets a placeholder): the host's
|
||||
`BOT_BOTTLE_CLAUDE_OAUTH_TOKEN` is forwarded into the bottle as
|
||||
`CLAUDE_CODE_OAUTH_TOKEN` via `docker run -e CLAUDE_CODE_OAUTH_TOKEN`
|
||||
(no `=value`, so the value never lands on argv — good). Inside the
|
||||
@@ -332,6 +353,12 @@ exposed.
|
||||
|
||||
## Recommended path forward
|
||||
|
||||
> **Mostly implemented (2026-07-14).** Steps 1–3 shipped — the token
|
||||
> injection moved into the egress sidecar (folded into pipelock rather
|
||||
> than a standalone reverse proxy) and generalized to Codex/Pi/git-host
|
||||
> tokens. Steps 4–5 (issuance-side scope narrowing, per-route allowlists)
|
||||
> remain good hygiene. See the Status note in the Summary.
|
||||
|
||||
In priority order:
|
||||
|
||||
1. **In-container reverse proxy holding `CLAUDE_CODE_OAUTH_TOKEN`.**
|
||||
|
||||
Reference in New Issue
Block a user