docs(research): mark credential-proxy note as implemented (agents get placeholders)
The note still described the pre-gateway state as "today" — raw provider tokens env-injected into the agent, readable via printenv — which is no longer true and was actively misleading. Add a dated Status banner and flag the stale "today's wiring" / "recommended path forward" passages: the agent now holds only a placeholder (e.g. CLAUDE_CODE_OAUTH_TOKEN=egress-placeholder) and the real token is injected as the upstream Authorization header by the existing pipelock/mitmproxy egress sidecar (EgressRoute auth_scheme + token_ref, one MITM not two), generalized across Claude/Codex/Pi and git-host tokens. Reasoning preserved per the research-note convention. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LhiafsABCr46bu3oHUm7wa
This commit is contained in:
@@ -15,6 +15,25 @@ the biggest credential risk).
|
|||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
|
> **Status — implemented (2026-07-14).** This note's recommendation
|
||||||
|
> shipped, so the "today" / "in-flight" tenses below are now historical
|
||||||
|
> (kept as the reasoning that led here). Current reality: bot-bottle no
|
||||||
|
> longer injects raw provider tokens into the agent. The agent's environ
|
||||||
|
> carries only a **placeholder** (e.g.
|
||||||
|
> `CLAUDE_CODE_OAUTH_TOKEN=egress-placeholder`); the real token is held
|
||||||
|
> in the egress sidecar and injected as the upstream `Authorization`
|
||||||
|
> header. Rather than adding a *separate* in-container reverse proxy (as
|
||||||
|
> proposed below), credential injection was folded into the **existing
|
||||||
|
> pipelock/mitmproxy egress firewall**: an `EgressRoute` carries
|
||||||
|
> `auth_scheme` + `token_ref`, the host token is forwarded into the
|
||||||
|
> sidecar addon under an `EGRESS_TOKEN_N` slot, and the addon rewrites
|
||||||
|
> `Authorization` on matching routes — **one MITM, not two** (this
|
||||||
|
> resolves the Infisical-doubling concern noted later). The same
|
||||||
|
> mechanism now covers Codex and Pi provider tokens and git-host PATs.
|
||||||
|
> A `printenv` inside the bottle yields the placeholder, not the secret.
|
||||||
|
> For current wiring see `bot_bottle/egress.py` and
|
||||||
|
> `bot_bottle/contrib/*/agent_provider.py`.
|
||||||
|
|
||||||
Today every bot-bottle agent gets `CLAUDE_CODE_OAUTH_TOKEN` (and
|
Today every bot-bottle agent gets `CLAUDE_CODE_OAUTH_TOKEN` (and
|
||||||
any `bottle.env` secrets like a Gitea PAT) injected as env vars,
|
any `bottle.env` secrets like a Gitea PAT) injected as env vars,
|
||||||
which means the agent process can read them with `printenv` or
|
which means the agent process can read them with `printenv` or
|
||||||
@@ -95,7 +114,9 @@ The remaining credible designs reduce to three:
|
|||||||
|
|
||||||
### Anthropic / Claude Code
|
### Anthropic / Claude Code
|
||||||
|
|
||||||
**Today's wiring** (`bot_bottle/cli/start.py`): the host's
|
**Original wiring** (pre-gateway; **superseded 2026-07-14** — see the
|
||||||
|
Status note in the Summary; the token now lives in the egress sidecar
|
||||||
|
and the agent gets a placeholder): the host's
|
||||||
`BOT_BOTTLE_CLAUDE_OAUTH_TOKEN` is forwarded into the bottle as
|
`BOT_BOTTLE_CLAUDE_OAUTH_TOKEN` is forwarded into the bottle as
|
||||||
`CLAUDE_CODE_OAUTH_TOKEN` via `docker run -e CLAUDE_CODE_OAUTH_TOKEN`
|
`CLAUDE_CODE_OAUTH_TOKEN` via `docker run -e CLAUDE_CODE_OAUTH_TOKEN`
|
||||||
(no `=value`, so the value never lands on argv — good). Inside the
|
(no `=value`, so the value never lands on argv — good). Inside the
|
||||||
@@ -332,6 +353,12 @@ exposed.
|
|||||||
|
|
||||||
## Recommended path forward
|
## Recommended path forward
|
||||||
|
|
||||||
|
> **Mostly implemented (2026-07-14).** Steps 1–3 shipped — the token
|
||||||
|
> injection moved into the egress sidecar (folded into pipelock rather
|
||||||
|
> than a standalone reverse proxy) and generalized to Codex/Pi/git-host
|
||||||
|
> tokens. Steps 4–5 (issuance-side scope narrowing, per-route allowlists)
|
||||||
|
> remain good hygiene. See the Status note in the Summary.
|
||||||
|
|
||||||
In priority order:
|
In priority order:
|
||||||
|
|
||||||
1. **In-container reverse proxy holding `CLAUDE_CODE_OAUTH_TOKEN`.**
|
1. **In-container reverse proxy holding `CLAUDE_CODE_OAUTH_TOKEN`.**
|
||||||
|
|||||||
Reference in New Issue
Block a user