refactor!: rename project to bot-bottle

Assisted-by: Codex
2026-05-28 17:56:14 -04:00
parent 8875d8cc17
commit c08b09dc9f
200 changed files with 1271 additions and 1271 deletions
@@ -0,0 +1,8 @@
+"""Per-provisioner modules for the Docker backend.
+
+Each module exports one top-level function:
+    provision_<thing>(plan: DockerBottlePlan, target: str) -> ...
+
+`DockerBottleBackend.provision_*` methods delegate to these. The
+abstract `BottleBackend.provision_*` surface is unchanged; this
+subpackage exists only to keep `backend.py` from being a god-file."""
@@ -0,0 +1,103 @@
+"""Install the per-bottle MITM CA into the agent container's trust
+store.
+
+Post-PRD-0017 the CA depends on the agent's HTTP_PROXY target:
+
+  - Bottle declares `egress.routes[]` → agent's HTTP_PROXY
+    points at egress; the cert the agent must trust is the
+    one egress mints leaf certs with (the egress CA).
+  - No egress routes → agent's HTTP_PROXY points straight at
+    pipelock; the cert the agent must trust is pipelock's CA (the
+    pre-cutover behavior).
+
+By the time this provisioner runs, the corresponding `tls_init`
+helper has generated the chosen CA under `plan.stage_dir`, and the
+sidecar (pipelock or egress) is up referencing the
+in-container CA paths.
+
+Cert lands on Debian's standard source path
+(`/usr/local/share/ca-certificates/`); `update-ca-certificates`
+rebuilds `/etc/ssl/certs/ca-certificates.crt`, which is what curl,
+Python `ssl`, and OpenSSL-based tools all read by default. The env
+trio set on the agent's `docker run` covers Node
+(`NODE_EXTRA_CA_CERTS`) and Python `requests` /
+`SSL_CERT_FILE`-honoring libraries that don't load the system
+bundle.
+
+The fingerprint is computed via stdlib (`ssl.PEM_cert_to_DER_cert`
+ `hashlib.sha256`) and logged once to stderr. The private key
+stays on the host (under `stage_dir`) until teardown wipes the
+stage dir; nothing in the agent ever sees it."""
+
+from __future__ import annotations
+
+import hashlib
+import ssl
+import subprocess
+from pathlib import Path
+
+from ....log import info
+from ..bottle_plan import DockerBottlePlan
+
+
+# Debian-family path for sources that `update-ca-certificates` reads.
+# Bundle path is what the command rebuilds and what every standard
+# TLS consumer in the image reads.
+AGENT_CA_PATH = "/usr/local/share/ca-certificates/bot-bottle-mitm-ca.crt"
+AGENT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
+
+
+def _select_ca_cert(plan: DockerBottlePlan) -> tuple[Path, str]:
+    """Pick the CA cert (and a short label for the log line) that
+    matches the proxy the agent's HTTP_PROXY points at. Egress-proxy
+    wins when the bottle declares any routes (it sits in front of
+    pipelock); else pipelock."""
+    if plan.egress_plan.routes:
+        cert = plan.egress_plan.mitmproxy_ca_cert_only_host_path
+        if cert == Path() or not cert.is_file():
+            from ....log import die
+            die(
+                f"egress CA cert missing at {cert or '(empty)'}; "
+                f"launch must have called egress_tls_init and "
+                f"re-bound the plan before provision"
+            )
+        return cert, "egress"
+    cert = plan.proxy_plan.ca_cert_host_path
+    if not cert or not cert.is_file():
+        from ....log import die
+        die(
+            f"pipelock CA cert missing at {cert or '(empty)'}; "
+            f"launch must have called pipelock_tls_init and re-bound "
+            f"the plan before provision"
+        )
+    return cert, "pipelock"
+
+
+def provision_ca(plan: DockerBottlePlan, target: str) -> None:
+    """Copy the agent-facing CA cert into the agent, rebuild the
+    trust bundle, emit a one-line fingerprint log. Called from
+    `BottleBackend.provision` after the agent container is up."""
+    container = target
+    cert_host_path, label = _select_ca_cert(plan)
+
+    subprocess.run(
+        ["docker", "cp", str(cert_host_path), f"{container}:{AGENT_CA_PATH}"],
+        stdout=subprocess.DEVNULL,
+        check=True,
+    )
+    subprocess.run(
+        ["docker", "exec", "-u", "0", container, "chmod", "644", AGENT_CA_PATH],
+        stdout=subprocess.DEVNULL,
+        check=True,
+    )
+    subprocess.run(
+        ["docker", "exec", "-u", "0", container, "update-ca-certificates"],
+        stdout=subprocess.DEVNULL,
+        check=True,
+    )
+
+    # Stdlib SHA-256 of the cert's DER bytes — the standard
+    # fingerprint form. Never the private key.
+    der = ssl.PEM_cert_to_DER_cert(cert_host_path.read_text())
+    fingerprint = hashlib.sha256(der).hexdigest()
+    info(f"{label} ca fingerprint: sha256:{fingerprint[:32]}...")
@@ -0,0 +1,121 @@
+"""Git provisioning inside a running Docker bottle.
+
+Three concerns, all about git in the agent:
+
+  1. If --cwd was passed AND the host cwd has a .git, copy that .git
+     into /home/node/workspace/.git so the agent operates on the
+     user's repo.
+  2. If the bottle declares `git` entries (PRD 0008), write a
+     ~/.gitconfig with insteadOf rules so every git operation
+     against a declared upstream (push, fetch, clone, pull,
+     ls-remote) transparently hits the per-agent git-gate. The
+     gate mirrors the upstream in both directions, so URL
+     rewriting is symmetric.
+  3. If the bottle declares `git.user` (issue #86), set
+     `git config --global user.{name,email}` inside the bottle so
+     the agent's commits are attributed to that identity.
+"""
+
+from __future__ import annotations
+
+import os
+import subprocess
+from pathlib import Path
+
+from ....git_gate import GIT_GATE_HOSTNAME, git_gate_render_gitconfig
+from ....log import info
+from .. import util as docker_mod
+from ..bottle_plan import DockerBottlePlan
+
+
+def provision_git(plan: DockerBottlePlan, target: str) -> None:
+    """Set up git inside the bottle. Runs all three subcases; each
+    no-ops when its condition isn't met."""
+    _provision_cwd_git(plan, target)
+    _provision_git_gate_config(plan, target)
+    _provision_git_user(plan, target)
+
+
+def _provision_cwd_git(plan: DockerBottlePlan, target: str) -> None:
+    """If --cwd was set and the host cwd has a .git directory, copy
+    it into /home/node/workspace/.git and fix ownership. No-op
+    otherwise."""
+    if not (plan.spec.copy_cwd and Path(plan.spec.user_cwd, ".git").is_dir()):
+        return
+    container = target
+    info(f"copying {plan.spec.user_cwd}/.git -> {container}:/home/node/workspace/.git")
+    subprocess.run(
+        ["docker", "cp", f"{plan.spec.user_cwd}/.git", f"{container}:/home/node/workspace/.git"],
+        stdout=subprocess.DEVNULL,
+        check=True,
+    )
+    subprocess.run(
+        [
+            "docker", "exec", "-u", "0", container,
+            "chown", "-R", "node:node", "/home/node/workspace/.git",
+        ],
+        stdout=subprocess.DEVNULL,
+        check=True,
+    )
+
+
+def _provision_git_gate_config(plan: DockerBottlePlan, target: str) -> None:
+    """Write ~/.gitconfig in the bottle with the git-gate
+    insteadOf rules. No-op when the bottle has no `git` entries."""
+    bottle = plan.spec.manifest.bottle_for(plan.spec.agent_name)
+    if not bottle.git:
+        return
+    container = target
+    container_home = os.environ.get("BOT_BOTTLE_CONTAINER_HOME", "/home/node")
+    container_gitconfig = f"{container_home}/.gitconfig"
+
+    content = git_gate_render_gitconfig(bottle.git, GIT_GATE_HOSTNAME)
+    config_file = plan.stage_dir / "agent_gitconfig"
+    config_file.write_text(content)
+    config_file.chmod(0o600)
+
+    info(f"writing {container_gitconfig} with {len(bottle.git)} insteadOf rule(s)")
+    subprocess.run(
+        ["docker", "cp", str(config_file), f"{container}:{container_gitconfig}"],
+        stdout=subprocess.DEVNULL,
+        check=True,
+    )
+    docker_mod.docker_exec_root(container, ["chown", "node:node", container_gitconfig])
+    docker_mod.docker_exec_root(container, ["chmod", "644", container_gitconfig])
+
+
+def _provision_git_user(plan: DockerBottlePlan, target: str) -> None:
+    """Apply `git config --global user.{name,email}` inside the
+    bottle so the agent's commits are attributed to the operator-
+    chosen identity instead of the agent image's default
+    (which is no user — git would refuse to commit at all
+    until the agent ran its own `git config`).
+
+    Runs as the `node` user so `--global` lands in
+    `/home/node/.gitconfig` (matching the existing
+    `_provision_git_gate_config` write location). No-op when the
+    bottle didn't declare `git.user`.
+
+    Each field set independently — name-only or email-only
+    configs only run the `git config` line for the field
+    present."""
+    bottle = plan.spec.manifest.bottle_for(plan.spec.agent_name)
+    gu = bottle.git_user
+    if gu.is_empty():
+        return
+    if gu.name:
+        info(f"git config --global user.name = {gu.name!r}")
+        subprocess.run(
+            ["docker", "exec", "-u", "node", target,
+             "git", "config", "--global", "user.name", gu.name],
+            stdout=subprocess.DEVNULL,
+            check=True,
+        )
+    if gu.email:
+        info(f"git config --global user.email = {gu.email!r}")
+        subprocess.run(
+            ["docker", "exec", "-u", "node", target,
+             "git", "config", "--global", "user.email", gu.email],
+            stdout=subprocess.DEVNULL,
+            check=True,
+        )
@@ -0,0 +1,43 @@
+"""Copy the agent prompt into a running Docker bottle.
+
+The prompt file is always copied (so the in-container path always
+exists) but `--append-system-prompt-file` only fires when the agent
+actually has a prompt — the return value signals which case."""
+
+from __future__ import annotations
+
+import os
+import subprocess
+
+from ..bottle_plan import DockerBottlePlan
+
+
+def provision_prompt(plan: DockerBottlePlan, target: str) -> str | None:
+    """Copy the prompt file into the container, fix ownership/mode.
+    Returns the in-container path if the agent has a non-empty
+    prompt (drives --append-system-prompt-file), else None. The
+    file is copied either way so the path always exists."""
+    container = target
+    container_home = os.environ.get("BOT_BOTTLE_CONTAINER_HOME", "/home/node")
+    in_container_prompt_path = f"{container_home}/.bot-bottle-prompt.txt"
+
+    subprocess.run(
+        ["docker", "cp", str(plan.prompt_file), f"{container}:{in_container_prompt_path}"],
+        stdout=subprocess.DEVNULL,
+        check=True,
+    )
+    # `docker cp` preserves host UID; re-own/mode as root so node
+    # can read its own mode-600 prompt regardless of host UID.
+    subprocess.run(
+        ["docker", "exec", "-u", "0", container, "chown", "node:node", in_container_prompt_path],
+        stdout=subprocess.DEVNULL,
+        check=True,
+    )
+    subprocess.run(
+        ["docker", "exec", "-u", "0", container, "chmod", "600", in_container_prompt_path],
+        stdout=subprocess.DEVNULL,
+        check=True,
+    )
+
+    agent = plan.spec.manifest.agents[plan.spec.agent_name]
+    return in_container_prompt_path if agent.prompt else None
@@ -0,0 +1,62 @@
+"""Copy host-side skill directories into a running Docker bottle.
+
+Skills are validated on the host before launch by the base class's
+`BottleBackend._validate_skills` (called from `prepare`); this module
+assumes that validation has already run. A skill disappearing between
+validation and copy still dies loudly rather than silently producing
+a partial container."""
+
+from __future__ import annotations
+
+import os
+import subprocess
+
+from ....log import die, info
+from ...util import host_skill_dir
+from ..bottle_plan import DockerBottlePlan
+
+
+def provision_skills(plan: DockerBottlePlan, target: str) -> None:
+    """Copy each of the agent's named skills from the host's
+    ~/.claude/skills/<name>/ into the container's equivalent path.
+    For each skill: ensure parent dir, wipe any prior copy, then
+    `docker cp <host>/. <container>:<dst>/` so the contents are
+    copied into a freshly-created destination dir. No-op when the
+    agent has no skills."""
+    agent = plan.spec.manifest.agents[plan.spec.agent_name]
+    if not agent.skills:
+        return
+
+    container = target
+    container_home = os.environ.get("BOT_BOTTLE_CONTAINER_HOME", "/home/node")
+    skills_dir = os.environ.get(
+        "BOT_BOTTLE_CONTAINER_SKILLS_DIR", f"{container_home}/.claude/skills"
+    )
+
+    subprocess.run(
+        ["docker", "exec", container, "mkdir", "-p", skills_dir],
+        stdout=subprocess.DEVNULL,
+        check=True,
+    )
+
+    for n in agent.skills:
+        src = host_skill_dir(n)
+        if not os.path.isdir(src):
+            die(f"skill '{n}' disappeared from host between validation and copy at {src}.")
+        dst = f"{skills_dir}/{n}"
+        info(f"copying skill {n} into {container}:{dst}")
+        subprocess.run(
+            ["docker", "exec", container, "rm", "-rf", dst],
+            stdout=subprocess.DEVNULL,
+            check=True,
+        )
+        subprocess.run(
+            ["docker", "exec", container, "mkdir", "-p", dst],
+            stdout=subprocess.DEVNULL,
+            check=True,
+        )
+        subprocess.run(
+            ["docker", "cp", f"{src}/.", f"{container}:{dst}/"],
+            stdout=subprocess.DEVNULL,
+            check=True,
+        )
@@ -0,0 +1,65 @@
+"""Supervise sidecar provisioning inside a running Docker bottle
+(PRD 0013).
+
+Registers the per-bottle supervise sidecar as an HTTP MCP server in
+the agent's claude-code config so the agent discovers the three
+stuck-recovery MCP tools (cred-proxy-block, pipelock-block,
+capability-block) at startup.
+
+Uses `claude mcp add` rather than writing JSON directly. claude-code
+owns the on-disk config format (`~/.claude.json` `mcpServers` shape,
+field names, scope semantics) and changes it between versions; the
+official command handles whatever the installed version expects.
+
+No-op when bottle.supervise is False — bottles that haven't opted
+into the supervise sidecar shouldn't get an MCP entry pointing at a
+sidecar that isn't running.
+"""
+
+from __future__ import annotations
+
+import subprocess
+
+from ....log import info, warn
+from ....supervise import SUPERVISE_HOSTNAME, SUPERVISE_PORT
+from ..bottle_plan import DockerBottlePlan
+
+
+_SUPERVISE_MCP_NAME = "supervise"
+
+
+def supervise_mcp_url() -> str:
+    return f"http://{SUPERVISE_HOSTNAME}:{SUPERVISE_PORT}/"
+
+
+def provision_supervise(plan: DockerBottlePlan, target: str) -> None:
+    """Run `claude mcp add` inside the agent container to register
+    the supervise sidecar in claude-code's user config. No-op when
+    bottle.supervise is False.
+
+    Failure is logged but not fatal: the bottle still works (you
+    just can't call supervise tools from the agent until the entry
+    is added manually). The operator sees the warning at launch."""
+    if plan.supervise_plan is None:
+        return
+    url = supervise_mcp_url()
+    argv = [
+        "docker", "exec", "-u", "node", target,
+        "claude", "mcp", "add",
+        "--scope", "user",
+        "--transport", "http",
+        _SUPERVISE_MCP_NAME,
+        url,
+    ]
+    info(f"registering supervise MCP server in agent claude config → {url}")
+    r = subprocess.run(argv, capture_output=True, text=True, check=False)
+    if r.returncode != 0:
+        warn(
+            f"`claude mcp add supervise` failed (exit {r.returncode}): "
+            f"{(r.stderr or r.stdout or '').strip()}. Inside the bottle, "
+            f"register manually with: "
+            f"claude mcp add --scope user --transport http supervise {url}"
+        )
+
+
+__all__ = ["provision_supervise", "supervise_mcp_url"]