refactor!: rename project to bot-bottle

Assisted-by: Codex
2026-05-28 17:56:14 -04:00
parent 8875d8cc17
commit c08b09dc9f
200 changed files with 1271 additions and 1271 deletions
@@ -0,0 +1,14 @@
+"""Provisioning helpers for the smolmachines backend (PRD 0023
+chunk 4).
+
+Each method maps onto one of `BottleBackend`'s `provision_*`
+overrides. They run after the VM is up + the bundle is reachable
+and copy host-side state (prompt, skills, .git, CA cert,
+supervise MCP config) into the guest via `smolvm machine cp` /
+`smolvm machine exec`.
+
+Chunk 4a ships `provision_prompt` and `provision_skills` — the
+two that don't depend on agent-image tooling (claude-code,
+update-ca-certificates) beyond `cp` and `mkdir`. provision_ca /
+provision_git / provision_supervise land once the agent-image
+gap is solved."""
@@ -0,0 +1,104 @@
+"""Install the per-bottle MITM CA into the smolmachines guest's
+trust store (PRD 0023 chunk 4d).
+
+Mirrors `backend.docker.provision.ca`: select the right CA (egress
+when the bottle has routes, else pipelock), `smolvm machine cp` it
+to Debian's `/usr/local/share/ca-certificates/` path,
+`update-ca-certificates` to rebuild the trust bundle, and log the
+fingerprint once. The selected cert depends on the agent's
+HTTP_PROXY target — same logic as the docker backend, since the
+agent dials the same daemons through the same bundle.
+
+`smolvm machine exec` runs commands as root in the VM (no `-u`
+flag exists; the VM init is root), so we don't need the explicit
+`-u 0` the docker backend uses on its `docker exec` calls."""
+
+from __future__ import annotations
+
+import hashlib
+import ssl
+from pathlib import Path
+
+from ....log import die, info
+from ...docker.provision.ca import AGENT_CA_BUNDLE, AGENT_CA_PATH
+from .. import smolvm as _smolvm
+from ..bottle_plan import SmolmachinesBottlePlan
+
+
+def _select_ca_cert(plan: SmolmachinesBottlePlan) -> tuple[Path, str]:
+    """Pick the CA cert (and a short label for the log line) that
+    matches the proxy the agent's HTTP_PROXY points at. Egress-proxy
+    wins when the bottle declares any routes; else pipelock.
+
+    The launch step minted both CAs (pipelock always; egress when
+    routes are declared) and stored their host paths back into the
+    inner Plans via `dataclasses.replace`. If those paths are empty
+    here something has gone wrong in launch's bringup."""
+    if plan.egress_plan.routes:
+        cert = plan.egress_plan.mitmproxy_ca_cert_only_host_path
+        if cert == Path() or not cert.is_file():
+            die(
+                f"egress CA cert missing at {cert or '(empty)'}; "
+                f"launch must have called egress_tls_init and "
+                f"re-bound the plan before provision"
+            )
+        return cert, "egress"
+    cert = plan.proxy_plan.ca_cert_host_path
+    if not cert or not cert.is_file():
+        die(
+            f"pipelock CA cert missing at {cert or '(empty)'}; "
+            f"launch must have called pipelock_tls_init and re-bound "
+            f"the plan before provision"
+        )
+    return cert, "pipelock"
+
+
+def provision_ca(plan: SmolmachinesBottlePlan, target: str) -> None:
+    """Copy the agent-facing CA cert into the guest, rebuild the
+    trust bundle, emit a one-line fingerprint log. Called from
+    `BottleBackend.provision` after the smolvm guest is up."""
+    cert_host_path, label = _select_ca_cert(plan)
+
+    _smolvm.machine_cp(str(cert_host_path), f"{target}:{AGENT_CA_PATH}")
+    # Mode 0644 — readable to non-root tools in the guest.
+    # update-ca-certificates rebuilds the bundle at AGENT_CA_BUNDLE,
+    # which is what curl / Python ssl / OpenSSL-based tools read by
+    # default. The env trio (NODE_EXTRA_CA_CERTS / SSL_CERT_FILE /
+    # REQUESTS_CA_BUNDLE) on the guest_env covers Node + Python
+    # `requests` / libraries that don't load the system bundle.
+    #
+    # chown + chmod + update-ca-certificates run in one
+    # `sh -c` so we only pay one machine_exec round trip; the
+    # `&&` chaining surfaces the first failure as the return
+    # code.
+    r = _smolvm.machine_exec(target, [
+        "sh", "-c",
+        f"chown root:root {AGENT_CA_PATH} && "
+        f"chmod 644 {AGENT_CA_PATH} && "
+        f"update-ca-certificates",
+    ])
+    if r.returncode != 0 or "1 added" not in (r.stdout or ""):
+        # update-ca-certificates not adding our cert is fatal —
+        # claude-code's TLS handshake against the egress-MITM'd
+        # api.anthropic.com would fail downstream. Bail early
+        # with what we can see (output is captured by smolvm so
+        # we can surface it).
+        die(
+            f"update-ca-certificates didn't add the agent CA "
+            f"(exit {r.returncode}): "
+            f"stdout={(r.stdout or '').strip()!r} "
+            f"stderr={(r.stderr or '').strip()!r}"
+        )
+
+    # Stdlib SHA-256 of the cert's DER bytes — the standard
+    # fingerprint form. Never the private key.
+    der = ssl.PEM_cert_to_DER_cert(cert_host_path.read_text())
+    fingerprint = hashlib.sha256(der).hexdigest()
+    info(f"{label} ca fingerprint: sha256:{fingerprint[:32]}...")
+
+
+# Re-exported for the launch/provision_ca caller + tests. The path
+# constants come from the docker module because they're tied to
+# Debian's `update-ca-certificates` layout — same in both backends
+# since both guest images are Debian-family.
+__all__ = ["AGENT_CA_BUNDLE", "AGENT_CA_PATH", "provision_ca"]
@@ -0,0 +1,141 @@
+"""Git provisioning inside a running smolmachines bottle
+(PRD 0023 chunk 4d).
+
+Three concerns, all about git in the agent:
+
+  1. If --cwd was passed AND the host cwd has a .git, copy that
+     .git into /home/node/workspace/.git so the agent operates on
+     the user's repo.
+  2. If the bottle declares `git` entries (PRD 0008), write a
+     ~/.gitconfig with insteadOf rules so every git operation
+     against a declared upstream transparently hits the per-bottle
+     git-gate. The gate mirrors the upstream in both directions,
+     so URL rewriting is symmetric.
+  3. If the bottle declares `git.user` (issue #86), set
+     `git config --global user.{name,email}` inside the guest so
+     the agent's commits are attributed to that identity.
+
+Differs from `backend.docker.provision.git` in one address detail:
+the TSI-allowlisted guest can only reach the bundle's pinned IP
+(no DNS resolver in the /32 allowlist), so the insteadOf URLs
+are `git://<bundle_ip>:<port>/<name>.git` rather than the
+docker backend's `git://git-gate/<name>.git`. The render itself
+is the shared `git_gate_render_gitconfig` on the platform-neutral
+git_gate module."""
+
+from __future__ import annotations
+
+import os
+import tempfile
+from pathlib import Path
+
+from ....git_gate import git_gate_render_gitconfig
+from ....log import info
+from .. import smolvm as _smolvm
+from ..bottle_plan import SmolmachinesBottlePlan
+
+
+# `node` is the agent user from the repo Dockerfile. Override via
+# BOT_BOTTLE_GUEST_HOME mirrors the docker backend's
+# BOT_BOTTLE_CONTAINER_HOME knob — same purpose, different
+# transport.
+_DEFAULT_GUEST_HOME = "/home/node"
+
+
+def _guest_home() -> str:
+    return os.environ.get("BOT_BOTTLE_GUEST_HOME", _DEFAULT_GUEST_HOME)
+
+
+def provision_git(plan: SmolmachinesBottlePlan, target: str) -> None:
+    """Set up git inside the guest. Runs all three subcases; each
+    no-ops when its condition isn't met."""
+    _provision_cwd_git(plan, target)
+    _provision_git_gate_config(plan, target)
+    _provision_git_user(plan, target)
+
+
+def _provision_cwd_git(plan: SmolmachinesBottlePlan, target: str) -> None:
+    """If --cwd was set and the host cwd has a .git directory, copy
+    it into <guest_home>/workspace/.git and fix ownership. No-op
+    otherwise."""
+    if not (plan.spec.copy_cwd and Path(plan.spec.user_cwd, ".git").is_dir()):
+        return
+    guest_workspace_git = f"{_guest_home()}/workspace/.git"
+    info(f"copying {plan.spec.user_cwd}/.git -> {target}:{guest_workspace_git}")
+    # mkdir -p the workspace dir so `machine cp` lands the .git
+    # directly there even on first-time bottles.
+    _smolvm.machine_exec(target, ["mkdir", "-p", f"{_guest_home()}/workspace"])
+    _smolvm.machine_cp(
+        f"{plan.spec.user_cwd}/.git", f"{target}:{guest_workspace_git}",
+    )
+    # `machine cp` lands files as root; the agent runs as node so
+    # the workspace tree must be chowned over.
+    _smolvm.machine_exec(
+        target, ["chown", "-R", "node:node", guest_workspace_git],
+    )
+
+
+def _provision_git_gate_config(plan: SmolmachinesBottlePlan, target: str) -> None:
+    """Write ~/.gitconfig in the guest with the git-gate insteadOf
+    rules. No-op when the bottle has no `git` entries."""
+    bottle = plan.spec.manifest.bottle_for(plan.spec.agent_name)
+    if not bottle.git:
+        return
+
+    # `127.0.0.1:<host port>` form: the bundle's git-gate port
+    # is published on host loopback at launch time so the
+    # smolvm guest (which can only reach macOS networking via
+    # TSI, not the docker bridge IP) can dial it. launch.py
+    # populates `plan.agent_git_gate_host` after bundle bringup.
+    content = git_gate_render_gitconfig(bottle.git, plan.agent_git_gate_host)
+
+    guest_gitconfig = f"{_guest_home()}/.gitconfig"
+    # Stage the file under the plan's stage_dir so `machine cp`
+    # has a stable host path. The plan's stage_dir is cleaned up
+    # by start.py's session-end teardown.
+    with tempfile.NamedTemporaryFile(
+        "w", dir=str(plan.stage_dir), prefix="gitconfig.",
+        delete=False,
+    ) as f:
+        f.write(content)
+        config_file = Path(f.name)
+    os.chmod(config_file, 0o600)
+
+    info(f"writing {guest_gitconfig} with {len(bottle.git)} insteadOf rule(s)")
+    _smolvm.machine_cp(str(config_file), f"{target}:{guest_gitconfig}")
+    _smolvm.machine_exec(target, ["chown", "node:node", guest_gitconfig])
+    _smolvm.machine_exec(target, ["chmod", "644", guest_gitconfig])
+
+
+def _provision_git_user(
+    plan: SmolmachinesBottlePlan, target: str,
+) -> None:
+    """Apply `git config --global user.{name,email}` inside the
+    guest as the node user so --global lands in the same
+    `/home/node/.gitconfig` that `_provision_git_gate_config`
+    writes to. No-op when the bottle didn't declare `git.user`.
+
+    Runs via `runuser -u node --`; HOME is forced via smolvm's
+    `-e` flag because runuser (without -l) inherits root's
+    HOME=/root, which would put --global in the wrong file."""
+    bottle = plan.spec.manifest.bottle_for(plan.spec.agent_name)
+    gu = bottle.git_user
+    if gu.is_empty():
+        return
+    env = {"HOME": _guest_home(), "USER": "node"}
+    if gu.name:
+        info(f"git config --global user.name = {gu.name!r}")
+        _smolvm.machine_exec(
+            target,
+            ["runuser", "-u", "node", "--",
+             "git", "config", "--global", "user.name", gu.name],
+            env=env,
+        )
+    if gu.email:
+        info(f"git config --global user.email = {gu.email!r}")
+        _smolvm.machine_exec(
+            target,
+            ["runuser", "-u", "node", "--",
+             "git", "config", "--global", "user.email", gu.email],
+            env=env,
+        )
@@ -0,0 +1,42 @@
+"""Copy the agent prompt into a running smolmachines bottle.
+
+The prompt file is always copied (so the in-guest path always
+exists) but `--append-system-prompt-file` only fires when the
+agent actually has a prompt — the return value signals which
+case, mirroring the docker backend's contract.
+
+`smolvm machine cp` lands files as root inside the VM; the claude
+process runs as `node`, so we chown + chmod the prompt after the
+copy. Same flow as the docker backend's provision_prompt."""
+
+from __future__ import annotations
+
+import os
+
+from .. import smolvm as _smolvm
+from ..bottle_plan import SmolmachinesBottlePlan
+
+
+# `node` is the agent user from the repo Dockerfile.
+# BOT_BOTTLE_GUEST_HOME mirrors the docker backend's
+# BOT_BOTTLE_CONTAINER_HOME knob.
+_DEFAULT_GUEST_HOME = "/home/node"
+
+
+def provision_prompt(plan: SmolmachinesBottlePlan, target: str) -> str | None:
+    """Copy the prompt file into the running smolvm guest, fix
+    ownership/mode. Returns the in-guest path if the agent has a
+    non-empty prompt (drives --append-system-prompt-file), else
+    None. The file is copied either way so the path always
+    exists — mirrors the docker backend's behavior."""
+    guest_home = os.environ.get("BOT_BOTTLE_GUEST_HOME", _DEFAULT_GUEST_HOME)
+    in_guest_prompt_path = f"{guest_home}/.bot-bottle-prompt.txt"
+
+    _smolvm.machine_cp(str(plan.prompt_file), f"{target}:{in_guest_prompt_path}")
+    # machine cp lands as root, source's 0o600 mode is preserved —
+    # node can't read its own prompt without these two.
+    _smolvm.machine_exec(target, ["chown", "node:node", in_guest_prompt_path])
+    _smolvm.machine_exec(target, ["chmod", "600", in_guest_prompt_path])
+
+    agent = plan.spec.manifest.agents[plan.spec.agent_name]
+    return in_guest_prompt_path if agent.prompt else None
@@ -0,0 +1,63 @@
+"""Copy host-side skill directories into a running smolmachines
+bottle.
+
+Skills are validated on the host before launch by
+`BottleBackend._validate_skills`; this module assumes that
+validation has already run. A skill that disappears between
+validation and copy still dies loudly rather than silently
+producing a partial guest."""
+
+from __future__ import annotations
+
+import os
+
+from ....log import die, info
+from ...util import host_skill_dir
+from .. import smolvm as _smolvm
+from ..bottle_plan import SmolmachinesBottlePlan
+
+
+# In-guest path mirrors the docker backend's claude-skills
+# convention (~/.claude/skills/<name>/) under the node user's
+# home — same path as the real bot-bottle image's
+# /home/node/.claude/skills (pre-created in the Dockerfile).
+_DEFAULT_SKILLS_DIR = "/home/node/.claude/skills"
+
+
+def provision_skills(plan: SmolmachinesBottlePlan, target: str) -> None:
+    """Copy each of the agent's named skills from the host's
+    ~/.claude/skills/<name>/ into the guest's equivalent path.
+    For each skill: `mkdir -p` the destination, `smolvm machine cp`
+    the host source dir over, then chown the result to node:node so
+    the agent can read it. No-op when the agent has no skills.
+
+    smolvm machine cp on a directory copies recursively (same
+    semantics as `cp -r`); unlike docker cp's trailing-slash
+    convention, smolvm doesn't need the `/.` suffix dance.
+
+    machine cp lands files as root inside the VM, so we chown each
+    skill tree over to node:node after the copy — same pattern as
+    the docker backend's provision_prompt."""
+    agent = plan.spec.manifest.agents[plan.spec.agent_name]
+    if not agent.skills:
+        return
+
+    skills_dir = os.environ.get(
+        "BOT_BOTTLE_GUEST_SKILLS_DIR", _DEFAULT_SKILLS_DIR,
+    )
+
+    _smolvm.machine_exec(target, ["mkdir", "-p", skills_dir])
+
+    for name in agent.skills:
+        src = host_skill_dir(name)
+        if not os.path.isdir(src):
+            die(
+                f"skill {name!r} disappeared from host between "
+                f"validation and copy at {src}."
+            )
+        dst = f"{skills_dir}/{name}"
+        info(f"copying skill {name} into {target}:{dst}")
+        # Wipe any prior copy so re-runs don't accumulate.
+        _smolvm.machine_exec(target, ["rm", "-rf", dst])
+        _smolvm.machine_cp(src, f"{target}:{dst}")
+        _smolvm.machine_exec(target, ["chown", "-R", "node:node", dst])
@@ -0,0 +1,67 @@
+"""Supervise sidecar provisioning inside a running smolmachines
+bottle (PRD 0023 chunk 4d; PRD 0013 supervise plane).
+
+Registers the per-bottle supervise sidecar as an HTTP MCP server
+in the agent's claude-code config so the agent discovers the
+stuck-recovery MCP tools (pipelock-block, capability-block) at
+startup.
+
+Mirrors `backend.docker.provision.supervise` — same `claude mcp
+add` call, just dispatched via `smolvm machine exec` instead of
+`docker exec`, and against `<bundle_ip>:<port>` instead of the
+short `supervise` alias (no DNS in the TSI-allowlisted guest)."""
+
+from __future__ import annotations
+
+from ....log import info, warn
+from .. import smolvm as _smolvm
+from ..bottle_plan import SmolmachinesBottlePlan
+
+
+_SUPERVISE_MCP_NAME = "supervise"
+
+
+def provision_supervise(plan: SmolmachinesBottlePlan, target: str) -> None:
+    """Run `claude mcp add` inside the guest to register the
+    supervise sidecar in claude-code's user config. No-op when
+    bottle.supervise is False.
+
+    The URL is the agent-side endpoint launch.py populated after
+    bundle bringup — `http://127.0.0.1:<host port>/` rather than
+    the bundle's docker bridge IP, because that bridge isn't
+    reachable from the smolvm guest on macOS.
+
+    Failure is logged but not fatal: the bottle still works (you
+    just can't call supervise tools from the agent until the entry
+    is added manually). The operator sees the warning at launch."""
+    if plan.supervise_plan is None:
+        return
+    url = plan.agent_supervise_url
+    info(f"registering supervise MCP server in agent claude config → {url}")
+    # `claude mcp add --scope user` writes to ~/.claude.json. The
+    # agent is the `node` user; smolvm machine_exec runs as root
+    # by default, so we have to switch user explicitly and set
+    # HOME so the config lands in /home/node/.claude.json (where
+    # the agent's claude actually reads it from).
+    r = _smolvm.machine_exec(
+        target,
+        [
+            "runuser", "-u", "node", "--",
+            "env", "HOME=/home/node",
+            "claude", "mcp", "add",
+            "--scope", "user",
+            "--transport", "http",
+            _SUPERVISE_MCP_NAME,
+            url,
+        ],
+    )
+    if r.returncode != 0:
+        warn(
+            f"`claude mcp add supervise` failed (exit {r.returncode}): "
+            f"{(r.stderr or r.stdout or '').strip()}. Inside the bottle, "
+            f"register manually with: "
+            f"claude mcp add --scope user --transport http supervise {url}"
+        )
+
+
+__all__ = ["provision_supervise"]