refactor!: rename project to bot-bottle
Assisted-by: Codex
This commit is contained in:
@@ -3,7 +3,7 @@
|
||||
Consolidated research on running an auth-header-injecting proxy in
|
||||
front of an AI agent so API tokens stay out of the agent's process
|
||||
space. Folds in the per-service mechanics for the Anthropic OAuth
|
||||
token and the Gitea PAT — the two cases claude-bottle hits first —
|
||||
token and the Gitea PAT — the two cases bot-bottle hits first —
|
||||
and surveys existing tools as of May 2026.
|
||||
|
||||
Companion to
|
||||
@@ -15,7 +15,7 @@ the biggest credential risk).
|
||||
|
||||
## Summary
|
||||
|
||||
Today every claude-bottle agent gets `CLAUDE_CODE_OAUTH_TOKEN` (and
|
||||
Today every bot-bottle agent gets `CLAUDE_CODE_OAUTH_TOKEN` (and
|
||||
any `bottle.env` secrets like a Gitea PAT) injected as env vars,
|
||||
which means the agent process can read them with `printenv` or
|
||||
`/proc/self/environ`. A prompt-injected or hijacked agent can ship
|
||||
@@ -28,11 +28,11 @@ level via `ptrace_may_access`; a future smolmachines backend
|
||||
enforces it harder, at the VM line.
|
||||
|
||||
Several existing tools implement this pattern, but none of them are
|
||||
a clean drop-in for claude-bottle today: the most architecturally
|
||||
a clean drop-in for bot-bottle today: the most architecturally
|
||||
aligned (nono) is alpha; the most mature open-source
|
||||
(Infisical Agent Vault) requires TLS MITM and would double up on
|
||||
pipelock's TLS-interception stack. For the Anthropic-token slice, a
|
||||
small claude-bottle-specific reverse proxy modeled on the
|
||||
small bot-bottle-specific reverse proxy modeled on the
|
||||
phantom-token shape is probably the right call. For Gitea / GitHub /
|
||||
GitLab, the same proxy generalizes by config.
|
||||
|
||||
@@ -49,7 +49,7 @@ the caller's UID/GID don't match the target's and the caller lacks
|
||||
`CAP_SYS_PTRACE` or `CAP_PERFMON`. A `node`-uid claude attempting to
|
||||
read a root-owned proxy's environ gets `EACCES`. Escape hatches
|
||||
(`--cap-add=SYS_PTRACE`, `--cap-add=PERFMON`, `--privileged`) are
|
||||
not used by claude-bottle. Yama `ptrace_scope` is irrelevant — it
|
||||
not used by bot-bottle. Yama `ptrace_scope` is irrelevant — it
|
||||
only relaxes the *same-UID* relationship check; the cross-UID
|
||||
match requirement still blocks the read. On a smolmachines backend
|
||||
the boundary becomes the VM line; same property, harder.
|
||||
@@ -77,8 +77,8 @@ The remaining credible designs reduce to three:
|
||||
|
||||
### Anthropic / Claude Code
|
||||
|
||||
**Today's wiring** (`claude_bottle/cli/start.py`): the host's
|
||||
`CLAUDE_BOTTLE_OAUTH_TOKEN` is forwarded into the bottle as
|
||||
**Today's wiring** (`bot_bottle/cli/start.py`): the host's
|
||||
`BOT_BOTTLE_OAUTH_TOKEN` is forwarded into the bottle as
|
||||
`CLAUDE_CODE_OAUTH_TOKEN` via `docker run -e CLAUDE_CODE_OAUTH_TOKEN`
|
||||
(no `=value`, so the value never lands on argv — good). Inside the
|
||||
bottle, claude runs as `node` (UID 1000) with
|
||||
@@ -128,7 +128,7 @@ never the token.
|
||||
A hijacked claude could exfil the captured token (or any other
|
||||
data) through any of these even with the proxy in place. Pair
|
||||
the proxy with an explicit egress allowlist for the full benefit
|
||||
(claude-bottle does this via pipelock).
|
||||
(bot-bottle does this via pipelock).
|
||||
- **Token refresh**: `claude setup-token` issues a ~1-year OAuth
|
||||
token with no client-side refresh, so a static proxy value is
|
||||
fine. The flip side is a one-year blast radius if the token leaks
|
||||
@@ -138,7 +138,7 @@ never the token.
|
||||
rewriting is safe.
|
||||
- **`--bare` mode** reads only `ANTHROPIC_API_KEY`, not
|
||||
`CLAUDE_CODE_OAUTH_TOKEN`. Not relevant to the interactive flow
|
||||
claude-bottle ships, but worth noting if `--bare` is ever wired in.
|
||||
bot-bottle ships, but worth noting if `--bare` is ever wired in.
|
||||
|
||||
### Gitea (`tea` + git HTTPS)
|
||||
|
||||
@@ -191,7 +191,7 @@ mitigation. Either composes cleanly with the same proxy.
|
||||
## Proxy architectures
|
||||
|
||||
Four shapes worth comparing. The first is the lowest-friction
|
||||
match for claude-bottle today.
|
||||
match for bot-bottle today.
|
||||
|
||||
| Shape | Pros | Cons |
|
||||
|---|---|---|
|
||||
@@ -200,7 +200,7 @@ match for claude-bottle today.
|
||||
| **Host-side proxy** | Token stays entirely outside the Linux VM. This is the Docker AI Sandbox shape. | A host daemon to maintain; the published port is reachable by any container on the host unless firewalled. UDS-across-VM doesn't work on Docker Desktop on macOS (no AF_UNIX `connect()` over the VM), but `host.docker.internal:<port>` over TCP works fine. |
|
||||
| **Sidecar container** | Clean isolation; portable across hosts. Matches the existing pipelock / ssh-gate / git-gate topology. | Another container to orchestrate per agent; the token is in another container's env, which is a lateral move unless the sidecar runs with stricter isolation than the agent container does. |
|
||||
|
||||
For claude-bottle today — local Docker, per-agent containers, the
|
||||
For bot-bottle today — local Docker, per-agent containers, the
|
||||
root-owned-helper pattern already established by the SSH agent —
|
||||
the **in-container reverse proxy** is the lowest-friction option
|
||||
that gives the desired property. The sidecar-container shape is
|
||||
@@ -214,7 +214,7 @@ Two categories:
|
||||
- **A. Generic LLM / API gateways** that happen to support credential
|
||||
injection as a side feature.
|
||||
- **B. Purpose-built agent credential brokers** — newer, closer to
|
||||
what claude-bottle wants.
|
||||
what bot-bottle wants.
|
||||
|
||||
| Tool | Category | License | Topology | Injection mechanism | `ANTHROPIC_BASE_URL` compatible | Per-route allowlist | Maturity |
|
||||
|---|---|---|---|---|---|---|---|
|
||||
@@ -235,7 +235,7 @@ Two categories:
|
||||
### Cluster commentary
|
||||
|
||||
- **The phantom-token pattern** (nono) is the cleanest architectural
|
||||
fit for claude-bottle. The agent receives a per-session
|
||||
fit for bot-bottle. The agent receives a per-session
|
||||
cryptographically random token scoped to the localhost proxy;
|
||||
the proxy validates and swaps for the real upstream credential.
|
||||
No TLS interception, no CA trust setup, works directly with
|
||||
@@ -275,7 +275,7 @@ is a bet on the project rather than a buy-vs-build win.
|
||||
|
||||
**Most mature OSS purpose-built:** Infisical Agent Vault. MIT,
|
||||
v0.19.0 active, v0.17.0 added a containerized agent mode that
|
||||
maps directly to claude-bottle. Friction is the TLS-MITM topology
|
||||
maps directly to bot-bottle. Friction is the TLS-MITM topology
|
||||
— another container-local CA, the Go-loopback workaround,
|
||||
duplication with pipelock's existing TLS interception layer.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user