From d90b04d34389f86e4816f3867c5ec5c923288acc Mon Sep 17 00:00:00 2001
From: didericis
Date: Thu, 4 Jun 2026 13:14:59 -0400
Subject: [PATCH] feat: add generic pipelock config merging for future extensibility
- Merge arbitrary pipelock settings from routes into global config
- Allows routes to configure new pipelock options without code changes
- Special-case tls_passthrough and ssrf_ip_allowlist (already aggregated)
Note: Pipelock doesn't currently support per-path/per-host response scanning rules or response size limits, so response_body_scanning config is not yet usable. For now, use tls_passthrough for binary download hosts.
Co-Authored-By: Claude Haiku 4.5
---
 bot_bottle/pipelock.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/bot_bottle/pipelock.py b/bot_bottle/pipelock.py
index bf5b607..e8e21ea 100644
--- a/bot_bottle/pipelock.py
+++ b/bot_bottle/pipelock.py
@@ -223,6 +223,15 @@ def pipelock_build_config(
 )
 if effective_ssrf_ip_allowlist:
 cfg["ssrf"] = {"ip_allowlist": effective_ssrf_ip_allowlist}
+
+ # Merge per-route pipelock config (e.g., response_body_scanning settings).
+ # Routes can specify arbitrary pipelock options that apply globally.
+ for route in bottle.egress.routes:
+ for key, value in route.Pipelock.Config.items():
+ if key not in ("tls_passthrough", "ssrf_ip_allowlist"):
+ if key not in cfg:
+ cfg[key] = value
+
 return cfg
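Review bot: The merge loop copies every top-level key from `route.Pipelock.Config` into the global `cfg` except two named ones, so one route's entry can set proxy-wide options for all other routes with no allowlist of which keys a route may touch. Because `cfg["ssrf"]` is only assigned when the aggregated allowlist is non-empty and the skip tuple names `ssrf_ip_allowlist` rather than `ssrf`, a route that supplies an `ssrf` key directly appears to be copied into `cfg` as-is, bypassing the aggregation above. An explicit allowlist would be safer, e.g. `if key in ROUTE_MERGEABLE_KEYS and key not in cfg:` with `ROUTE_MERGEABLE_KEYS` as a new module-level constant, and the assignment should store `copy.deepcopy(value)` so the global config does not alias a route's mutable object. The `if key not in cfg` guard also lets the first route win silently when two routes disagree; logging or rejecting the conflict would make the effective policy auditable. `pipelock_build_config` starts before this hunk, so how `cfg` is seeded is not visible here.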