From db1b5238810f1b7aed6b869f31ebdf1702adac36 Mon Sep 17 00:00:00 2001 From: didericis Date: Mon, 25 May 2026 18:50:36 -0400 Subject: [PATCH] fix(egress-proxy-apply): correct misleading "egress-proxy updated" wording MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `_mirror_hosts_to_pipelock` runs BEFORE the egress-proxy write in `apply_routes_change` — if it raises, egress-proxy is left intact. The error message claimed the opposite ("egress-proxy routes updated but pipelock allowlist mirror failed"), pointing the operator at the wrong half-state. Reword to make the actual state clear: pipelock failed, egress-proxy NOT updated, fix pipelock manually with `pipelock edit ` then retry. Co-Authored-By: Claude Opus 4.7 --- claude_bottle/backend/docker/egress_proxy_apply.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/claude_bottle/backend/docker/egress_proxy_apply.py b/claude_bottle/backend/docker/egress_proxy_apply.py index 535552b..87af4cf 100644 --- a/claude_bottle/backend/docker/egress_proxy_apply.py +++ b/claude_bottle/backend/docker/egress_proxy_apply.py @@ -102,11 +102,14 @@ def _mirror_hosts_to_pipelock(slug: str, hosts: list[str]) -> None: return # nothing to add apply_allowlist_change(slug, render_allowlist_content(merged)) except PipelockApplyError as e: + # Mirror runs BEFORE the egress-proxy write, so egress-proxy + # is unchanged on this failure path. Report it as a + # pipelock-side problem so the operator looks in the right + # place; their `pipelock edit` flow can repair manually. raise EgressProxyApplyError( - f"egress-proxy routes updated but pipelock allowlist " - f"mirror failed: {e}. The request will 403 at pipelock " - f"until pipelock's allowlist is refreshed; retry the " - f"proposal or edit pipelock's allowlist by hand." + f"pipelock allowlist mirror failed (egress-proxy NOT " + f"updated): {e}. Fix pipelock's allowlist manually with " + f"`pipelock edit ` then retry the proposal." ) from e