fix(macos-container): mount live egress routes dir

bot_bottle/backend/docker/egress_apply.py

@@ -12,7 +12,7 @@ import subprocess
 from pathlib import Path
 
 from ...bottle_state import egress_state_dir, read_metadata
-from ...egress import EGRESS_ROUTES_IN_CONTAINER
+from ...egress import EGRESS_ROUTES_FILENAME, EGRESS_ROUTES_IN_CONTAINER
 from ...egress_addon_core import load_routes
 from ...log import warn
 from .sidecar_bundle import sidecar_bundle_container_name
@@ -58,7 +58,12 @@ def validate_routes_content(content: str) -> None:
 
 
 def _routes_path(slug: str) -> Path:
-    return egress_state_dir(slug) / "egress_routes.yaml"
+    state_dir = egress_state_dir(slug)
+    routes_path = state_dir / EGRESS_ROUTES_FILENAME
+    legacy_path = state_dir / "egress_routes.yaml"
+    if legacy_path.exists() and not routes_path.exists():
+        return legacy_path
+    return routes_path
 
 
 def _signal_bundle_reload(slug: str) -> None:

bot_bottle/backend/macos_container/launch.py

@@ -363,8 +363,8 @@ def _sidecar_mounts(
     ))
     if ep.routes:
         mounts.append((
-            str(ep.routes_path),
-            EGRESS_ROUTES_IN_CONTAINER,
+            str(ep.routes_path.parent),
+            str(Path(EGRESS_ROUTES_IN_CONTAINER).parent),
             True,
         ))
 

bot_bottle/egress.py

@@ -31,6 +31,7 @@ CODEX_HOST_CREDENTIAL_TOKEN_REF = "BOT_BOTTLE_CODEX_HOST_ACCESS_TOKEN"
 EGRESS_HOSTNAME = "egress"
 
 EGRESS_ROUTES_IN_CONTAINER = "/etc/egress/routes.yaml"
+EGRESS_ROUTES_FILENAME = Path(EGRESS_ROUTES_IN_CONTAINER).name
 
 
 @dataclass(frozen=True)
@@ -295,7 +296,7 @@ class Egress(ABC):
     ) -> EgressPlan:
         routes = egress_routes_for_bottle(bottle, provider_routes)
         log = bottle.egress.Log
-        routes_path = stage_dir / "egress_routes.yaml"
+        routes_path = stage_dir / EGRESS_ROUTES_FILENAME
         routes_path.write_text(egress_render_routes(routes, log=log))
         routes_path.chmod(0o600)
         return EgressPlan(
@@ -309,6 +310,7 @@ class Egress(ABC):
 __all__ = [
     "CODEX_HOST_CREDENTIAL_TOKEN_REF",
     "EGRESS_HOSTNAME",
+    "EGRESS_ROUTES_FILENAME",
     "EGRESS_ROUTES_IN_CONTAINER",
     "Egress",
     "EgressPlan",

tests/unit/test_egress_apply.py

@@ -90,13 +90,40 @@ class TestApplyRoutesChange(unittest.TestCase):
         self.assertEqual("routes:\n  - host: google.com\n", after)
         self.assertEqual(
             "routes:\n  - host: google.com\n",
-            (Path(self._tmp.name) / ".bot-bottle/state/dev/egress/egress_routes.yaml").read_text(encoding="utf-8"),
+            (Path(self._tmp.name) / ".bot-bottle/state/dev/egress/routes.yaml").read_text(encoding="utf-8"),
         )
         self.assertEqual(
             ["docker", "kill", "--signal", "HUP", "bot-bottle-sidecars-dev"],
             calls[0],
         )
 
+    def test_updates_legacy_routes_file_when_existing_bottle_mounted_it(self):
+        legacy_path = (
+            Path(self._tmp.name)
+            / ".bot-bottle/state/dev/egress/egress_routes.yaml"
+        )
+        legacy_path.parent.mkdir(parents=True)
+        legacy_path.write_text("routes: []\n", encoding="utf-8")
+
+        with patch(
+            "bot_bottle.backend.docker.egress_apply.subprocess.run",
+            return_value=SimpleNamespace(returncode=0, stdout="", stderr=""),
+        ):
+            before, after = apply_routes_change(
+                "dev",
+                "routes:\n  - host: google.com\n",
+            )
+
+        self.assertEqual("routes: []\n", before)
+        self.assertEqual("routes:\n  - host: google.com\n", after)
+        self.assertEqual(
+            "routes:\n  - host: google.com\n",
+            legacy_path.read_text(encoding="utf-8"),
+        )
+        self.assertFalse(
+            (Path(self._tmp.name) / ".bot-bottle/state/dev/egress/routes.yaml").exists(),
+        )
+
 
 if __name__ == "__main__":
     unittest.main()

tests/unit/test_macos_container_launch.py

@@ -27,7 +27,7 @@ def _plan(
     agent_git_gate_url: str = "",
     agent_supervise_url: str = "",
 ) -> MacosContainerBottlePlan:
-    routes_path = stage_dir / "source-routes.yaml"
+    routes_path = stage_dir / "routes.yaml"
     routes_path.write_text("routes: []\n", encoding="utf-8")
     ca_dir = stage_dir / "egress-ca"
     ca_dir.mkdir(exist_ok=True)
@@ -126,7 +126,7 @@ class TestMacosContainerLaunchArgv(unittest.TestCase):
             argv,
         )
         self.assertIn(
-            f"type=bind,source={self.stage_dir / 'source-routes.yaml'},target=/etc/egress/routes.yaml,readonly",
+            f"type=bind,source={self.stage_dir},target=/etc/egress,readonly",
             argv,
         )
         self.assertIn(