didericis/bot-bottle
1
0
Fork 0
Code Issues 5 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

fix(pipelock): auto-allow cred-proxy hostname when routes are declared
test / unit (pull_request) Successful in 13s
Details
test / integration (pull_request) Successful in 22s
Details

Browse Source 
The agent's HTTP_PROXY env points at pipelock, so an
ANTHROPIC_BASE_URL like http://cred-proxy:9099/anthropic doesn't
short-circuit through Docker's embedded DNS — it gets forwarded
through pipelock, which then checks its api_allowlist for the
hostname `cred-proxy` and 403's because the name isn't there. The
agent surfaces the failure as "API Error: 403 blocked: domain not
in allowlist: cred-proxy" on Claude's first call.

Fix: pipelock_effective_allowlist auto-adds CRED_PROXY_HOSTNAME
when bottle.cred_proxy.routes is non-empty (i.e., when the
sidecar will actually be running and reachable).

Move CRED_PROXY_HOSTNAME from backend/docker/cred_proxy.py to the
backend-agnostic claude_bottle/cred_proxy.py so pipelock can
reference it without a layering violation; the docker concrete
imports it from the same place.
This commit is contained in:
didericis
2026-05-24 13:25:21 -04:00
parent 32b62cbacc
commit f4452b391d
4 changed files with 42 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
claude_bottle/pipelock.py
+14 -4
View File
@@ -17,6 +17,7 @@ from dataclasses import dataclass
from pathlib import Path
from typing import cast
from .cred_proxy import CRED_PROXY_HOSTNAME
from .manifest import Bottle
# Baked-in default allowlist for hosts Claude Code itself needs.
@@ -74,10 +75,17 @@ def pipelock_token_hosts(bottle: Bottle) -> list[str]:
def pipelock_effective_allowlist(bottle: Bottle) -> list[str]:
"""Deduplicated union of: baked-in defaults, bottle.egress.allowlist,
and the cred-proxy upstream hosts derived from bottle.cred_proxy.routes.
Sorted for stability. Git upstreams declared in `bottle.git` do NOT
contribute here — git traffic flows through the per-agent git-gate
sidecar (PRD 0008), not pipelock."""
the cred-proxy upstream hosts derived from bottle.cred_proxy.routes,
and the cred-proxy sidecar's own hostname when any cred_proxy route
is declared. Sorted for stability. Git upstreams declared in
`bottle.git` do NOT contribute here — git traffic flows through the
per-agent git-gate sidecar (PRD 0008), not pipelock.
The cred-proxy hostname is auto-added because the agent's
HTTP_PROXY points at pipelock, so a manifest-driven URL like
`http://cred-proxy:9099/anthropic/...` arrives at pipelock as a
request for hostname `cred-proxy`. Without this auto-allow,
pipelock would 403 the request before it reached the sidecar."""
seen: dict[str, None] = {}
for h in DEFAULT_ALLOWLIST:
seen.setdefault(h, None)
@@ -86,6 +94,8 @@ def pipelock_effective_allowlist(bottle: Bottle) -> list[str]:
seen.setdefault(h, None)
for h in pipelock_token_hosts(bottle):
seen.setdefault(h, None)
if bottle.cred_proxy.routes:
seen.setdefault(CRED_PROXY_HOSTNAME, None)
return sorted(seen.keys())