Branch protection isn't being applied; remove the README CI section,
the protection + gate-verification sections of docs/ci.md, and the
matching success-criteria / scope items from PRD 0002. Workflow itself
is unchanged.
Assisted-by: Claude Code
Two integration tests fail when run inside act_runner because the
job container shares the host's docker socket — networks created on
the host daemon aren't always visible in-process, and ports published
by sibling containers aren't reachable on the job's 127.0.0.1.
Skip them when GITEA_ACTIONS=true. Document the limitation in
docs/ci.md as a follow-up to revisit.
Assisted-by: Claude Code
Add a Gitea Actions test-status badge plus a short README "CI" section
covering how to read the check and what to do when it's red. Capture
the (out-of-tree) branch-protection rule on `main` in docs/ci.md so
the gate that requires the test check is reproducible from the repo
alone — covers both the Gitea UI path and the equivalent API call.
Refs: PRD 0002
Assisted-by: Claude Code
Run tests/run_tests.py on every PR push and on push to main. The suite
uses stdlib unittest, so the workflow only needs Python; integration
tests skip cleanly when the runner has no Docker daemon reachable.
Refs: PRD 0002
Assisted-by: Claude Code
Drop the Intended design section and PRD references; keep only
What this is, Goals, Non-goals, Repository layout, Conventions,
and When you're unsure.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replaces cli.sh + lib/*.sh with a claude_bottle/ Python package and a
cli.py entry point. No external dependencies — uses only Python's
stdlib (json, subprocess, getpass, tempfile, argparse, re, etc.).
- claude_bottle/{log,docker,manifest,env_resolve,network,pipelock,
skills,ssh,cli}.py mirror the previous lib/*.sh modules.
- Tests converted to unittest under tests/test_*.py with a stdlib
runner at tests/run_tests.py (unit | integration | path).
- .githooks/commit-msg ported to Python; same Conventional Commits rules.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Previously cmd_start unconditionally passed --remote-control to claude.
Make it a parsed flag so callers can choose. Behavior change: the
default is now disabled — pass --remote-control to opt in.
Surfaced in usage, the launch plan, and the assembled CLAUDE_ARGS.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
cmd_start declared SLUG as local, but cleanup_all (registered as the
EXIT/INT/TERM trap) calls pipelock_stop "$SLUG" after cmd_start has
returned and the local is out of scope. With set -u this aborted
shell teardown with "SLUG: unbound variable". Drop the local to
match the convention already used for MANIFEST_FILE, CONTAINER, and
STAGE_DIR.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Investigates whether the Gitea `tea` CLI can be authenticated via a
header-injecting proxy so the token never enters the container — even as
an env var. Parallels the OAuth-token research note. Recommends an
in-container root-owned reverse proxy as the lowest-friction shape, and
flags the unavoidable tradeoff that the agent retains the token's full
API scope (no exfil ≠ no harm).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Walks the current `docker run -e CLAUDE_CODE_OAUTH_TOKEN` flow, why claude
can read the token trivially via its Bash tool, why no Linux primitive
hides an env var from its own process, and why a root-owned localhost
auth-injecting reverse proxy (paired with an egress allowlist) is the
realistic mitigation. Documents `ANTHROPIC_BASE_URL` caveats (SSE,
header passthrough, issue #36998, out-of-band traffic).
didericis