bot-bottle

didericis/bot-bottle

Fork 0

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
didericis	a79b2b7be0	docs(prd-0017): nest auth.scheme + auth.token_ref under optional `auth` test / unit (pull_request) Successful in 18s Details test / integration (pull_request) Successful in 1m38s Details Earlier draft had `auth_scheme: "none"` as the unauthenticated signal — awkward sentinel. Nest the two credential-injection fields under an optional `auth` key instead. Presence of the key = authenticated; absence = unauthenticated. Empty `auth: {}` is an error (omission is what means "no auth"). Touches: scope bullet, manifest example, mitmproxy addon description's auth-handling step. Two trailing `auth_scheme: "none"` references kept as historical context for what the new shape replaces. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 13:35:47 -04:00
didericis	b0d9802469	docs(prd-0017): pivot to mitmproxy-based egress-proxy test / unit (pull_request) Successful in 18s Details test / integration (pull_request) Successful in 1m34s Details Significant rewrite of PRD 0017 based on PR #25 design discussion. Original draft proposed adding `path_allowlist` to the existing cred-proxy. That bought opt-in path filtering for tools that voluntarily routed through cred-proxy (Claude Code, git, npm) — but raw `curl https://github.com/foo` from the agent goes to HTTPS_PROXY=pipelock and bypasses cred-proxy entirely, so any universal enforcement claim was a lie. New design: replace cred-proxy with a mitmproxy-based egress-proxy that becomes the agent's HTTP_PROXY/HTTPS_PROXY. Every agent HTTP/HTTPS request flows through it before reaching pipelock. Path-level allow/deny enforcement is universal because the proxy is on every leg. The proxy also absorbs cred-proxy's credential injection role (mitmproxy addon hooks request → strip + inject Authorization). Net sidecar count: unchanged. cred-proxy is replaced 1:1 by egress-proxy. Pipelock stays as hostname allow + DLP downstream of egress-proxy. Decisions baked in per PR-#25 discussion: - Tool: mitmproxy (designed for this; Python addons; well-maintained). - CA custody: egress-proxy holds the per-bottle MITM CA key (concentration accepted; documented in trust-domain section). - Migration: hard cutover. Existing `bottle.cred_proxy.routes[]` manifests fail-fast at load time with a pointer at this PRD. Open questions retained for the implementation PRs: addon distribution (bake vs mount), prefix-vs-glob match, double-strip of Authorization between egress-proxy and pipelock, whether pipelock keeps TLS interception or stays hostname-only post-cutover, performance under two-MITM-hops. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 13:28:53 -04:00

didericis

a79b2b7be0

docs(prd-0017): nest auth.scheme + auth.token_ref under optional auth

test / unit (pull_request) Successful in 18s

Details

test / integration (pull_request) Successful in 1m38s

Details

Earlier draft had `auth_scheme: "none"` as the unauthenticated
signal — awkward sentinel. Nest the two credential-injection
fields under an optional `auth` key instead. Presence of the key
= authenticated; absence = unauthenticated. Empty `auth: {}` is
an error (omission is what means "no auth").

Touches: scope bullet, manifest example, mitmproxy addon
description's auth-handling step. Two trailing `auth_scheme:
"none"` references kept as historical context for what the new
shape replaces.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-25 13:35:47 -04:00

didericis

b0d9802469

docs(prd-0017): pivot to mitmproxy-based egress-proxy

test / unit (pull_request) Successful in 18s

Details

test / integration (pull_request) Successful in 1m34s

Details

Significant rewrite of PRD 0017 based on PR #25 design discussion.

Original draft proposed adding `path_allowlist` to the existing
cred-proxy. That bought opt-in path filtering for tools that
voluntarily routed through cred-proxy (Claude Code, git, npm) —
but raw `curl https://github.com/foo` from the agent goes to
HTTPS_PROXY=pipelock and bypasses cred-proxy entirely, so any
universal enforcement claim was a lie.

New design: replace cred-proxy with a mitmproxy-based egress-proxy
that becomes the agent's HTTP_PROXY/HTTPS_PROXY. Every agent
HTTP/HTTPS request flows through it before reaching pipelock.
Path-level allow/deny enforcement is universal because the proxy
is on every leg. The proxy also absorbs cred-proxy's credential
injection role (mitmproxy addon hooks request → strip + inject
Authorization).

Net sidecar count: unchanged. cred-proxy is replaced 1:1 by
egress-proxy. Pipelock stays as hostname allow + DLP downstream
of egress-proxy.

Decisions baked in per PR-#25 discussion:
- Tool: mitmproxy (designed for this; Python addons; well-maintained).
- CA custody: egress-proxy holds the per-bottle MITM CA key
  (concentration accepted; documented in trust-domain section).
- Migration: hard cutover. Existing `bottle.cred_proxy.routes[]`
  manifests fail-fast at load time with a pointer at this PRD.

Open questions retained for the implementation PRs: addon
distribution (bake vs mount), prefix-vs-glob match, double-strip
of Authorization between egress-proxy and pipelock, whether
pipelock keeps TLS interception or stays hostname-only post-cutover,
performance under two-MITM-hops.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-25 13:28:53 -04:00

2 Commits