218 Commits

Author	SHA1	Message	Date
didericis-claude	9f65b137b9	feat(smolmachines): end-to-end launch + Bottle.exec + smoke + probes (PRD 0023 chunk 2d) ... End-to-end launch flow for the smolmachines backend. Brings up the per-bottle docker bridge + sidecar bundle, creates and starts the smolvm guest pointed at the bundle's pinned IP via TSI's `--allow-cidr <bundle-ip>/32`, yields a SmolmachinesBottle handle that routes exec/cp through `smolvm machine exec / cp`, tears everything down on context exit. launch.py: - ExitStack-managed: create_bundle_network → start_bundle → machine_create → machine_start (each registered for reverse teardown). - daemons_csv="" for chunk 2d — bundle init logs "no daemons selected" and idles. Real daemon bringup with inner-Plan-driven env + volumes lands in chunk 4. bottle.py: - SmolmachinesBottle.exec → smolvm.machine_exec (captured). - SmolmachinesBottle.exec_claude → direct subprocess.run with inherited TTY for interactive sessions. - SmolmachinesBottle.cp_in → smolvm.machine_cp. Architecture pivots forced by smolvm 0.8.0's CLI shape: 1. `--from <smolmachine>` and `--smolfile <toml>` are MUTUALLY EXCLUSIVE in smolvm 0.8.0. We need --from to avoid the registry-pull race that bit us on machine_start (libkrun agent's network attempt got refused by macOS with "connect: permission denied" on IPv6). So Smolfile is dropped entirely; per-bottle env + allow_cidrs flow as CLI flags (`--allow-cidr CIDR`, `-e K=V`) directly to machine_create. 2. `smolvm pack create --image` doesn't pull from the local docker daemon — only OCI registries via crane. The real claude-bottle:latest image lives in the local docker daemon and isn't reachable that way. Chunk 2d ships with an alpine placeholder; the agent-image-conversion gap belongs to chunk 4 (push the image to a registry, or smolvm grows a docker-daemon transport). Other changes: - machine_create grew `image=` / `from_path=` / `allow_cidrs=` / `env=` kwargs; smolfile= dropped. - bottle_plan: smolfile_path → agent_from_path + guest_env. - prepare: pack_create against `alpine:latest`, cached under ~/.cache/claude-bottle/smolmachines/ keyed by image ref. - Deleted smolfile.py + test_smolfile.py (dead code now). Tests: - Unit: 540 passing (smolvm wrapper grew 4 new flag forms; one test renamed to reflect --from + --allow-cidr + -e combo). - Integration: 3 new cases in tests/integration/ test_smolmachines_launch.py, gated on Darwin + smolvm on PATH + docker + not GITEA_ACTIONS: * smoke: bottle.exec("echo hello-from-vm") round-trips with the correct stdout + returncode. * localhost-reach probe: agent dials 127.0.0.1:9 → connect refused (TSI's <bundle-ip>/32 allowlist doesn't include loopback). The regression test for the gap the PRD design pivot was about. * egress-port-bypass probe: agent dials <bundle-ip>:9099 (egress's port) → connect refused. Chunk 2d has no daemons running so nothing's listening anyway; chunk 3 will preserve this property once egress is up but bound to 127.0.0.1 inside the bundle. End-to-end smoke + both probes green locally on macOS with smolvm 0.8.0. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 04:39:52 -04:00
didericis-claude	495be7f9c0	feat(smolmachines): bundle bringup on per-bottle docker bridge (PRD 0023 chunk 2c) ... claude_bottle/backend/smolmachines/sidecar_bundle.py — primitives for the per-bottle bridge + bundle container with pinned IP: - bundle_network_name(slug) / bundle_container_name(slug) - create_bundle_network(name, subnet, gateway) - remove_bundle_network(name) - start_bundle(BundleLaunchSpec, env=) - stop_bundle(slug) `BundleLaunchSpec` carries the launch-time fields (network + subnet + gateway + bundle_ip + daemons_csv + environment + volumes). Wiring it up from the inner Plans (PipelockProxyPlan, EgressPlan, GitGatePlan, SupervisePlan) is chunk 2d's job; this module is the docker-argv surface only. Pinning the bundle IP via `docker run --ip <bundle-ip>` is what makes smolvm's TSI allowlist (`<bundle-ip>/32`) safe to compute at prepare time — without pinning, we'd have to inspect the assigned IP after start and feed it back into the Smolfile. Idempotent semantics where it matters: `create_bundle_network` treats "already exists" as success, `remove_bundle_network` + `stop_bundle` treat "no such ..." as success. Other failures die / warn depending on whether the launch flow can recover. Tests: - 15 unit cases (mocked subprocess.run): argv shape for create / remove / start / stop, idempotent paths, host-env inheritance to docker run subprocess. - 1 integration case (real docker daemon, gated on docker available + not GITEA_ACTIONS): end-to-end bringup of an empty-daemons bundle on a 192.168.211.0/24 bridge, confirms the container lands at the pinned IP. Skipped if the claude-bottle-sidecars:latest image isn't built (operator hasn't run a docker bottle yet). 546 unit tests passing. Real-docker bundle bringup green locally. Launch wiring + provisioning + PRD 0022 acceptance probes land in chunk 2d. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 04:19:31 -04:00
didericis-claude	9c333bc130	feat(smolmachines): smolvm subprocess wrapper (PRD 0023 chunk 2b) ... claude_bottle/backend/smolmachines/smolvm.py — one thin Python function per smolvm CLI subcommand the launch flow needs: - pack_create(image, output) → smolvm pack create - machine_create(name, from_path, smolfile) → smolvm machine create - machine_start(name) → smolvm machine start - machine_stop(name) → smolvm machine stop - machine_delete(name) → smolvm machine delete -f - machine_exec(name, argv, env, workdir, timeout) → smolvm machine exec - machine_cp(src, dst) → smolvm machine cp - is_available() → shutil.which check The wrapper hides the CLI's inconsistent name-flag style (positional NAME on create/delete, --name on start/stop/exec/ status) behind a uniform `name=` kwarg. Two return shapes: - SmolvmRunResult (returncode + stdout + stderr) from machine_exec, because callers care about the in-VM command's exit code. - Raises SmolvmError on non-zero for all other commands; failure to create/start/stop a VM is fatal to the launch flow, not branched on. Tests: - 15 unit cases mocking subprocess.run, covering argv shape per subcommand (the --name vs positional inconsistency locked down), SmolvmError on non-zero for non-exec paths, SmolvmRunResult passthrough on exec, empty-path cp no-op. - 2 integration cases against the real smolvm binary (gated on Darwin + smolvm on PATH + not GITEA_ACTIONS): smolvm --help responds, machine ls --json parses as a list (the contract chunk 4's list_active will consume). 531 unit tests passing. Real-smolvm smoke green locally. Bundle bringup + launch wiring + the localhost-reach / egress-port-bypass probes land in chunks 2c + 2d. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 04:11:36 -04:00
didericis-claude	c73d717f71	feat(smolmachines): rewrite Smolfile to smolvm 0.8.0 schema + drop gvproxy (PRD 0023 chunk 2a) ... First sub-PR of chunk 2: rewrite the renderer chunk 1 shipped to match smolvm 0.8.0's actual Smolfile shape, delete the dead gvproxy renderer + its tests, simplify the prepare flow now that there's no gvproxy socket + no loopback-port allocation. Smolfile renderer: - Old shape (under the abandoned gvproxy design): name = ..., command = [...], [[net]] attachment = "unixgram", socket = "...". - New shape (smolvm 0.8.0): env = [...] (sorted K=V pairs), [network] allow_cidrs = ["<bundle-ip>/32"]. Nothing else. image / entrypoint / cmd come from the .smolmachine artifact built in chunk 2b; cpus / memory left at smolvm defaults. - Tests assert no leakage of TSI's --outbound-localhost-only or the old gvproxy/unixgram keys. util.py: - smolmachines_gvproxy_subnet → smolmachines_bundle_subnet, returning (subnet, gateway, bundle_ip). bundle_ip is always at .2 (gateway .1); subnet is /24, third octet derived from the slug hash, skipping the docker-default 17 to avoid the common 192.168.17.x collision. - allocate_loopback_port: deleted. The bundle gets a pinned docker IP now; the agent dials that IP directly through TSI. - smolmachines_preflight: dropped the gvproxy check; only smolvm is required. prepare.py: - Drops the gvproxy.yaml render + the loopback port allocation + the gvproxy_socket field on the plan. - Derives subnet / gateway / bundle_ip from the slug and populates the new SmolmachinesBottlePlan fields. - Agent env now uses IP-literal URLs (http://<bundle-ip>:8888 etc) since the guest will have no DNS resolver inside TSI's allowlist. bottle_plan.py: - Old fields: gvproxy_config_path, gvproxy_socket, gvproxy_subnet, gvproxy_gateway, host_port_map. - New fields: bundle_subnet, bundle_gateway, bundle_ip, smolfile_path. (smolmachine artifact path lands in chunk 2b.) Net: -410 lines. Full unit suite: 516 passing. The VM lifecycle + bundle bringup + launch wiring + smoke tests land in chunk 2b. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 04:01:07 -04:00
didericis	20f411b22e	feat(smolmachines): backend skeleton + Smolfile/gvproxy renderers (PRD 0023 chunk 1) ... Ships the smolmachines backend's prepare side: subpackage layout, `_BACKENDS` registration under "smolmachines", preflight check for `smolvm` + `gvproxy` on PATH, and the two config-file renderers (Smolfile TOML + gvproxy YAML). Launch raises NotImplementedError until chunk 2. New module layout (mirrors backend/docker/): claude_bottle/backend/smolmachines/ __init__.py re-exports SmolmachinesBottleBackend backend.py SmolmachinesBottleBackend façade bottle.py SmolmachinesBottle stub (NotImpl until ch2) bottle_plan.py SmolmachinesBottlePlan + .print() bottle_cleanup_plan.py SmolmachinesBottleCleanupPlan stub prepare.py resolve_plan: writes both config files smolfile.py TOML renderer (stdlib, no tomli_w dep) gvproxy_config.py YAML renderer (same shape as pipelock_yaml) util.py preflight + per-slug subnet + loopback port The renderers are pure functions. `resolve_plan` runs the preflight, allocates one host-side loopback port per active sidecar (pipelock always; git-gate / supervise conditional), derives a per-slug gvproxy subnet (hash-mod-254, skipping the docker-default 17), and writes: - <stage>/gvproxy.yaml: subnet + DNS rule resolving only `proxy.internal` + port_forwards (one per active sidecar). - <stage>/smolfile.toml: guest command/env + virtio-net device backed by gvproxy's unixgram socket. No TSI flags — see PRD 0023 "Why gvproxy, not TSI". The agent's HTTPS_PROXY etc. point at `proxy.internal:<gateway- port>` so the guest dials through gvproxy. gvproxy resolves only `proxy.internal` → the gateway IP, and forwards exactly the listed ports to the host-side sidecar bundle (PRD 0024); every other destination — host LAN, host loopback, public internet directly — is unreachable by construction. 29 new unit tests covering renderer correctness, subnet derivation stability + collision-avoidance, loopback port allocation, and preflight error paths. Full unit suite: 532 passing. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 02:22:08 -04:00
didericis	5b9ceaaaee	fix(sidecars): per-daemon pipelock restart keeps supervise socket alive ... `apply_allowlist_change` used `docker restart <bundle>` to make pipelock reload, which bounced ALL four daemons — including supervise, whose MCP socket the agent's claude-code client had open. That dropped the connection. A second apply works because supervise has come back up by then. Fix: per-daemon restart via SIGUSR1. - New `_Supervisor.restart_daemon(name)` terminates one named child and spawns a replacement in place. Other daemons keep running. - main() wires SIGUSR1 → `restart_daemon("pipelock")`. Pipelock has no in-process reload, so this is its analog of egress's SIGHUP-reload-addon path. Pipelock is the only daemon that currently needs hot-config reload via restart; if others acquire the need, add a new signal. - `apply_allowlist_change` now `docker kill --signal USR1 <bundle>` instead of `docker restart`. Supervise / egress / git-gate keep running across the apply. Tests: - New `_Supervisor.restart_daemon` cases: replaces in place (different pid post-restart, sibling daemon unchanged), unknown name is a no-op, restart-during-shutdown is a no-op. - `test_pipelock_apply` rewritten to bring up the bundle image with `CLAUDE_BOTTLE_SIDECAR_DAEMONS=pipelock` so the supervisor is PID 1 and handles SIGUSR1. The previous standalone-pipelock setup wouldn't survive SIGUSR1 (pipelock default disposition is terminate). Test builds the bundle image in setUpClass (cached layers make repeat runs fast). 531 tests passing locally (unit + integration). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 02:12:37 -04:00
didericis	0848344438	fix(sidecars): apply_routes_change targets the bundle + SIGHUP forwarding ... Two bugs surfaced when applying an egress route change: 1. egress_apply.py still targeted claude-bottle-egress-<slug> — the legacy per-sidecar container that no longer exists (it's a docker-network alias on the bundle now). Switched it to sidecar_bundle_container_name(slug), matching the chunk-5 fix already made to pipelock_apply.py. 2. `docker kill --signal HUP <bundle>` lands SIGHUP on the supervisor (PID 1 in the bundle), which previously had no SIGHUP handler — the signal was ignored. Added `_Supervisor.forward_signal(sig, daemon_name)` and a SIGHUP handler in main() that forwards to the egress daemon so mitmdump's addon reload still works under the bundle. Tests: - New _Supervisor.forward_signal cases: forwards to the named child (Python subprocess as the SIGHUP target — bash trap + stdout=PIPE deferral interferes with the production-style test); unknown-daemon name is a no-op. Stale-reference cleanup (separate issue surfaced while looking at this): - claude_bottle/{egress,git_gate,egress_addon, egress_addon_core,supervise_server}.py: Dockerfile.egress / Dockerfile.git-gate / Dockerfile.supervise references updated to Dockerfile.sidecars (the old per-sidecar Dockerfiles were deleted in PRD 0024 chunk 5). - tests/README.md: dropped the entry for test_pipelock_sidecar_smoke (deleted in chunk 3) and added the new bundle integration tests. - git_gate.py: stale `DockerGitGate.start via docker cp` reference (the method was deleted in chunk 3) rewritten to the bind-mount path the renderer uses now. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 01:56:38 -04:00
didericis	62f6f8db34	refactor(sidecars): bundle is the only shape (PRD 0024 chunk 5) ... The CLAUDE_BOTTLE_SIDECAR_BUNDLE feature flag is gone. Every bottle ships with the agent + bundle pair — no opt-in, no legacy four-sidecar fallback. Changes: - Renderer (compose.py): bottle_plan_to_compose unconditionally emits {agent, sidecars}. Deleted _pipelock_service, _git_gate_service, _egress_service, _supervise_service helpers. _agent_service.depends_on collapses to ["sidecars"]. - sidecar_bundle.py: deleted sidecar_bundle_enabled (the flag parser). SIDECAR_BUNDLE_IMAGE + container-name helper stay. - pipelock_apply.py: docker cp + docker restart now target sidecar_bundle_container_name(slug). Bundle restart bounces all four daemons together (per-daemon reload is the eventual feature, not v1). - Per-sidecar modules trimmed: - egress.py: dropped EGRESS_IMAGE, EGRESS_DOCKERFILE, build_egress_image, egress_url. Kept EGRESS_PORT, CA paths, egress_container_name (still used by the renderer's network aliases). - git_gate.py: dropped GIT_GATE_IMAGE, GIT_GATE_DOCKERFILE, build_git_gate_image. Kept git_gate_host + GIT_GATE_PORT. - supervise.py: dropped SUPERVISE_IMAGE, SUPERVISE_DOCKERFILE, build_supervise_image, supervise_url. - Deleted Dockerfile.{egress,git-gate,supervise}. The bundle's Dockerfile.sidecars is the only sidecar image now. - test_compose.py: deleted TestPipelockAlwaysPresent, TestConditionalGitGate, TestConditionalEgress, TestConditionalSupervise, TestFullMatrix (legacy-shape only), TestSidecarBundleFlag (flag is gone). TestSidecarBundleShape drops its patch.dict wrapper. TestAgentAlwaysPresent's depends_on cases collapse to one. - test_pipelock_apply.py: bringup container name uses sidecar_bundle_container_name(slug) to match the production target. - README.md Architecture section rewritten to describe the agent + bundle pair. Net: -626 lines. Test status: 498 unit + 27 integration + 1 skipped (chunk-4 pending — superseded by this chunk's rewrite). Locally verified end-to-end bottle launch produces exactly 2 containers (claude-bottle-<slug> + claude-bottle-sidecars-<slug>). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 01:37:21 -04:00
didericis	a1180adec1	feat(compose): emit bundle shape behind feature flag (PRD 0024 chunk 2) ... The docker backend's compose renderer now emits a single `sidecars` service in place of the four per-sidecar services when CLAUDE_BOTTLE_SIDECAR_BUNDLE is truthy. Default (unset/0/ false) keeps the legacy five-service shape so existing operators don't have to migrate atomically; chunks 4-5 flip the default and delete the flag. New module claude_bottle/backend/docker/sidecar_bundle.py owns the bundle image constant (CLAUDE_BOTTLE_SIDECAR_IMAGE env var override + claude-bottle-sidecars:latest default), the Dockerfile reference, the container-name helper, and the flag-parser. The bundle service: - joins both internal + egress networks with aliases for every legacy shortname + per-slug long form so the agent's HTTPS_PROXY URL (which dials `egress` or `claude-bottle-pipelock-<slug>`) keeps resolving with no agent-side change - carries CLAUDE_BOTTLE_SIDECAR_DAEMONS=<csv> for the init supervisor to narrow which daemons to start - carries the union of the four prior services' daemon-private env vars (EGRESS_UPSTREAM_PROXY, SUPERVISE_*, token env names) - does NOT carry HTTPS_PROXY/HTTP_PROXY/NO_PROXY — those would route git-gate's git fetches through pipelock by mistake - union'd bind-mounts at the same in-container paths as before HTTPS_PROXY scoping moved into egress_entrypoint.sh so only mitmdump's subprocess sees it. In the legacy four-sidecar shape the env vars also lived in the egress service's compose env; the shell script's export is additionally defensive. Tests: - All 44 existing TestCompose cases pass unchanged (flag off → legacy shape). - 20 new TestSidecarBundleShape cases assert on the bundle's services / aliases / env / volumes / depends_on under the flag. - 8 new TestSidecarBundleFlag cases lock down the env-var parser (unset / 0 / false / no / off → disabled; everything else → enabled). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 00:43:08 -04:00
didericis	62109a1caf	fix(sidecars): child death no longer tears down the bundle ... Reverses chunk 1's "any unexpected child death tears down the rest" policy. New behavior: a daemon dying is logged but does NOT initiate shutdown — the surviving daemons keep running and whatever the dead one served starts failing visibly on the agent side. The supervisor exits only when (a) it receives SIGTERM/SIGINT, or (b) every child has died on its own. Eventual design is restart-the-dead-daemon plus a notification to the supervise sidecar so the operator sees the event explicitly; this commit ships only the "log and leave alone" half. PRD 0024 open question 1 updated to reflect the new intent. Tests updated: replaced "crash propagates exit code via auto-teardown" with three cases that exercise the new policy (crash without shutdown leaves survivors up, crash-then-signal surfaces the nonzero code, all-children-die-unattended still converges the loop). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 00:19:50 -04:00
didericis	61f63684ac	feat(sidecars): bundle image + Python init supervisor (PRD 0024 chunk 1) ... New Dockerfile.sidecars multi-stage build: pulls the pinned pipelock and gitleaks binaries into a mitmproxy-base final image, installs git + openssh-client, and ships the project's egress addon + supervise server alongside a stdlib-Python init at /app/sidecar_init.py. The init supervisor (claude_bottle/sidecar_init.py) is PID 1 in the bundle. It spawns the daemons named in CLAUDE_BOTTLE_SIDECAR_DAEMONS (or all four by default), propagates SIGTERM/SIGINT to children with an 8s grace before SIGKILL, and exits with the first-unexpected-child exit code so a daemon crash tears down the bundle (per PRD 0024 open question 1's default). claude_bottle/egress_entrypoint.sh extracted verbatim from Dockerfile.egress's prior inline sh -c so the supervisor can call it as a normal child. Tests: - unit: _selected_daemons env-var subset behavior (7 cases), _Supervisor signal/exit-code semantics including SIGKILL escalation, and end-to-end main() via subprocess. - integration: builds the image and probes that pipelock, gitleaks, mitmdump, and the supervise Python module are present + executable, plus a no-daemons-selected smoke test of the entrypoint wiring. Skipped under act_runner (200+MB base pulls + multi-stage build). Renderer collapse and the deletion of Dockerfile.{egress,git-gate, supervise} land in chunk 2 + 3. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 00:05:06 -04:00
didericis	23f50f7720	fix(pipelock): scan all request headers + fix attack-3 destination ... Two related changes the PRD 0022 sandbox-escape test surfaced: 1. `pipelock_build_config` now emits `request_body_scanning.scan_headers: true` and `header_mode: all`. Pipelock's default `header_mode: sensitive` only checks Authorization / Cookie / X-Api-Key / X-Token / Proxy-Authorization / X-Goog-Api-Key — an agent attempting exfil could trivially pick a non-sensitive header (`X-Custom: $SECRET`) and slip through. `all` closes the gap; pipelock caps it by the same max_body_bytes the body scan uses. 2. Test 3 (HTTP exfil shapes) now targets raw.githubusercontent.com instead of api.anthropic.com. api.anthropic.com is in `DEFAULT_TLS_PASSTHROUGH` — pipelock can't MITM it because real LLM conversation bodies false-positive on DLP scanners (BIP-39 etc.). The trade-off is documented in `pipelock.DEFAULT_TLS_PASSTHROUGH`; the test now exercises a host where the sandbox is actually supposed to block. All 5 sandbox-escape attacks now produce HTTP 403 with the expected sandbox marker (`egress:`, `pipelock`, or `blocked:`): - Attack 1 (non-allowlisted host) ✓ egress - Attack 2 (non-allowlisted IP + spoof) ✓ egress - Attack 3a (URL path) ✓ pipelock DLP - Attack 3b (URL query) ✓ pipelock DLP - Attack 3c (request body) ✓ pipelock DLP - Attack 3d (request header) ✓ pipelock DLP (scan_headers) - Attack 4a (crafted subdomain) ✓ egress - Attack 4b (direct dig @8.8.8.8) ✓ network isolation - Attack 5 (README push, 3 secret shapes) ✓ gitleaks (pre-upstream) 489 unit tests pass (1 updated for the new request_body_scanning shape). Full integration suite passes in ~6s.	2026-05-26 22:38:38 -04:00
didericis	1a1ba6abd5	fix(dashboard): fall back to fresh claude when --continue has no session ... `--continue` exits non-zero when an agent has been spun up but never typed at — there's no transcript to resume. Re-attaching to such an agent via Enter (tmux mode) was crashing the pane. Wrap the resume invocation in `sh -c '<cmd> --continue || <cmd>'` so a failed `--continue` cleanly falls through to a fresh claude. The shell adds microseconds and the fallback only kicks in when --continue would have failed anyway. New `_build_resume_argv_with_fallback(bottle)` builds the shell-wrapped docker exec argv with proper shlex quoting (so paths-with-spaces in `--append-system-prompt-file` survive). Only the tmux re-attach path uses it; first-attach + foreground handoff are unchanged. 489 unit tests pass (4 new for the fallback builder).	2026-05-26 15:34:21 -04:00
didericis	8d6e382af5	feat(dashboard): auto-focus next agent on stop, or close pane ... After `x` stops a dashboard-owned bottle, slide focus to the next agent in the agents pane (the one filling the stopped row, or the new last row if the stopped was last) and respawn the right pane with that agent's claude session via `--continue`. If no agents remain, close the right pane via `tmux kill-pane`. Two new helpers: - `_tmux_close_right_pane(tmux_state)` — kills the tracked pane (if it exists) and clears pane_id / slug. - `_pick_next_after_stop(agents_before, selected_index, stopped_slug)` — pure chooser returning (new_index, agent) or None. Tested directly. Outside tmux, only the selected_agent index slides; no auto-attach (foreground handoff would take over the terminal, disruptive). 485 unit tests pass (6 new for the pick helper).	2026-05-26 15:21:20 -04:00
didericis	2ba84c5ba0	feat(dashboard): stop hook clears tmux state + right-pane row marker ... PRD 0021 chunk 4 (final). Two adjustments to close the split-pane loop: 1. `_stop_bottle_flow` clears `tmux_state['slug']` when the stopped bottle was the right-pane occupant. The pane itself stays in place (claude exits with "container not found"); the operator presses Enter on a different agent to repurpose it via respawn-pane. 2. `_render` accepts `right_pane_slug` and marks the matching agents-pane row with a `*` prefix + A_BOLD (when it's not also the focused row — focused selection still wins for visibility). Gives the operator a clear visual link between which agent the dashboard says is "active right now" and which one is visible to their right. Wired through `_main_loop`: passes `tmux_state` to `_stop_bottle_flow` on `x`, and `tmux_state.get('slug')` to `_render` on every tick. 479 unit tests pass (1 new for the tmux_state-preservation on non-owned stop). PRD 0021 implementation complete pending merge.	2026-05-26 14:29:59 -04:00
didericis	9944878277	feat(dashboard): tmux split-pane helpers + Enter dispatch ... PRD 0021 chunk 2. New tmux integration: when `\$TMUX` is set and the operator presses Enter on a focused agent row, the dashboard spawns / respawns the right pane with that bottle's claude session instead of taking over the terminal via curses.endwin. Mechanics: - `_in_tmux()` — true when `\$TMUX` is set. - `_tmux_split_pane_create` — first attach: `tmux split-window -h -P -F '#{pane_id}'` opens a right pane and prints its id for tracking. - `_tmux_respawn_pane` — subsequent attaches: `tmux respawn-pane -k -t <id>` swaps the content without re-splitting. - `_tmux_pane_exists` — `tmux list-panes` check before respawn so a manually-closed pane gracefully falls back to a fresh split. - `_attach_in_tmux` — owns the create-or-respawn state machine, mutates `tmux_state` ({pane_id, slug}) so the main loop tracks the right-pane occupant. - `_attach_via_handoff` — the previous curses-endwin path, extracted as the fallback when tmux is missing or fails. - `_attach_to_bottle` dispatches: in tmux + state available → `_attach_in_tmux`; otherwise → handoff. Main loop gets `tmux_state: dict = {"pane_id": None, "slug": None}`. Chunks 3 + 4 wire it through the new-agent flow and the stop hook. `FileNotFoundError`-safe `subprocess.run` calls around every tmux invocation — a missing tmux binary cleanly falls back to the handoff for that keypress. 478 unit tests pass (10 new for the pure argv builders + `_claude_runtime_args`).	2026-05-26 14:26:40 -04:00
didericis	2303cbc0be	refactor(bottle): extract claude_docker_argv from exec_claude ... PRD 0021 chunk 1. The tmux split-pane helpers (chunk 2+) need the same docker-exec argv that `exec_claude` builds — including the `--append-system-prompt-file <path>` flag the bottle's provisioner copies into place. Extract the argv construction into a pure `claude_docker_argv(argv, *, tty)` method so both foreground (`subprocess.run`) and tmux paths (`tmux respawn-pane …`) build from the same source. `exec_claude` becomes a one-liner that runs subprocess.run on the argv. No behavior change; 472 unit tests pass (7 new for the pure builder).	2026-05-26 14:21:04 -04:00
didericis	3ed3745982	feat(dashboard): x stops a dashboard-owned bottle (PRD 0020 chunk 4) ... Final PRD 0020 chunk. `x` on a focused agents-pane row tears down the selected bottle if the dashboard owns it (started via the chunk-2 `n` flow): pops `(cm, bottle, identity)` from the main loop's bottles map, snapshots the transcript best-effort, calls `cm.__exit__(None, None, None)` to drive the existing compose-down + network-remove sequence, then `settle_state` to honor any pre-existing preserve marker. On a non-owned slug (discovered via `list_active_slugs` but not in the dashboard's bottles dict — i.e., previous-dashboard or external `./cli.py start` bottle), `x` is a no-op with a status hint pointing at `./cli.py cleanup`. Matches the PRD's cross-dashboard re-attach model: the dashboard can re-attach either kind, but can only tear down its own. The PRD's chunk 5 ("quit-cleanup") is satisfied by the existing no-op behavior of `q` — per the user's resolved-question answer, quit leaves bottles running unchanged. No code change needed for that. Footer surfaces `[x] stop`. 465 unit tests pass (1 new for the non-owned no-op path; the owned path is integration territory because it drives a real compose-down).	2026-05-26 03:46:57 -04:00
didericis	572306ddb6	feat(dashboard): Enter on agents pane re-attaches to bottle ... PRD 0020 chunk 3. Enter on a focused agents-pane row drops to a claude session inside the selected bottle. Works for both dashboard-owned bottles (looks up the stored Bottle handle in the main loop's `bottles` dict) and externally-discovered ones (synthesizes a DockerBottle from the slug → `claude-bottle-<slug>` container name). For the synthesized path, the `--append-system-prompt-file` target resolves via metadata.json + the manifest's agent prompt if both can be read; otherwise the re-attach runs without the flag (claude defaults to no system prompt, the bottle's other state is untouched). Shares the curses.endwin → attach → refresh handoff with the chunk-2 new-agent flow via a new `_attach_to_bottle` helper. Footer reshuffled to advertise `[Enter] view/attach`. 464 unit tests pass (3 new for `_bottle_for_slug`).	2026-05-26 03:39:58 -04:00
didericis	309ffaa4ab	feat(dashboard): agent picker modal + new-agent (n) flow ... PRD 0020 chunk 2. Pressing `n` opens a modal that lists every agent from the manifest with `(N running)` suffixes for ones that already have bottles up. Type to filter (substring, case-insensitive); j/k or arrows to navigate; Enter to confirm; Esc clears the filter on first press, exits the picker on the second. On confirmation, the dashboard runs: - `prepare_with_preflight` from chunk 1 with curses-modal render + prompt callables (the preflight modal centers the plan summary + captures [y/N]). - `backend.launch(plan).__enter__()` — enters but doesn't bind the context to a `with`. The (cm, bottle, identity) tuple lands in the main loop's `bottles` dict keyed by slug. - `curses.endwin()` → `attach_claude(bottle)` → `stdscr.refresh()` handoff. The agent's claude session takes over the terminal; on exit the dashboard re-renders with the bottle now visible in the agents pane. Crucially the context manager is held alive in `bottles` — never `__exit__`'d at quit. Chunk 4 will wire `x` to that exit; for now bottles started from the dashboard stay running until explicit cleanup. Matches the PRD's "q does not tear down" decision. Footer surfaces `[n] new agent`. 461 unit tests pass (8 new for `_filter_agents` and `_running_counts`).	2026-05-26 03:22:44 -04:00
didericis	a56be6beb5	refactor(start): extract prepare_with_preflight + attach_claude ... PRD 0020 chunk 1. `cli/start.py`'s `_launch_bottle` did three things in one function: prepare + preflight, attach claude, and settle state on teardown. Split them so the dashboard (PRD 0020 chunk 2+) can reuse the prepare + attach pieces piecewise without going through the CLI's one-shot orchestrator: - `prepare_with_preflight(spec, *, stage_dir, render_preflight, prompt_yes, dry_run)` — injects render + prompt callables so the CLI binds them to stderr/stdin while the dashboard binds them to a curses modal. Returns `(plan, identity)`; identity is set after `backend.prepare` returns so callers can reap the prepare-time state dir on abort via `settle_state` in their finally — preserving today's preflight-N cleanup. - `attach_claude(bottle, *, remote_control)` — runs claude inside the bottle and returns its exit code. The dashboard calls this from inside a `curses.endwin` → … → `stdscr.refresh()` handoff. - `capture_session_state` / `settle_state` lose their leading underscore; the dashboard will call them on session-end + explicit-stop respectively. `_launch_bottle` becomes a thin orchestrator over those helpers. No behavior change; all 453 unit tests pass and `./cli.py start implementer --dry-run` produces identical preflight output.	2026-05-26 03:12:29 -04:00
didericis	c9825cf701	refactor(egress): write routes.yaml as actual YAML, not JSON-in-yml ... `egress_render_routes` now emits hand-rolled YAML in the same style as `pipelock_render_yaml`. The egress addon parses it via `yaml_subset.parse_yaml_subset` — the same parser the manifest loader + pipelock_apply use. Why bother: routes.yaml is bind-mounted into the egress sidecar AND surfaced to operators through `routes edit` (PRD 0019). JSON- in-yml renders ugly in $EDITOR and signals "this is data" rather than "this is config you can read at a glance". Real YAML reads cleanly. Mechanics: - `yaml_subset.py` drops its `claude_bottle.log` dependency. Errors now raise `YamlSubsetError` (a `ValueError`); the manifest loader + pipelock_apply catch it at the boundary and forward to `die` / `PipelockApplyError` so callers see the same behavior they did before. - `Dockerfile.egress` adds one COPY line for `yaml_subset.py` so it sits flat in `/app/` next to the addon. The addon uses an absolute-import-with-fallback shim so the same file works inside the container AND from the host's unit tests. - `egress_apply._merge_single_route` round-trips current routes.yaml through `parse_yaml_subset` + a new `_render_routes_payload` helper instead of `json.loads` + `json.dumps`. End-to-end: rebuilt the egress image, ran `./cli.py start` to a full bring-up, confirmed the addon's boot log shows `egress: loaded 9 route(s)` — i.e., the YAML parses inside the container. 453 unit + 3 integration tests pass.	2026-05-26 02:17:42 -04:00
didericis	7b29c81f27	feat(dashboard): agent-scoped e/p, drop discover-and-prompt path ... PRD 0019 chunk 4 (final). The `e` (routes edit) and `p` (pipelock edit) keys now require an agent selection in the agents pane. Pressing them with the proposals pane focused, with no active agents, or with an out-of-range selection is a no-op with a status hint ("no agent selected; Tab into the agents pane first"). The discover-and-prompt scaffolding inside `_operator_edit_routes_flow` / `_operator_edit_allowlist_flow` / `_operator_edit_flow` is gone. The flows now take an `ActiveAgent` + required-service name; they refuse with a clear message when the bottle lacks the requested sidecar (e.g., `routes edit` against a bottle with no `bottle.egress.routes` declared). The `discover_egress_slugs` + `discover_pipelock_slugs` + `_discover_active_with_service` helpers come out — they had no remaining callers. Footer now reads `[e/p] edit selected agent`.	2026-05-26 01:50:28 -04:00
didericis	0abffc4d90	feat(dashboard): Tab toggle + per-pane selection state ... PRD 0019 chunk 3. The TUI now has two focusable panes — proposals and agents — and `Tab` toggles which one the `j/k`/arrow keys move through. Each pane keeps its own selection index. Switching panes doesn't lose the position in the other; the cursor (`>` + reverse-video row) appears only in the focused pane. The label line on each pane shows "(focused)" when active. Footer reshuffled: `[Tab] switch pane [j/k] move [Enter] view [a/m/r] proposal [e/p] edit [q] quit`. When the agents pane is focused and there's no status message to display, the idle status line surfaces the currently-selected agent (or "[no active agents]" / "[no agent selected]" fallbacks) so the operator knows what an agent-scoped edit verb will target after chunk 4 wires them up. Proposal action keys (a/m/r/Enter) are gated on the proposals pane being focused — pressing them with the agents pane focused is a no-op. e/p still use the global discover-and-prompt flow for one more chunk; chunk 4 swaps them to read the agents-pane selection.	2026-05-26 01:37:23 -04:00
didericis	cfd8f269ba	feat(dashboard): render active agents pane below proposals ... PRD 0019 chunk 2. The TUI's main render now draws two panes: proposals on top (existing), active agents on the bottom (new). Header counts both totals. The agents pane refreshes on the same 1s tick — agents starting/stopping reflect without operator action. Each agent row shows slug, agent name, started-time (HH:MM:SS of the metadata.json timestamp), and the bracketed list of sidecars currently up. The `agent` service is filtered out of the displayed list — it's always present so it'd be noise; the sidecars are the differentiator. A bottle whose only running service is `agent` (sidecars still warming up) renders as `(starting)`. No selection model yet — that's chunk 3. The cursor stays in the proposals pane; `j/k`/arrow nav and the proposal action keys are unchanged.	2026-05-26 01:23:59 -04:00
didericis	6e4a9f606f	feat(dashboard): discover_active_agents helper + ActiveAgent dataclass ... PRD 0019 chunk 1. New `discover_active_agents()` in dashboard.py returns one `ActiveAgent(slug, agent_name, started_at, services)` per currently-running compose project: - Slugs come from `list_active_slugs()` (chunk-5 shared helper). - The service set per project comes from ONE label-filtered `docker ps` call (PRD open question #1: avoids N per-bottle `compose ps` invocations on each 1s refresh tick). - agent_name + started_at come from each bottle's metadata.json; "?" / "" fallbacks when the file is missing so the row renders rather than vanishes. Not wired into the TUI yet — chunk 2 renders the agents pane. The parser (`_parse_services_by_project`) is split out as a pure function so the conditional-input shape can be unit-tested without docker.	2026-05-26 01:11:54 -04:00
didericis	1fa3745832	refactor(dashboard): discover via docker compose ls ... PRD 0018 chunk 5. The dashboard's operator-edit verbs (`routes edit`, `pipelock edit`) enumerated running sidecars via `docker ps --filter name=...` prefix scans. Switch to `docker compose ls`-based discovery so the dashboard, cleanup CLI, and launch step all agree on what's running. Mechanics: - `claude_bottle/backend/docker/compose.py` grows three shared helpers: `list_compose_projects` (the JSON parse moved out of cleanup), `slug_from_compose_project` (inverse of `compose_project_name`), and `list_active_slugs` (sugar over the first two for the common "what's running?" question). - cleanup.py drops its private `_list_compose_projects` + `_PROJECT_PREFIX` in favor of the shared ones; `list_active` simplifies (one compose-ls call, not two). - dashboard.py's `_discover_sidecar_slugs` becomes `_discover_active_with_service`: cross-references the active slug list with a label-filtered `docker ps` so only bottles whose given service container is actually up surface in the edit menu. Bottles without an egress sidecar (no bottle.egress.routes) no longer appear for `routes edit`. 3 new unit tests cover the slug ↔ compose-project naming contract; manual probe with a fake compose project confirms both `discover_egress_slugs` and `discover_pipelock_slugs` return the expected slug.	2026-05-26 00:14:16 -04:00
didericis	aee249f119	refactor(cleanup): compose-ls driven, plus orphan state-dir reaping ... PRD 0018 chunk 4. `claude-bottle cleanup` now derives its work from `docker compose ls --all --format json`, filtered to projects whose name starts with `claude-bottle-`. Per project: one `compose down --volumes` removes the containers + the compose-managed networks atomically. The plan also enumerates three fallback buckets: - Stray containers — `claude-bottle-*` containers with no `com.docker.compose.project` label (left over from pre-compose code paths). Cleared via `docker rm -f`. - Stray networks — `claude-bottle-*` networks with no compose project label. Cleared via `docker network rm`. - Orphan state dirs — per-bottle `~/.claude-bottle/state/<id>/` dirs with no live project AND no `.preserve` marker. The `.preserve` marker (capability-block or auto-preserve-on-crash) explicitly opts-out of reaping; manual `rm -rf` is the only path for preserved state. cli/cleanup.py collapses to a single y/N prompt — backend.prepare_cleanup returns everything in one plan, backend.cleanup processes everything, no more double-prompt for state. The CLI-side state-dir enumeration + `_state_summary` flags from PR #25 are gone; the backend's orphan-detection rules subsume them.	2026-05-25 23:48:02 -04:00
didericis	f1c5816d1f	refactor(compose): drop pre-create networks + pipelock CIDR allowlist ... PRD 0018 chunk 4 spike: empirically verified that pipelock's SSRF guard checks proxied-request destinations (e.g. api.anthropic.com → public IP) and not source IPs of incoming connections. The bottle's own internal CIDR was being added to ssrf.ip_allowlist defensively, but that defense isn't load-bearing — direct pipelock probe (`curl --proxy http://pipelock https://api.anthropic.com/`) returns 404 from upstream rather than blocking on SSRF. So: - Networks become compose-managed (`internal: true` on the internal network; the egress one is a normal user-defined bridge). Compose creates + removes them via up/down. - launch.py drops the `docker network create` + `network_inspect_cidr` + pipelock yaml re-render dance. - The pre-create/external scaffolding from chunk 3 goes with it. End-to-end `./cli.py start` still works; cleanup leaves no orphans. If real-world use surfaces an SSRF block we hadn't predicted, the allowlist can come back via subnet-pinning rather than pre-create.	2026-05-25 23:48:02 -04:00
didericis	cefdc8c6e9	feat(launch): switch start to docker compose project per bottle ... PRD 0018 chunk 3. Each instance is now one `docker compose` project: - launch.py renders the compose spec via chunk-1's bottle_plan_to_compose, writes it to state/<slug>/docker-compose.yml, `docker compose up -d`s, and (on teardown) dumps `docker compose logs --no-color --timestamps` to state/<slug>/compose.log before `docker compose down`. - Networks are pre-created (`docker network create --internal` + user-defined bridge) so pipelock yaml can know the internal CIDR before compose-up. Compose references them with `external: true`; the launch step's ExitStack still owns network removal. - Agent still runs `sleep infinity`; claude reaches it via `docker exec -it` exactly like before (per the PRD's resolved TTY question). - metadata.json grows a `compose_project` field so dashboard / cleanup tooling can derive compose invocations without re-deriving the slug. Security follow-ups from chunk-2 review: (b) CA private keys: pipelock + egress ca-key.pem land at 0o600 explicitly. The mitmproxy cert+key concat stays 0o644 because the egress container's uid-1000 user reads it through the bind mount; parent dir at 0o700 still restricts host-side reach. (c) Apply atomicity: egress_apply + pipelock_apply switch from `docker cp` to host-side write-temp-then-rename on the bind-mount source. POSIX rename is atomic on the same filesystem, so a sidecar SIGHUP racing the apply can't see a half-written routes.yaml / pipelock.yaml. Per-sidecar Docker{Sidecar}.start/stop methods stay in place — the integration test suite drives them directly to validate each image in isolation, which is still useful. launch.py no longer calls them; a follow-up chunk can prune if the integration tests move to the compose lifecycle. git-gate entrypoint's chmod 600 on the keyfile + known_hosts now tolerates EROFS (`|| true`) — the host SSH key is already 0600 (SSH refuses to load otherwise), so the inside-container chmod was already a no-op in the docker-cp path and now just needs to not error on the read-only bind mount. 422 unit tests pass; supervise integration test passes; end-to-end `./cli.py start implementer` brings up the project, attaches, captures full merged logs on teardown, and reaps all containers + networks.	2026-05-25 23:16:40 -04:00
didericis	4760a09263	feat(compose): pure renderer for bottle plan -> compose dict ... PRD 0018 chunk 1. New module `claude_bottle/backend/docker/compose.py` exposing `bottle_plan_to_compose(plan) -> dict` — a pure function that translates a fully-resolved DockerBottlePlan into a Compose v2 spec. Not wired in yet. Tests cover the conditional-service matrix (git on/off × egress on/off × supervise on/off) plus per-service shape (images vs builds, network aliases, bind mounts, env vars, depends_on).	2026-05-25 22:28:50 -04:00
didericis	1e5b0dcfca	refactor: rename egress-proxy → egress everywhere ... The manifest key is `egress:` now; finish the rename so the rest of the codebase matches. Files (Dockerfile.egress, claude_bottle/egress.py etc.), classes (Egress, EgressConfig, EgressRoute, EgressPlan, DockerEgress), constants (EGRESS_HOSTNAME, EGRESS_ROUTES, ...), container name prefix (claude-bottle-egress-*), docker network alias (egress), the introspection host (_egress.local), the MCP tool IDs (egress-block, list-egress-routes), and the preflight label all drop the `-proxy` suffix.	2026-05-25 21:59:47 -04:00
didericis	14c8a51c16	refactor(manifest): rename egress_proxy key to egress ... Now that `bottle.egress` (the old allowlist/dlp_action block) is gone, the longer `egress_proxy:` disambiguator isn't needed. The manifest field reads more naturally as just `egress:` with the same nested `routes: [...]` shape. Renamed: - Manifest YAML key: `egress_proxy:` → `egress:` - Bottle dataclass attr: `bottle.egress_proxy` → `bottle.egress` - `_BOTTLE_KEYS` entry, schema docstring, and all user-facing error message labels (`egress.routes[N]`, `egress has unknown key …`, etc.). Kept (these refer to the egress-proxy SIDECAR, not the manifest field): - File names: `egress_proxy.py`, `egress_proxy_apply.py`, `egress_proxy_addon.py`, `egress_proxy_addon_core.py`. - Class names: `EgressProxyConfig`, `EgressProxyRoute`, `EgressProxyPlan`, `EgressProxy`, `DockerEgressProxy`. - Helper names: `egress_proxy_manifest_routes`, `egress_proxy_routes_for_bottle`, `egress_proxy_token_env_map`, etc. - Constants: `EGRESS_PROXY_HOSTNAME`, `EGRESS_PROXY_ROLES`, `EGRESS_PROXY_AUTH_SCHEMES`, `EGRESS_PROXY_FORWARD_PROXY`, `EGRESS_PROXY_INTROSPECT_URL`, `EGRESS_PROXY_PORT`, etc. - Container name prefix `claude-bottle-egress-proxy-*`, the `egress-proxy` docker network alias, the `egress-proxy-block` + `list-egress-proxy-routes` MCP tool IDs, the `egress-proxy` audit-log component label. Local bottle migrated (`~/.claude-bottle/bottles/dev.md` already updated). The legacy `egress_proxy` key isn't surfaced anywhere anymore; the generic unknown-key validator catches typos with a "did you mean: egress, env, git, supervise" hint. 409 unit + integration tests pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 21:25:51 -04:00
didericis	6456904763	refactor(manifest): drop bottle.egress field, egress_proxy is the only allowlist ... Goal: one allowlist surface (egress_proxy.routes), no second free-form `egress:` knob. Anything that used to live there now goes in `egress_proxy.routes` as a bare-pass entry (`- host: <name>`). Removed: - `BottleEgress` dataclass + DLP_ACTIONS constant + bottle.egress field on `Bottle`. - `pipelock_bottle_allowlist` helper. - `pipelock_allowlist_summary` helper (the compact preflight summary stopped using it after PR #31). - `allowlist_summary` field on `DockerBottlePlan`. - `bottle.egress.allowlist` folding in `egress_proxy_routes_for_bottle` — only DEFAULT_ALLOWLIST auto-folds now. - The two-branch logic in `pipelock_effective_allowlist` (egress-proxy-present vs not) — pipelock now just mirrors `egress_proxy_routes_for_bottle` unconditionally. Hard-coded: - `request_body_scanning.action = "block"` in `pipelock_build_config` (was driven by `bottle.egress.dlp_action`). The previous default was already "block" — the knob to switch to "warn" was a foot-gun in a sandboxed agent context, so it's gone. Tests: - `test_pipelock_allowlist.py` rewritten to assert the mirrored-from-egress-proxy semantics directly. - `test_manifest_md_load.py`, `test_pipelock_yaml.py`, `test_egress_proxy.py` fixtures migrated to put hosts in `egress_proxy.routes` instead of `egress.allowlist`. Local bottle migrated too: `~/.claude-bottle/bottles/dev.md` loses the `egress: { allowlist: [example.com] }` block, picks up a bare-pass `- host: example.com` route. 409 unit + integration tests pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 21:12:56 -04:00
didericis	572106d98f	refactor(cli): drop --format=json end-to-end ... Companion to the compact preflight in #31 — the JSON format was the structured alternative to the verbose text summary. With the new compact text already on screen, no consumer was using the JSON shape, and the abstract `BottlePlan.to_dict` was the biggest piece of API surface no one is implementing against. Removed: - `--format` CLI flag from `start` and `resume`. - `output_format` kwarg from `_launch_bottle`. - `BottlePlan.to_dict` abstract method. - `DockerBottlePlan.to_dict` (60-line dict builder). - The `_PlanView` dataclass — `print` was the only remaining caller, so the env-name computation is inlined. - `tests/integration/test_dry_run_plan.py` (JSON-shape integration test). - `tests/unit/test_cli_start_format.py` (flag-conflict unit). Plan-introspection is still possible by reading the `DockerBottlePlan` dataclass directly — fields like `image`, `container_name`, `stage_dir`, `use_runsc` are all there. Tooling that needs a stable wire shape can JSON-serialize the dataclass themselves. 411 unit + integration tests pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 20:54:51 -04:00
didericis	6c886200d9	revert(egress-proxy): drop wildcard host support entirely ... The apex-vs-subdomain question, the cert/SNI mismatch when pipelock-passthrough hosts have wildcard certs, and the mirror-divergence corner cases stacked up faster than the feature earned its keep. Going back to exact-host match only. Addon (`match_route`): single pass, case-insensitive exact match. `*.foo.com` in a route table is now a literal string that won't match anything — operators that want subdomains declare them individually. Pipelock mirror (`_pipelock_safe_hosts`): silently drops hosts that don't fit pipelock's `[A-Za-z0-9_.-]+` charset (wildcards, IPv6 literals, stray chars). Previously normalised wildcards to their suffix; now just drops them, which matches egress-proxy's behavior of not matching them either. 8 wildcard test cases removed; 2 lightweight "wildcards are not supported" assertions retained as documentation. 386 unit pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 19:48:35 -04:00
didericis	6177c0518e	fix(egress-proxy-addon): wildcard hosts also match the apex ... `*.example.com` now matches `example.com` itself in addition to every subdomain. RFC 6125 TLS-wildcard semantics excluded the apex; an allowlist's natural reading of `*.example.com` is "all of example.com" — and the pipelock mirror already strips `*.example.com` to `example.com`, so without the apex match the two layers disagreed (pipelock allowed the apex, egress-proxy blocked it). Behavior: - `*.example.com` matches `example.com` (apex) - `*.example.com` matches `foo.example.com` (subdomain) - `*.example.com` matches `a.b.example.com` (nested) - `*.example.com` does NOT match `barexample.com` (label boundary required) Test renamed: `test_wildcard_does_not_match_apex` → `test_wildcard_matches_apex`. 395 tests pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 19:16:33 -04:00
didericis	811a6fbfe9	feat(egress-proxy-addon): wildcard host matching with exact-match precedence ... PRD 0017 v1 deliberately punted wildcards ("Exact match in v1 — globs / wildcards are a follow-up"). Now that the supervise mirror strips `*.` to its suffix for pipelock, the addon needs to actually match wildcard hosts on its side or the route is dead weight. Addon `match_route` now does two passes: 1. Exact (case-insensitive) literal match on the hostname. 2. Wildcard suffix match: a route whose host starts with `*.` matches any request host that ends with `.<suffix>`. So `*.example.com` matches `foo.example.com` and `a.b.example.com`, but NOT the apex `example.com` and not `barexample.com` (the leading `.` of the suffix is required). Exact wins — operators can layer a specific route (e.g. `api.github.com` with auth) on top of a broader wildcard (e.g. `*.github.com` bare-pass). 8 new unit tests: direct subdomain match, nested subdomain match, apex rejection, overlapping-suffix rejection, case-insensitive, exact-wins-over-wildcard (both route orders), no-match fall-through. 395 unit + integration pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 19:10:22 -04:00
didericis	e26fe874e4	fix(egress-proxy-apply): wildcard hosts normalise to suffix in pipelock mirror ... Previous fix stripped wildcard hosts entirely from the pipelock mirror; the operator wanted the suffix kept so pipelock pins the base hostname. Now `*.example.com` becomes `example.com` in the mirror — egress-proxy keeps the wildcard for its own host match, pipelock allows the suffix. Behavior change: - `*.example.com` → `example.com` (was: dropped) - `*.foo.bar.com` → `foo.bar.com` (one `*.` strip, not recursive) - `*` → dropped (normalises to empty) - `example.com` → `example.com` (unchanged) - `[::1]`, etc. → dropped (still off pipelock's charset after any prefix strip) Adds explicit de-dup so `*.example.com` + `example.com` collapse to one entry. Existing wildcard-strip test reshaped + 3 new edge-case tests. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 19:00:06 -04:00
didericis	93f7d248f6	fix(egress-proxy-apply): strip pipelock-incompatible hosts from mirror ... Pipelock's allowlist parser only accepts `[A-Za-z0-9_.-]+` literal hostnames. Wildcard routes (`*.example.com`) that egress-proxy's route table accepts trip pipelock's parser the moment the mirror tries to render them into the new yaml; the whole apply fails before pipelock is even touched. Symptom: operator approves an egress-proxy-block proposal, gets "pipelock allowlist mirror failed: allowlist line N: '<wildcard>' has disallowed characters." Fix: `_mirror_hosts_to_pipelock` filters through `_pipelock_safe_hosts` before merging — anything outside pipelock's allowed charset is silently skipped. Wildcard routes stay live on egress-proxy; pipelock just won't pin a hostname for the wildcard-matched traffic (caller's call to accept the hostname-only enforcement gap there). Adds 4 unit tests covering normal hostnames pass-through, wildcard stripping, IPv6-literal stripping, and order preservation. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 18:54:30 -04:00
didericis	1542ee0b93	feat(egress-proxy-block): single-route input + merge-on-apply ... Instead of asking the agent to compose and submit a full routes file, the tool now takes ONE proposed route — host + optional path_allowlist + optional auth — and the supervisor merges it into the live routes table at approval time. The agent no longer needs to fetch / reproduce / extend the existing allowlist; it just describes the host it wants reachable. Tool input (new): - `host` (required) - `path_allowlist` (optional, array of absolute path prefixes) - `auth` (optional, {scheme, token_ref}) - `justification` (required) Merge semantics (in `egress_proxy_apply._merge_single_route`): - Host NOT in current routes → append the proposed route as a new entry. If `auth` is set, assign the next EGRESS_PROXY_TOKEN_N slot. - Host already present → union the proposed `path_allowlist` with the existing one (proposed entries appended after existing, deduped). Existing `auth_scheme` / `token_env` preserved; proposed `auth` ignored (operator-controlled, not agent-controlled). - Hostname comparison is case-insensitive. Dashboard wiring: `approve()` on an egress-proxy-block proposal now calls `add_route(slug, proposed_route_json)` instead of `apply_routes_change(slug, full_file)`. add_route fetches the current routes from the running egress-proxy, merges, and calls apply_routes_change with the merged content — so the pipelock-mirror + SIGHUP plumbing from chunk 3 still runs end-to-end. Audit diff still captures the full-file before/after. Tool description rewritten to make the new shape obvious and to stop pointing the agent at the routes file. The `list-egress-proxy-routes` tool stays available for agents that want to see what's currently allowed. Tests: 9 new `_merge_single_route` cases (host absent/present, path-allowlist union+dedup, auth-slot indexing, case-insensitive match, existing-auth preservation, missing-host rejection, malformed-current rejection). 407 unit + integration pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 18:45:17 -04:00
didericis	3be70eb07a	feat(supervise): list-egress-proxy-routes MCP tool, defaults on egress-proxy ... Reshape the allowlist topology so the egress-proxy is the bottle's single allowlist surface, and replace the agent-side routes/allowlist file mounts with a live MCP tool. Policy change (move defaults to egress-proxy): - `egress_proxy_routes_for_bottle(bottle)` now folds in DEFAULT_ALLOWLIST (the claude-code defaults) and `bottle.egress.allowlist` (user adds) as bare-pass routes (no auth, no path filter), on top of the bottle's `egress_proxy.routes`. Manifest routes win on host collision. - `pipelock_effective_allowlist(bottle)` mirrors egress-proxy's effective host set when egress-proxy is in use. Pipelock is no longer the bottle's primary allowlist authority; it enforces a downstream copy as defense-in-depth + does DLP body scanning. - Split out `egress_proxy_manifest_routes(bottle)` for callers that want just the manifest entries (tests, internal use). - DEFAULT_ALLOWLIST moves from `pipelock.py` to `egress_proxy.py` (pipelock re-imports for the no-egress-proxy fallback path). - Dropped the `egress-proxy` auto-allow on pipelock's allowlist — the agent never dials egress-proxy via the proxy mechanism; pipelock only sees upstream hostnames from egress-proxy's CONNECTs. Introspection endpoint (existing mitmproxy feature): - Egress-proxy addon recognises requests to the magic host `_egress-proxy.local` and synthesizes responses via `flow.response = http.Response.make(...)` — no upstream connection, no allowlist enforcement on the magic host. - `GET /allowlist` returns the in-memory route table as JSON (host + path_allowlist + auth_scheme + token_env per route; no token VALUES). - Smoke-tested end-to-end against a real egress-proxy container. MCP tool (existing supervise plumbing): - New `list-egress-proxy-routes` tool (no inputs, no operator approval). Handler fetches via egress-proxy's introspection endpoint using urllib's ProxyHandler against `EGRESS_PROXY_FORWARD_PROXY`. Returns the JSON payload as the tool's text content; `isError: true` if the proxy is unreachable. - `egress-proxy-block` description now points the agent at `list-egress-proxy-routes` instead of a staged file path. - `pipelock-block` description acknowledges the mirror — agents should prefer `egress-proxy-block` to add hosts; pipelock-block stays for the rare divergence case. Drop agent-side file mounts: - Supervise's `current-config` dir staging no longer writes routes.yaml / allowlist. Only `Dockerfile` remains (capability-block still reads it from `/etc/claude-bottle/current-config/Dockerfile`). - `prepare.py` stops passing `routes_content` / `allowlist_content` to `supervise.prepare`. - `Supervise.prepare` signature simplified to one `dockerfile_content` kwarg. Tests: 400 unit + integration pass. Added coverage for defaults-folding (`TestRoutesForBottleFoldsDefaults`), the new tool definition + handler, and the updated supervise.prepare shape. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 18:23:01 -04:00
didericis	1cec0d9aa6	feat(egress-proxy-apply): mirror new route hosts into pipelock allowlist ... When the operator approves an egress-proxy-block proposal that adds a host to egress-proxy's routes, the request would still 403 downstream at pipelock — pipelock's hostname allowlist is set at bottle launch and doesn't learn about routes added later. The agent saw "Approved" but the very next retry still failed. Fix: `apply_routes_change` now mirrors every host in the proposed routes onto pipelock's allowlist before flipping egress-proxy. Order matters — pipelock first so a pipelock failure doesn't leave egress-proxy in a half-state: 1. Validate the new routes content. 2. Extract the hosts. 3. Merge them onto pipelock's current allowlist (`apply_allowlist_change` — restarts pipelock with the merged yaml). No-op when every host is already present. 4. docker cp the new routes.yaml into egress-proxy + SIGHUP. If pipelock's restart fails, egress-proxy is untouched and the operator gets a clear error pointing at the pipelock half-state. If egress-proxy's update fails after pipelock succeeded, pipelock just has the host pre-allowlisted — harmless extra-permissive until the operator retries. Adds `_hosts_in_routes` helper using the addon's own parser (so the mirrored host set matches exactly what the addon will match on). 4 new unit tests; 368 total pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 17:34:10 -04:00
didericis	fad76d3364	fix(supervise): stage current-config routes file as routes.yaml ... The supervise sidecar mounted a snapshot named routes.json into the agent at /etc/claude-bottle/current-config/routes.json, but the egress-proxy-block tool description (and the live proxy file the apply step writes) say routes.yaml. The agent couldn't find the file at the documented path, composed proposals against stale or empty current state, and reported "routes wasn't updated on disk" because it was looking at the wrong filename. Rename the staged file to routes.yaml so the tool description, the staged snapshot, and the live proxy file all agree on the name. Content stays JSON-in-a-yaml-extension (per PRD 0017 chunk 1's decision: every JSON document is valid YAML, stdlib parsers handle it on both ends). Note: the staged file is still a one-shot snapshot taken at bottle prep time. It does NOT auto-update when the operator approves an egress-proxy-block. Agents that want to verify their proposal took effect should retry the request that triggered the block — a successful upstream response is the real signal. Fixing the snapshot-staleness UX is a separate follow-up. Tests migrated from routes.json → routes.yaml. 364 pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 17:01:12 -04:00
didericis	f807ed1149	fix(egress-proxy): force traffic through pipelock + block unallowlisted hosts ... Two issues stopping the bottle's egress allowlist from being enforced: 1. mitmproxy was bypassing pipelock. We set HTTPS_PROXY=pipelock in the egress-proxy container's env, but mitmproxy is a proxy *server* — it does NOT honor HTTP(S)_PROXY env vars on its outbound side the way HTTP-client libraries do. All post-MITM traffic was going direct to the upstream, never touching pipelock's hostname allowlist or DLP scanner. Fix: use mitmproxy's `--mode upstream:URL` flag. The Dockerfile entrypoint now reads a new `EGRESS_PROXY_UPSTREAM_PROXY` env (set by `DockerEgressProxy.start` to the pipelock URL when pipelock is in the topology) and switches mitmdump to upstream-proxy mode. Standalone runs of the image without the env still get `--mode regular@9099` direct-to-upstream — useful for unit-test boots. Confirmed in the boot log: "HTTP(S) proxy (upstream mode) listening at *:9099." 2. egress-proxy was forwarding unrecognized hosts. The addon's `decide()` returned `Decision(action="forward")` whenever no route matched the request host, deferring to pipelock to gate. With #1 broken pipelock wasn't gating either; even with #1 fixed, defense-in-depth wants both layers enforcing. Fix: no-route-match → 403 with a "host not in allowlist" reason. The egress allowlist is now strictly the set of hosts declared in `bottle.egress_proxy.routes`; bare-pass routes (host with no auth, no path_allowlist) cover the passthrough case for hosts that just need reach. path_allowlist enforcement on matched routes is unchanged. Test updated: `test_no_matching_route_forwards` → `test_no_matching_route_blocks`. 364 unit tests pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 16:38:18 -04:00
didericis	f04fbb68a9	feat(egress-proxy): drive claude-code OAuth placeholder off a role marker ... The chunk 2 detection keyed on `token_ref == "CLAUDE_CODE_OAUTH_TOKEN"`, which broke any bottle whose host env var has a different name (e.g. `CLAUDE_BOTTLE_OAUTH_TOKEN`). The token_ref is the user's choice — the placeholder-env trigger shouldn't be locked to one specific string. Restoring a minimal `role` marker on `EgressProxyRoute`: - `EGRESS_PROXY_ROLES = frozenset({"claude_code_oauth"})` — one marker for now; the field is back so we can grow it. - `EGRESS_PROXY_SINGLETON_ROLES` — claude_code_oauth is a singleton (only one route per bottle can carry it). - `Role: tuple[str, ...]` field on `EgressProxyRoute` (manifest + runtime), parsed as string or list-of-strings; unknown roles are rejected so typos can't become silent no-ops. `prepare.py:has_anthropic_auth` now checks for `"claude_code_oauth" in r.roles` instead of matching a literal token_ref string. Bottles can name their host OAuth env var anything; the role marker is what flips on `CLAUDE_CODE_OAUTH_TOKEN=<placeholder>` and the telemetry-off env vars on the agent. Test coverage: 7 new manifest tests (omitted / string / list / unknown role rejected / non-string rejected / list-item non-string rejected / singleton enforced). 364 tests pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 15:28:11 -04:00
didericis	9cd583fbbb	feat(egress-proxy): retarget remediation at egress-proxy (PRD 0017 chunk 3) ... Finishes PRD 0017. The `cred-proxy-block` MCP tool is renamed and its remediation apply path is repointed at egress-proxy. - `claude_bottle/supervise.py` — `TOOL_CRED_PROXY_BLOCK` → `TOOL_EGRESS_PROXY_BLOCK`; `COMPONENT_FOR_TOOL` maps the new tool ID to `egress-proxy` for audit-log routing. - `claude_bottle/supervise_server.py` — tool definition renamed + description rewritten: "Call when egress-proxy refused your HTTPS request ... Read the current routes.yaml from /etc/ claude-bottle/current-config/routes.yaml, compose a modified version, pass the full new file plus a justification." The syntactic validator dispatches on the new tool ID. - `claude_bottle/backend/docker/egress_proxy_apply.py` — renamed from `cred_proxy_apply.py`. Reads routes.yaml from /etc/egress-proxy/routes.yaml via `docker exec cat`; validates via `egress_proxy_addon_core.load_routes` (so both sides use the same parser); writes via `docker cp`; SIGHUPs egress-proxy with `docker kill --signal HUP`. `EgressProxyApplyError` replaces `CredProxyApplyError`. - `claude_bottle/cli/dashboard.py` — wires the new apply + `discover_egress_proxy_slugs` helper; the operator-initiated `routes edit <bottle>` verb now writes to egress-proxy with `.yaml` suffix. Stale follow-up comment about path-aware filtering removed — PRD 0017 settled that question. - `tests/integration/test_supervise_sidecar.py` — restores the approval round-trip test (chunk 2 had switched it to a reject path because no cred-proxy existed). Approval stubs `apply_routes_change` so the test focuses on the supervise queue/response plumbing rather than docker-exec into a real egress-proxy sidecar (that's covered separately). - `tests/unit/test_egress_proxy_apply.py` — rewritten against the new validator; covers JSON shape, missing routes key, partial-auth-pair rejection (the addon-core parser catches these before SIGHUP). - PRDs 0010 + 0014 — status headers updated to Superseded / Retargeted with a callout block pointing at PRD 0017's migration section. Historical text preserved. 384 unit + integration tests pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 15:13:44 -04:00
didericis	4abea282e0	revert(egress-proxy): drop Role + agent provisioner (keep git-push block) ... Partial revert of fa06a3a. The role + agent-side provisioner felt overengineered: anthropic-base-url + npm-registry's only realistic host values match the tool defaults, so the role tags drove no-op dotfile writes most of the time. If non-default npm registry / tea config is needed in a future bottle, we can ship it through a more direct mechanism then. What stays from fa06a3a: - Universal HTTPS git-push block in the egress-proxy addon (`is_git_push_request` in egress_proxy_addon_core, called from the request hook before route matching; 403s git-receive-pack regardless of route). This is the security backstop so git-gate remains the only outbound write path; PR #29 keeps it. What gets reverted: - `Role` field on EgressProxyRoute (manifest + runtime). - `EGRESS_PROXY_ROLES` + `EGRESS_PROXY_SINGLETON_ROLES` constants and singleton-role validation. - `backend/docker/provision/egress_proxy.py` (npmrc + tea config). - `provision_egress_proxy` slot in `BottleBackend.provision`. - `prepare.py`'s role-based ANTHROPIC_BASE_URL detection (back to the token_ref="CLAUDE_CODE_OAUTH_TOKEN" auto-detect). - Manifest + provisioner tests for the above. 355 unit + 24 integration tests pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 15:02:15 -04:00
didericis	fa06a3a0ab	feat(egress-proxy): block HTTPS git push + restore role provisioner ... Two related fixes on top of PR #29's chunk-2 cutover: 1. Universal HTTPS git-push block in the egress-proxy addon (`is_git_push_request` in egress_proxy_addon_core, called from the mitmproxy request hook before route matching). 403s any `/git-receive-pack` or `info/refs?service=git-receive-pack` — defense in depth so git-gate (PRD 0008) remains the only outbound path for writes, gitleaks-scanned by its pre-receive. Replicates cred-proxy's `is_git_push_request` behavior. 2. Restored agent-side role provisioner. Brings back `Role` on EgressProxyRoute (manifest + runtime) with three roles — `anthropic-base-url`, `npm-registry`, `tea-login`. Singleton constraint on the first two carries over from cred-proxy. `git-insteadof` is intentionally absent (option 1 above handles the push-bypass concern, and the canonical-URL rewrite has no function when egress-proxy is on HTTPS_PROXY). The provisioner (`backend/docker/provision/egress_proxy.py`): - `~/.npmrc` registry= the canonical upstream URL. - `~/.config/tea/config.yml` logins[] entry per tea-login route. - `ANTHROPIC_BASE_URL` env set in prepare.py based on the anthropic-base-url role (was a token_ref="CLAUDE_CODE_OAUTH_TOKEN" check in this PR's earlier draft — the role marker is cleaner and matches the cred-proxy precedent the user wants kept). All three dotfile values point at canonical upstream URLs; the agent's HTTPS_PROXY=egress-proxy routes them through the proxy automatically. Tests: 11 new role-validation tests, 11 new provisioner-render tests, the chunk-1 manifest fixture exercise role=anthropic-base-url. 400 tests pass (was 376). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 14:48:13 -04:00
didericis	70f773ac61	feat(egress-proxy): cutover from cred-proxy (PRD 0017 chunk 2) ... Hard cutover. cred-proxy is deleted; egress-proxy is now the agent's HTTP_PROXY (when routes are declared) with pipelock on its outbound leg. Two per-bottle CAs are minted: egress-proxy's (agent trust store) and pipelock's (egress-proxy's outbound trust store). Manifest: - `bottle.cred_proxy` → hard error with a migration recipe. - `bottle.egress_proxy` is the new shape (PRD 0017 chunk 1). - CredProxy* types + role validators removed. Wiring: - launch.py: `egress_proxy_tls_init` mints the egress-proxy CA (cert+key concat for mitmproxy + cert-only for agent trust); `DockerEgressProxy.start` docker-cps both CAs in, sets `HTTPS_PROXY=pipelock` + `EGRESS_PROXY_UPSTREAM_CA` so mitmdump trusts pipelock's MITM. Agent's HTTP_PROXY points at egress-proxy when routes exist, else falls back to pipelock (no-routes bottles unchanged). - prepare.py / backend.py: `cred_proxy` arg → `egress_proxy`; sidecar-orphan probe + plan field + dashboard view all renamed. - provision_ca: selects the egress-proxy CA when present, else pipelock's (filename renamed to claude-bottle-mitm-ca.crt). - bottle.provision: cred-proxy dotfile rewrites (~/.npmrc, ~/.gitconfig insteadOf, tea config) are gone — HTTP_PROXY catches everything respecting it. Pipelock helpers: - `pipelock_token_hosts` → `pipelock_route_hosts` (now reading egress_proxy.routes). - cred-proxy hostname auto-allow → egress-proxy hostname auto-allow. - Anthropic seed-phrase workaround now triggers when an egress_proxy route targets api.anthropic.com (was based on the cred-proxy `anthropic-base-url` role). Dockerfile.egress-proxy: - Entrypoint conditionally passes `--set ssl_verify_upstream_trusted_ca=$EGRESS_PROXY_UPSTREAM_CA` (via the `${VAR:+...}` shell expansion) so standalone runs without a mounted pipelock CA still boot. - mkdirs `/home/mitmproxy/.mitmproxy` ahead of `docker cp`. Deleted: claude_bottle/{cred_proxy,cred_proxy_server}.py, backend/docker/{cred_proxy,provision/cred_proxy}.py, Dockerfile.cred-proxy, plus the corresponding unit + integration tests. backend/docker/cred_proxy_apply.py stays as a stub for chunk 3 to rewrite (its container-name + routes-path constants are inlined so it survives without the deleted module). Test changes: - test_pipelock_allowlist rewritten against egress-proxy routes + the new `pipelock_route_hosts`. - test_manifest_md_load + test_pipelock_yaml + test_yaml_subset fixtures migrated to the `egress_proxy: { routes: [...] }` shape. - test_supervise_sidecar's round-trip test switched from `dashboard.approve` to `dashboard.reject`: the approval-apply path on cred-proxy-block proposals hits a deleted sidecar in chunk 2's transitional state. Chunk 3 restores the approval test once the remediation flow is retargeted at egress-proxy. 376 tests pass (was 427; net delta is removed cred-proxy tests). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-25 14:30:39 -04:00