Commit Graph

3 Commits

Author SHA1 Message Date
didericis a21115e032 fix(pipelock): verify and document sidecar argv against pinned image
PR #1 reviewer flagged the sidecar argv as unverified. Pulled the pinned
digest (ghcr.io/luckypipewrench/pipelock@sha256:3b1a39…6de9), inspected
ENTRYPOINT (`/pipelock`) and CMD (`run --listen 0.0.0.0:8888`), and read
`pipelock run --help` directly from the image. The forward-proxy listen
flag is `--listen` (no `--mcp-` prefix) — `--mcp-listen` is for the
separate MCP HTTP listener, not the forward proxy we use. Smoke-tested
the exact argv against the digest and confirmed the /health endpoint
responded on :8888.

The argv was already correct; this commit records the verification in a
load-bearing comment so future readers don't have to re-derive it.

Assisted-by: Claude Code
2026-05-08 01:17:18 -04:00
didericis 55bb230969 fix(network): create user-defined egress bridge for pipelock sidecar
Docker's legacy `bridge` network has no embedded DNS resolver — only
user-defined bridges do — so attaching the pipelock sidecar to `bridge`
made it unable to resolve `api.anthropic.com` and dead-ended Claude Code
traffic. Add `network_create_egress`, refactored around a shared
`_network_create_with_prefix` helper, and wire it through `pipelock_start`
and `cli.sh` so the sidecar straddles the agent's --internal network and
a per-agent user-defined egress bridge instead. The agent container
itself still attaches to the internal network only.

Assisted-by: Claude Code
2026-05-08 01:16:46 -04:00
didericis 18e34af583 feat(pipelock): add lib/pipelock.sh sidecar lifecycle + YAML generator
Adds the pipelock half of the PRD 0001 egress topology:

- Pins the pipelock image by digest (sha256:3b1a39...) for the
  multi-arch ghcr.io/luckypipewrench/pipelock:2.3.0 manifest list,
  resolved on 2026-05-08. The registry uses unprefixed tags, so the
  v2.3.0 GitHub release maps to the 2.3.0 Docker tag.
- Bakes in the default allowlist for Claude Code's required hosts
  (api.anthropic.com, statsig.anthropic.com, sentry.io, claude.ai,
  platform.claude.com, downloads.claude.ai, raw.githubusercontent.com)
  and unions it with the bottle's egress.allowlist for the effective
  list.
- Generates a minimum-viable YAML config at mode 600: strict mode +
  enforce + api_allowlist + forward_proxy.enabled + DLP defaults +
  scan_env. No env values, no secrets, hostnames only. Schema keys
  cite pipelock's docs/configuration.md inline.
- Sidecar lifecycle: docker create → docker cp the YAML in → connect
  to the default bridge for upstream egress → docker start. Avoids
  bind mounts (Docker Desktop ownership quirks). Stop is idempotent
  for use in cli.sh's exit trap.
- Helper for the y/N preflight: one-line summary "<N> hosts allowed
  (host1, host2, host3 +M more)".

Refs: docs/prds/0001-per-agent-egress-proxy-via-pipelock.md
Refs: docs/research/pipelock-assessment.md

Assisted-by: Claude Code
2026-05-08 00:58:37 -04:00
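
The allowlist union and y/N preflight summary described in the 18e34af583 message, as an added example; it is not code from lib/pipelock.sh. The function names, the lowercase and first-seen ordering, and the bare-hostname validation are assumptions of this example.

```bash
# Added example: function names are hypothetical, not taken from lib/pipelock.sh.

# Default hosts for Claude Code, as listed in the commit message.
DEFAULT_ALLOWLIST="api.anthropic.com statsig.anthropic.com sentry.io claude.ai platform.claude.com downloads.claude.ai raw.githubusercontent.com"

# Assumption: entries must be bare hostnames (no scheme, path, port, wildcard).
is_hostname() {
  case "$1" in *[!A-Za-z0-9.-]*) return 1 ;; esac
  printf '%s' "$1" |
    grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Union of the defaults and the caller's hosts: lowercased, de-duplicated,
# first-seen order, one per line. Fails closed on the first invalid entry.
effective_allowlist() {
  local host seen=" " out=""
  for host in $DEFAULT_ALLOWLIST "$@"; do
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    is_hostname "$host" || { echo "rejected allowlist entry: $host" >&2; return 1; }
    case "$seen" in *" $host "*) continue ;; esac
    seen="$seen$host "
    out="$out$host
"
  done
  printf '%s' "$out"
}

# One-line preflight summary: "<N> hosts allowed (host1, host2, host3 +M more)".
allowlist_summary() {
  local list n shown more
  list=$(effective_allowlist "$@") || return 1
  n=$(printf '%s\n' "$list" | grep -c .)
  shown=$(printf '%s\n' "$list" | head -n 3 | paste -sd, - | sed 's/,/, /g')
  more=$((n - 3))
  if [ "$more" -gt 0 ]; then
    printf '%s hosts allowed (%s +%s more)\n' "$n" "$shown" "$more"
  else
    printf '%s hosts allowed (%s)\n' "$n" "$shown"
  fi
}
```

Rejecting anything that is not a bare hostname before the union keeps a URL or wildcard in a bottle's egress.allowlist from silently widening what the operator approves at the y/N prompt.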