Two related bugs:
1. Auth chain bypassed egress. After the Docker-Desktop port
pivot, the agent always dialed pipelock directly — meaning
egress (which holds the real OAuth token and rewrites the
Authorization header) wasn't in the request path. Bearer
placeholder reached anthropic verbatim → 401 "Invalid bearer
token". Fix: when the bottle declares egress.routes, the
agent's first hop is egress (publish egress port 9099 to host
loopback, leave pipelock bundle-internal). Without routes,
the agent dials pipelock directly. Same hop order as the
docker backend.
2. provision_ca's update-ca-certificates SIGKILLed at ~100ms
on Docker Desktop. Back-to-back `smolvm machine exec` calls
immediately after machine_start hit a VM warm-up race in
libkrun's exec channel; the second exec's child got
SIGKILL'd before producing more than the first line of
stdout. The agent's trust store never got the egress MITM
CA's hash symlink, so curl/openssl couldn't validate the
TLS chain. Fix: 1.5s sleep after machine_start (empirically
enough), plus fold provision_ca's chown + chmod +
update-ca-certificates into one `sh -c` so we only pay one
exec round trip. Bail with a clear error if update-ca-
certificates doesn't report "1 added" (failing silently was
how the original SIGKILL went unnoticed).
Net effect on Docker Desktop / macOS: claude's HTTPS_PROXY is
`http://127.0.0.1:<egress port>`, egress rewrites auth, pipelock
allowlists + DLPs, request reaches api.anthropic.com with a
real token. End-to-end verified.
Also drops the PRD-0023-chunk-3 EGRESS_LISTEN_HOST=127.0.0.1
mitigation. The original concern (agent bypassing pipelock by
dialing egress's port on the bundle IP) doesn't apply in this
topology: the agent can only reach whatever port we publish on
host loopback, and egress is the only HTTP/HTTPS chokepoint
that gets published.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
End-to-end provisioning parity with the docker backend. After this
chunk a smolmachines bottle has a working trust store, git-gate
gitconfig, and supervise MCP registration — same shape as docker,
dispatched via `smolvm machine cp` / `smolvm machine exec` instead
of `docker cp` / `docker exec`.
Adds three new provision modules:
- ca.py: select egress vs pipelock CA (same logic as
docker), machine cp + update-ca-certificates,
log sha256 fingerprint.
- git.py: copy host .git when --cwd was passed; render
~/.gitconfig with insteadOf URLs. URL prefix is
`git://<bundle_ip>:9418/...` (no DNS in the
TSI-allowlisted guest) vs docker's
`git://git-gate/...`.
- supervise.py: `claude mcp add` via machine_exec; URL is
`http://<bundle_ip>:9100/`. Failure is logged but
non-fatal (matches docker).
Shared render: `render_git_gate_gitconfig` moves out of
backend/docker/provision/git.py into the platform-neutral
claude_bottle/git_gate.py (renamed to git_gate_render_gitconfig
for consistency with the existing git_gate_render_* helpers),
parameterized on a `gate_host` argument so both backends use the
same logic with different addresses.
Path/user fixups for the post-chunk-4c agent image (real
claude-bottle image, USER node, $HOME=/home/node):
- prompt.py default path moves from /root/... to
/home/node/.claude-bottle-prompt.txt; chown + chmod after
machine cp.
- skills.py default skills dir moves from /root/.claude/skills to
/home/node/.claude/skills; chown -R per skill.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
didericis-claude