bot-bottle

Author	SHA1	Message	Date
didericis-claude	909029085e	feat(sidecars): egress binds 127.0.0.1 when EGRESS_LISTEN_HOST is set (PRD 0023 chunk 3) test / unit (pull_request) Successful in 21s Details test / integration (pull_request) Successful in 41s Details Egress's bind address is now env-driven via EGRESS_LISTEN_HOST. Unset → mitmdump's default (all interfaces) — the docker backend's behavior, unchanged. Set to `127.0.0.1` → mitmdump binds localhost only. The smolmachines launch sets EGRESS_LISTEN_HOST=127.0.0.1 in the bundle's env unconditionally. TSI's allowlist is `<bundle-ip>/32` (IP-only, not port-granular), which would otherwise let the agent dial `<bundle-ip>:9099` and bypass pipelock's DLP by talking to egress directly. Binding egress to localhost inside the bundle closes that gap at the socket level — the agent still reaches the IP (TSI permits it) but egress refuses the connect because it's not listening on the docker bridge interface. The docker backend doesn't set the env var because its agent dials egress directly via the docker network alias — egress MUST be reachable from outside the bundle there. The asymmetry is documented in the entrypoint script's comment. Changes: - egress_entrypoint.sh: read EGRESS_LISTEN_HOST, conditionally pass `--listen-host <host>` to mitmdump. - smolmachines/launch.py: BundleLaunchSpec.environment now includes `EGRESS_LISTEN_HOST=127.0.0.1`. - New unit tests (5): the entrypoint script's argv shape under various env combinations, verified via a fake mitmdump shim that prints its argv. 545 unit + 3 integration tests passing. The egress-port-bypass probe from chunk 2d still passes (chunk 2d ran with daemons_csv="" so no egress was up; chunk 3 makes the probe preserve its property once egress IS up in chunk 4). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 04:49:22 -04:00
didericis	2287b0dd08	test(sidecars): integration sweep for the bundle path (PRD 0024 chunk 4) test / unit (pull_request) Successful in 20s Details test / integration (pull_request) Successful in 40s Details Three deliverables: 1. Rewrite test_pipelock_apply bringup with a direct `docker run`. Replaces the .start-based bringup deleted in chunk 3. Stages the yaml + CAs to the real pipelock_state_dir so the bind- mount target matches what apply_allowlist_change writes to — the legacy .start path did this implicitly because it lived inside the production flow; the new bringup needs to be explicit about the path. All 4 cases pass. 2. New tests/integration/test_sidecar_bundle_compose.py: end- to-end smoke with CLAUDE_BOTTLE_SIDECAR_BUNDLE=1. Brings up a real bottle via the compose path and verifies the agent can reach pipelock + supervise through the bundle's legacy aliases (no agent-side config changes between flag positions). Skipped under act_runner — multi-stage build + bind mounts. 3. Two bundle-path bugs surfaced and fixed while running PRD 0022 with the flag on: - egress_entrypoint.sh: add `--set confdir=/home/mitmproxy/ .mitmproxy` so mitmdump finds the bind-mounted CA. The legacy Dockerfile.egress runs as user mitmproxy (~mitmproxy resolves correctly); the bundle runs as root and otherwise would look in /root/.mitmproxy/ and mint a NEW CA the agent doesn't trust. Symptom: PRD 0022 attack-3 curl failed with "unable to get local issuer certificate". - sidecar_init.py: add `--listen 0.0.0.0:8888` to pipelock's argv. Without it pipelock defaults to 127.0.0.1, so the in-bundle egress's upstream connect to the `claude-bottle-pipelock-<slug>` alias arrives over the docker network and gets refused. The legacy renderer passed this flag verbatim; the bundle dropped it. Symptom: egress returned HTTP 502 with "Connect call failed ('172.x.x.x', 8888)". PRD 0022's 5-attack sandbox-escape suite now passes with the bundle flag on AND off. Test status: - Unit: 533 passing. - Integration: 9 passing locally with flag off, 5 passing with flag on. Bundle compose smoke + PRD 0022 sandbox-escape both green under CLAUDE_BOTTLE_SIDECAR_BUNDLE=1. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 01:15:14 -04:00
didericis	a1180adec1	feat(compose): emit bundle shape behind feature flag (PRD 0024 chunk 2) test / unit (pull_request) Successful in 21s Details test / integration (pull_request) Successful in 1m12s Details The docker backend's compose renderer now emits a single `sidecars` service in place of the four per-sidecar services when CLAUDE_BOTTLE_SIDECAR_BUNDLE is truthy. Default (unset/0/ false) keeps the legacy five-service shape so existing operators don't have to migrate atomically; chunks 4-5 flip the default and delete the flag. New module claude_bottle/backend/docker/sidecar_bundle.py owns the bundle image constant (CLAUDE_BOTTLE_SIDECAR_IMAGE env var override + claude-bottle-sidecars:latest default), the Dockerfile reference, the container-name helper, and the flag-parser. The bundle service: - joins both internal + egress networks with aliases for every legacy shortname + per-slug long form so the agent's HTTPS_PROXY URL (which dials `egress` or `claude-bottle-pipelock-<slug>`) keeps resolving with no agent-side change - carries CLAUDE_BOTTLE_SIDECAR_DAEMONS=<csv> for the init supervisor to narrow which daemons to start - carries the union of the four prior services' daemon-private env vars (EGRESS_UPSTREAM_PROXY, SUPERVISE_*, token env names) - does NOT carry HTTPS_PROXY/HTTP_PROXY/NO_PROXY — those would route git-gate's git fetches through pipelock by mistake - union'd bind-mounts at the same in-container paths as before HTTPS_PROXY scoping moved into egress_entrypoint.sh so only mitmdump's subprocess sees it. In the legacy four-sidecar shape the env vars also lived in the egress service's compose env; the shell script's export is additionally defensive. Tests: - All 44 existing TestCompose cases pass unchanged (flag off → legacy shape). - 20 new TestSidecarBundleShape cases assert on the bundle's services / aliases / env / volumes / depends_on under the flag. - 8 new TestSidecarBundleFlag cases lock down the env-var parser (unset / 0 / false / no / off → disabled; everything else → enabled). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 00:43:08 -04:00
didericis	61f63684ac	feat(sidecars): bundle image + Python init supervisor (PRD 0024 chunk 1) test / unit (pull_request) Successful in 22s Details test / integration (pull_request) Successful in 1m12s Details New Dockerfile.sidecars multi-stage build: pulls the pinned pipelock and gitleaks binaries into a mitmproxy-base final image, installs git + openssh-client, and ships the project's egress addon + supervise server alongside a stdlib-Python init at /app/sidecar_init.py. The init supervisor (claude_bottle/sidecar_init.py) is PID 1 in the bundle. It spawns the daemons named in CLAUDE_BOTTLE_SIDECAR_DAEMONS (or all four by default), propagates SIGTERM/SIGINT to children with an 8s grace before SIGKILL, and exits with the first-unexpected-child exit code so a daemon crash tears down the bundle (per PRD 0024 open question 1's default). claude_bottle/egress_entrypoint.sh extracted verbatim from Dockerfile.egress's prior inline sh -c so the supervisor can call it as a normal child. Tests: - unit: _selected_daemons env-var subset behavior (7 cases), _Supervisor signal/exit-code semantics including SIGKILL escalation, and end-to-end main() via subprocess. - integration: builds the image and probes that pipelock, gitleaks, mitmdump, and the supervise Python module are present + executable, plus a no-daemons-selected smoke test of the entrypoint wiring. Skipped under act_runner (200+MB base pulls + multi-stage build). Renderer collapse and the deletion of Dockerfile.{egress,git-gate, supervise} land in chunk 2 + 3. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-27 00:05:06 -04:00

4 Commits