- Remove unused Bottle import from docker/backend.py (pyright)
- Suppress wrong-import-position on circular-import-avoiding
deferred imports in backend/__init__.py (pylint C0413)
- Add encoding="utf-8" to read_text() in smolmachines provision
test (pylint W1514)
- Suppress consider-using-with on TemporaryDirectory setUp pattern
in both provision test files (pylint R1732)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add _load_user_plugin: loads AgentProvider subclass from
~/.bot-bottle/contrib/<name>/agent_provider.py; get_provider()
checks there first before falling back to built-ins
- Add Dockerfile cascade to docker prepare: per-bottle override →
manifest dockerfile → user plugin Dockerfile → provider default
- Move provision_ca and provision_git from backend-specific
provision/ modules to AgentProvider ABC as overridable defaults;
delete docker/provision/ca.py, docker/provision/git.py,
smolmachines/provision/ca.py, smolmachines/provision/git.py
- Add git_gate_insteadof_host/scheme properties to BottlePlan base;
SmolmachinesBottlePlan overrides them to return agent_git_gate_host
and "http" so provision_git works correctly on both backends
- Move SIGKILL retry from smolmachines provision/ca.py into
SmolmachinesBottle.exec via _exec_raw helper — all exec calls
on smolmachines now transparently retry once on exit 137
- Relax manifest_agent template validation to allow user-defined
template names; keep auth_token/forward_host_credentials guards
for built-in-only features
- Update tests: rewrite test_docker_provision_git_user and
test_smolmachines_provision to call provider methods directly;
add TestSmolmachinesBottleExec for SIGKILL retry coverage
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Renames docs/prds/0052-user-provider-plugins.md to 0053-user-provider-plugins.md
and updates the heading inside the file. 0052 is now reserved for the egress
DLP addon.
codex_auth.py was moved into contrib/codex/ but still used `.log`/
`.util` relative imports that resolved to the parent bot_bottle
package before the move — update to `...log` / `...util`.
_read_winsize() called sys.stdin.fileno() outside the OSError guard;
pytest's redirected stdin raises UnsupportedOperation (an OSError
subclass) there, breaking test_returns_first_tty_size. Move fileno()
inside the try block so any non-TTY stream is skipped cleanly.
Drops `egress-block` from the supervise sidecar, removes
`_merge_single_route`, `add_route`, and `apply_routes_change` from
egress_apply.py, and strips the proposal/approve/reject flow for egress
from the supervise CLI. The list-egress-routes and capability-block tools
are unaffected. Tests updated throughout.
Closes#198
Removes socat, openssh-client, and dnsutils from Dockerfile.claude
and Dockerfile.codex.
- socat was the privileged forwarder for the in-container ssh-agent
that PRD 0009 removed; nothing in bot_bottle references it.
- openssh-client was needed back when the agent talked ssh:// to
upstreams; git-gate's insteadOf rewrites now route every upstream
through HTTP/git-protocol, and ssh-keygen runs host-side from the
deploy-key provisioner.
- dnsutils was only used by tests/integration/test_sandbox_escape.py
(attack 4b runs dig from inside the agent container).
Splits python3/python3-pip/python3-venv onto a separate layer with
a comment noting they're app-specific and a candidate to move to a
downstream image.
Implements #213: PRDs use prd-new-<slug>.md while a PR is open; a
post-merge workflow on main assigns sequential numbers and renames the
file. A required PR check blocks prd-new-*.md from landing on main
without going through the workflow.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pipelock was removed in PR #193. Update the five remaining places
where current documentation (README, examples/bottles/claude.md,
tests/README.md, docs/ci.md, sidecar_bundle.py comment) still
described the old pipelock + cred-proxy topology.
The old patterns required a trailing ] that badge markdown doesn't have,
so sed never matched and the README was never updated. Switch to matching
only the /badge/tool-... URL segment, which is stable and unambiguous.
Also encode / as %2F in the pylint score for a valid shields.io URL.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Capture full output with || true instead of pipefail-sensitive | tail -1
- Use lookbehind for pylint score to avoid matching "previous run" value
- Use lookahead for pyright error count to search full output not just last line
- Remove hardcoded fallback values that masked parse failures
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Badges should reflect the current score even when there are lint/type
errors, not abort the job entirely.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Zero-indented lines in the commit message body broke the block scalar,
preventing Gitea from parsing the file at all.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Token detection is already handled by the token_patterns detector
running separately — calling it again from scan_naive_injection was
redundant. New logic:
- Warn on any disclosure phrase
- Warn on any jailbreak phrase
- Block when both appear within 500 chars of each other
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Research doc: close open questions with decisions from review — hard
cutover on path_allowlist, drop glob (regex sufficient), stick with
Gateway API OR semantics for headers, case-insensitive method names.
PRD 0053: adopt Gateway API HTTPRoute match vocabulary (paths, methods,
headers) as the route schema replacement for path_allowlist. Add
MatchEntry / PathMatch / HeaderMatch types to EgressRoute design; cite
the route matching research doc; fold match restructure into chunk 1
alongside the dlp block.
Adds the product requirements document for replacing pipelock's DLP
capability with a per-route mitmproxy addon. Covers three implementation
chunks: token-pattern detection, known-secret detection, and naive prompt
injection scanning. References the research in PR #192 and issue #195.
- Remove bot-bottle.demo.json (unused artifact from pre-YAML-migration era)
- Update AGENTS.md to reflect current manifest system (YAML markdown in ~/.bot-bottle/)
- Fix stale docstring in test_docker_bottle.py that referenced superseded PRD 0021
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- test_supervise.py: drop TOOL_PIPELOCK_BLOCK import; update TOOLS
assertion to match the 3-item tuple (egress, capability, list-egress)
- test_supervise_server.py: remove pipelock from tools-list assertion,
fix test_rejected_response_sets_isError to use capability-block
- contrib/claude and contrib/codex: remove tls_passthrough=True from
EgressRoute constructors (field removed with pipelock)
- test_egress.py: drop tls_passthrough parameter from _provider_route,
remove tls_passthrough-only tests, fix EgressRoute constructions
- test_agent_provider.py: drop route.tls_passthrough assertions
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Strip pipelock from all unit and integration test fixtures:
proxy_plan fields removed from DockerBottlePlan/SmolmachinesBottlePlan
constructors; pipelock-specific test classes deleted or renamed
- Update test_sidecar_init: remove test_pipelock_loses_egress_tokens,
rename "pipelock" daemon fixtures to "git-gate" throughout
- Remove test_pipelock_binary_present_and_versioned from integration test
- Remove test_pipelock_answers_on_bundle_ip from smolmachines launch test
- Update _SANDBOX_BLOCK_MARKERS: remove "pipelock" marker (egress blocks)
- Dockerfile.sidecars: remove pipelock build stage and COPY; update layout
comments and port table
- egress_entrypoint.sh: update comments now that egress is sole proxy
- Clean up pipelock references in comments/docstrings across backend,
network, manifest, supervise, git_gate, yaml_subset, agent_provider,
sidecar_bundle, sidecar_init, egress_addon_core modules
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove pipelock_state_dir, _PIPELOCK_SUBDIR from bottle_state.py
- Remove proxy_plan: PipelockProxyPlan from DockerBottlePlan
- Remove EGRESS_PIPELOCK_CA_IN_CONTAINER from docker/egress.py
- Remove pipelock TLS init and proxy_plan population from launch.py
- Remove PipelockProxy import and pipelock_dir setup from prepare.py
- Remove pipelock volumes, daemon entry, and network alias from compose.py
- Remove pipelock mirroring entirely from egress_apply.py
- Agent HTTP_PROXY now always points at egress (no pipelock fallback)
- Delete bot_bottle/pipelock.py, backend/docker/pipelock.py,
backend/docker/pipelock_apply.py
- Delete all pipelock unit/integration/canary tests
- Remove PipelockRoutePolicy from manifest_egress.py; drop the
Pipelock field from EgressRoute and the 'pipelock' key from
EgressRoute.from_dict
- Remove PipelockRoutePolicy re-export from manifest.py __all__
Add analysis of Google DeepMind's CaMeL (arXiv:2503.18813), which
prevents prompt injections architecturally rather than detecting them.
Key findings:
- CaMeL operates at the agent execution layer (P-LLM/Q-LLM split +
capability-based data flow tracking), not the network layer
- Not a replacement for pipelock/DLP — different threat surface
- Not viable today: research artifact, requires agent rearchitecture,
doubles LLM costs, 7% utility loss on AgentDojo
- Worth watching: its capability model could complement bot-bottle's
network controls if it matures into production software
Also clarifies pipelock's actual detection capabilities (no prompt
injection detection) and adds naive detector sketch.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove all time estimates (2-3 weeks, 1-2 weeks, etc.)
- Add detailed analysis of using LLM for prompt injection detection
- Survey existing models (none purpose-built for this)
- Sketch DistilBERT fine-tuning approach (~67MB quantized)
- Analyze latency/footprint tradeoffs (50-150ms vs. <5ms for patterns)
- Recommend pattern-based Phase 2, with LLM as optional Phase 2b
- Include code sketch of LLM detector with timeout fallback
- List open questions for LLM deployment
Conclusion: Patterns are faster/simpler for now; LLM only if patterns
miss sophisticated attacks in production.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Per feedback from PR 192:
- Restructure around outbound_detectors (requests to upstream) and
inbound_detectors (responses from upstream)
- Rename to 'secret exfiltration' detection for Phase 1
- Add 'known_secrets' detector for provisioned credentials
- Make scanning enabled by default per detector type
- Clarify that multiple encodings of secrets should be checked
Phase 1 now focuses on preventing outbound credential leaks.
Phase 2 handles inbound prompt injection attacks.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Investigates replacing pipelock with a custom mitmproxy-based DLP addon
that supports per-route configuration, response-specific rules, and
AI-specific threat detection (tokens, prompt injection).
Recommends building the addon in-repo to align with bot-bottle's
per-route design model and keep security logic auditable.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Remove .keys() iteration in favor of direct dictionary iteration
- Remove redundant os module reimport in tui.py
- Disable unnecessary-ellipsis rule in pylintrc to avoid conflict with pyright's
Protocol type requirements
pyright: 0 errors
pylint: 9.93/10
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Runs on push to main when Python files change
- Can be manually triggered via workflow_dispatch
- Executes pylint and pyright to extract quality scores
- Updates README.md badges with current metrics
- Auto-commits changes with [skip ci] to prevent loops
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
The issue: Both the original file object (tty_fd) and the FileIO object
created in _run_picker() were managing the same file descriptor. When
both tried to close it (or during garbage collection), we got
'Bad file descriptor' errors.
The solution: Use os.dup() to create an independent copy of the fd that
FileIO can own exclusively. The original file object closes its copy,
and FileIO closes its independent copy, preventing conflicts.
This properly separates fd ownership between the two objects.
Fixes the 'Exception ignored while finalizing file' errors on agent startup.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
The sync() function is used in two contexts:
1. As a signal handler: signal.signal(signal.SIGWINCH, sync)
- Called with (signum: int, frame: FrameType | None)
2. As a threading.Timer callback: Timer(..., sync)
- Called with no arguments
Made parameters optional with defaults to support both call patterns.
Added type: ignore for signal.signal() since the type signature differs.
Fixes: TypeError when Timer tries to call sync() with no arguments.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
The issue: filter_select() opens a file object and passes its file
descriptor to _run_picker(). Inside _run_picker(), a FileIO object is
created from that same fd number. When filter_select() then calls
tty_fd.close(), it closes the underlying fd. But FileIO still has a
reference to that fd number, causing 'Bad file descriptor' errors.
Solution: Don't explicitly close tty_fd. Let it be garbage collected,
which naturally closes the fd. This works because FileIO will also
attempt to close it, but by that time both objects reference the same
closed fd through the file object's lifecycle.
The fd is properly closed by the time the function returns.
Fixes agent startup failure.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Fixed ImportError in test_pipelock_apply.py:
- PIPELOCK_CA_CERT_IN_CONTAINER and PIPELOCK_CA_KEY_IN_CONTAINER
are defined in bot_bottle.pipelock, not bot_bottle.backend.docker.pipelock
- Corrected import statement to import from correct module
- Removed unnecessary type: ignore comments
This fixes the integration test import failure.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Quality metrics are now visible via badges in README.md
and maintained automatically by the update-badges workflow.
A separate status doc is redundant.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
didericis
didericis-claude
Quality Badge Bot