bot-bottle

didericis/bot-bottle

Fork 0

Commit Graph

Author	SHA1	Message	Date
didericis	579a9dae3e	docs: add PRD 0011 for cwd-manifest trust boundary test / unit (pull_request) Successful in 12s Details test / integration (pull_request) Successful in 23s Details Bottles defined in $CWD/claude-bottle.json can redefine cred_proxy.routes / git / env / egress on key conflict, which gives a cloned repo's manifest the ability to redirect a host env var (CLAUDE_BOTTLE_OAUTH_TOKEN, GITHUB_TOKEN, ...) to an attacker-controlled upstream on first launch — no agent compromise required. This PRD proposes drawing the trust boundary at the bottle level: $HOME owns bottle definitions; $CWD can only declare agents that reference home-defined bottles. Six success criteria + the resolver-split design. PRD-only; no code in this commit.	2026-05-24 14:59:11 -04:00

Author

SHA1

Message

Date

didericis

579a9dae3e

docs: add PRD 0011 for cwd-manifest trust boundary

test / unit (pull_request) Successful in 12s

Details

test / integration (pull_request) Successful in 23s

Details

Bottles defined in $CWD/claude-bottle.json can redefine
cred_proxy.routes / git / env / egress on key conflict, which
gives a cloned repo's manifest the ability to redirect a host
env var (CLAUDE_BOTTLE_OAUTH_TOKEN, GITHUB_TOKEN, ...) to an
attacker-controlled upstream on first launch — no agent
compromise required.

This PRD proposes drawing the trust boundary at the bottle
level: $HOME owns bottle definitions; $CWD can only declare
agents that reference home-defined bottles. Six success
criteria + the resolver-split design.

PRD-only; no code in this commit.

2026-05-24 14:59:11 -04:00

1 Commits