merge: update tests/unit/test_supervise_server.py from issue-277-coverage-ci

.coveragerc

@@ -0,0 +1,9 @@
+[run]
+branch = True
+source = .
+
+[report]
+omit =
+    bot_bottle/egress_addon.py
+    bot_bottle/cli/tui.py
+    tests/*

.gitea/workflows/test.yml

@@ -39,8 +39,14 @@ jobs:
         with:
           python-version: "3.12"
 
+      - name: Install dev requirements
+        run: python3 -m pip install -r requirements-dev.txt
+
       - name: Run unit tests
-        run: python3 -m unittest discover -t . -s tests/unit -v
+        run: python3 -m coverage run -m unittest discover -t . -s tests/unit -v
+
+      - name: Report unit coverage
+        run: python3 -m coverage report -m
 
   integration:
     runs-on: ubuntu-latest

.gitignore

@@ -22,3 +22,4 @@ venv/
 .pytest_cache/
 .mypy_cache/
 .ruff_cache/
+.coverage

bot_bottle/cli/supervise.py

@@ -2,9 +2,8 @@
 act on them (approve / modify / reject).
 
 Curses-based TUI; modify-then-approve shells out to $EDITOR. The
-approval handler wires to PRD 0016 (capability-block), which rebuilds
-the bottle Dockerfile. Egress proposals are queued for operator review
-as full routes.yaml updates.
+Egress proposals are queued for operator review as full routes.yaml
+updates.
 """
 
 from __future__ import annotations
@@ -22,10 +21,6 @@ from pathlib import Path
 
 from .. import supervise as _supervise
 from ..bottle_state import read_metadata
-# from ..backend.docker.capability_apply import (
-#     CapabilityApplyError,
-#     apply_capability_change,
-# )
 from ..backend.docker.egress_apply import (
     EgressApplyError,
     applicator as _docker_applicator,
@@ -38,10 +33,6 @@ from ..backend.smolmachines.egress_apply import (
 )
 from ..log import Die, error, info
 
-
-class CapabilityApplyError(RuntimeError):
-    """Placeholder while capability_apply is disabled."""
-
 from ..supervise import (
     COMPONENT_FOR_TOOL,
     AuditEntry,
@@ -50,12 +41,10 @@ from ..supervise import (
     STATUS_APPROVED,
     STATUS_MODIFIED,
     STATUS_REJECTED,
-    TOOL_CAPABILITY_BLOCK,
     TOOL_EGRESS_ALLOW,
     TOOL_EGRESS_BLOCK,
     TOOL_GITLEAKS_ALLOW,
     TOOL_EGRESS_TOKEN_ALLOW,
-    archive_proposal,
     list_pending_proposals,
     render_diff,
     write_audit_entry,
@@ -83,7 +72,7 @@ class QueuedProposal:
 # Errors any remediation engine may raise. Caught by the TUI key
 # handlers and surfaced in the status line so a failed apply keeps
 # the proposal pending rather than crashing curses.
-ApplyError = (CapabilityApplyError, EgressApplyError)
+ApplyError = (EgressApplyError,)
 
 
 def apply_routes_change(slug: str, content: str) -> tuple[str, str]:
@@ -143,8 +132,6 @@ def _detail_lines(
 
 
 def _suffix_for_tool(tool: str) -> str:
-    if tool == TOOL_CAPABILITY_BLOCK:
-        return ".dockerfile"
     if tool in (TOOL_EGRESS_ALLOW, TOOL_EGRESS_BLOCK):
         return ".yaml"
     if tool in (TOOL_GITLEAKS_ALLOW, TOOL_EGRESS_TOKEN_ALLOW):
@@ -166,17 +153,6 @@ def approve(
     file_to_apply = final_file if final_file is not None else qp.proposal.proposed_file
 
     diff_before, diff_after = "", ""
-    # if qp.proposal.tool == TOOL_CAPABILITY_BLOCK:
-    #     _meta = read_metadata(qp.proposal.bottle_slug)
-    #     if _meta is not None and not _meta.compose_project:
-    #         raise CapabilityApplyError(
-    #             "capability-block remediation is not supported for smolmachines "
-    #             "bottles. Reject this proposal or handle the capability change "
-    #             "manually, then restart the bottle."
-    #         )
-    #     diff_before, diff_after = apply_capability_change(
-    #         qp.proposal.bottle_slug, file_to_apply,
-    #     )
     if qp.proposal.tool in (TOOL_EGRESS_ALLOW, TOOL_EGRESS_BLOCK):
         diff_before, diff_after = apply_routes_change(
             qp.proposal.bottle_slug,
@@ -194,9 +170,6 @@ def approve(
         qp, action=status, notes=notes,
         diff_before=diff_before, diff_after=diff_after,
     )
-    if qp.proposal.tool == TOOL_CAPABILITY_BLOCK:
-        archive_proposal(qp.queue_dir, qp.proposal.id)
-
 
 def reject(qp: QueuedProposal, *, reason: str) -> None:
     """Write a rejection response and an audit entry."""
@@ -346,7 +319,7 @@ def _list_once() -> int:
     return 0
 
 
-def _try_init_green() -> int:
+def _try_init_green() -> int:  # pragma: no cover
     """Initialise a green color pair and return its attr, or 0."""
     try:
         curses.start_color()
@@ -357,7 +330,7 @@ def _try_init_green() -> int:
         return 0
 
 
-def _main_loop(stdscr: "curses._CursesWindow") -> None:  # type: ignore
+def _main_loop(stdscr: "curses._CursesWindow") -> None:  # type: ignore  # pragma: no cover
     curses.curs_set(0)
     stdscr.timeout(_REFRESH_INTERVAL_MS)
     green_attr = _try_init_green()
@@ -447,7 +420,7 @@ def _render(
     status_line: str,
     *,
     green_attr: int = 0,  # noqa: F841 — unused, but required by interface
-) -> None:
+) -> None:  # pragma: no cover
     stdscr.erase()
     h, w = stdscr.getmaxyx()
     header = f"bot-bottle supervise  ({len(pending)} pending)"
@@ -498,7 +471,7 @@ def _detail_view(
     qp: QueuedProposal,
     *,
     green_attr: int = 0,
-) -> None:
+) -> None:  # pragma: no cover
     """Render the full proposal. Scrollable. Press q to return."""
     lines = _detail_lines(qp, green_attr=green_attr)
     offset = 0
@@ -550,7 +523,7 @@ def _detail_view(
             return
 
 
-def _modify(stdscr: "curses._CursesWindow", qp: QueuedProposal) -> str | None:  # type: ignore
+def _modify(stdscr: "curses._CursesWindow", qp: QueuedProposal) -> str | None:  # type: ignore  # pragma: no cover
     """Suspend curses, open $EDITOR on the proposed file, return edited content."""
     suffix = _suffix_for_tool(qp.proposal.tool)
     curses.endwin()
@@ -561,7 +534,7 @@ def _modify(stdscr: "curses._CursesWindow", qp: QueuedProposal) -> str | None:
     return edited
 
 
-def _prompt(stdscr: "curses._CursesWindow", label: str) -> str:  # type: ignore
+def _prompt(stdscr: "curses._CursesWindow", label: str) -> str:  # type: ignore  # pragma: no cover
     """One-line input at the bottom of the screen."""
     curses.curs_set(1)
     h, _ = stdscr.getmaxyx()

bot_bottle/contrib/gitea/deploy_key_provisioner.py

@@ -21,11 +21,6 @@ from pathlib import Path
 
 from ...deploy_key_provisioner import DeployKeyCollisionError, DeployKeyProvisioner
 
-# Timeout for ssh-keygen and Gitea API HTTP calls. A hung Gitea instance at
-# prepare time would stall bottle launch indefinitely without this bound.
-_API_TIMEOUT_SECS = 30
-_KEYGEN_TIMEOUT_SECS = 10
-
 
 class GiteaDeployKeyProvisioner(DeployKeyProvisioner):
     """Manages deploy keys on a Gitea instance."""
@@ -51,7 +46,6 @@ class GiteaDeployKeyProvisioner(DeployKeyProvisioner):
                 check=True,
                 stdout=subprocess.DEVNULL,
                 stderr=subprocess.DEVNULL,
-                timeout=_KEYGEN_TIMEOUT_SECS,
             )
             private_key = key_path.read_bytes()
             public_key = key_path.with_suffix(".pub").read_text().strip()
@@ -73,7 +67,7 @@ class GiteaDeployKeyProvisioner(DeployKeyProvisioner):
             method="POST",
         )
         try:
-            with urllib.request.urlopen(req, timeout=_API_TIMEOUT_SECS) as resp:
+            with urllib.request.urlopen(req) as resp:
                 body = json.loads(resp.read())
         except urllib.error.HTTPError as exc:
             _body = _read_error_body(exc)
@@ -104,7 +98,7 @@ class GiteaDeployKeyProvisioner(DeployKeyProvisioner):
             method="DELETE",
         )
         try:
-            with urllib.request.urlopen(req, timeout=_API_TIMEOUT_SECS):
+            with urllib.request.urlopen(req):
                 pass
         except urllib.error.HTTPError as exc:
             if exc.code == 404:

bot_bottle/git_gate.py

@@ -43,10 +43,10 @@ from .manifest import ManifestBottle, ManifestGitEntry
 # Short network alias for git-gate inside the sidecar bundle. The
 # agent's `.gitconfig` insteadOf rewrites resolve through this name.
 GIT_GATE_HOSTNAME = "git-gate"
-# Shared timeout (seconds) for all git-gate subprocess and CGI calls:
-# git daemon (--timeout/--init-timeout), the access-hook subprocess in
-# git_http_backend, and the git http-backend CGI subprocess.
-GIT_GATE_TIMEOUT_SECS = 15
+# Bound half-open git client sessions. If an agent/tool runner is
+# interrupted during push, git daemon should reap the receive-pack
+# child instead of keeping the gate wedged indefinitely.
+GIT_GATE_DAEMON_TIMEOUT_SECS = 15
 
 
 @dataclass(frozen=True)
@@ -217,8 +217,8 @@ def git_gate_render_entrypoint(upstreams: tuple[GitGateUpstream, ...]) -> str:
         "",
         "exec git daemon \\",
         "  --reuseaddr \\",
-        f"  --timeout={GIT_GATE_TIMEOUT_SECS} \\",
-        f"  --init-timeout={GIT_GATE_TIMEOUT_SECS} \\",
+        f"  --timeout={GIT_GATE_DAEMON_TIMEOUT_SECS} \\",
+        f"  --init-timeout={GIT_GATE_DAEMON_TIMEOUT_SECS} \\",
         "  --base-path=/git \\",
         "  --export-all \\",
         "  --enable=receive-pack \\",

bot_bottle/git_http_backend.py

@@ -16,8 +16,6 @@ from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
 from pathlib import Path
 from urllib.parse import urlsplit
 
-from .git_gate import GIT_GATE_TIMEOUT_SECS
-
 
 DEFAULT_PORT = 9420
 
@@ -49,7 +47,6 @@ class GitHttpHandler(BaseHTTPRequestHandler):
                 [hook_path, "upload-pack", str(repo_dir), peer, peer],
                 capture_output=True,
                 check=False,
-                timeout=GIT_GATE_TIMEOUT_SECS,
             )
             if hook.returncode != 0:
                 detail = (hook.stderr or hook.stdout).decode(
@@ -113,7 +110,6 @@ class GitHttpHandler(BaseHTTPRequestHandler):
             env=env,
             capture_output=True,
             check=False,
-            timeout=GIT_GATE_TIMEOUT_SECS,
         )
         self._write_cgi_response(proc.stdout)
 
@@ -152,13 +148,7 @@ class GitHttpHandler(BaseHTTPRequestHandler):
             key, _, value = line.decode("latin1").partition(":")
             value = value.strip()
             if key.lower() == "status":
-                try:
-                    status = int(value.split()[0])
-                except (ValueError, IndexError):
-                    self.log_message(
-                        "malformed CGI Status header %r; using 500", value,
-                    )
-                    status = 500
+                status = int(value.split()[0])
             else:
                 headers.append((key, value))
         self.send_response(status)

bot_bottle/supervise_server.py

@@ -90,19 +90,19 @@ def parse_jsonrpc(body: bytes) -> JsonRpcRequest:
     try:
         raw = json.loads(body)
     except json.JSONDecodeError as e:
-        raise _RpcClientError(ERR_PARSE, f"parse error: {e}") from e
+        raise _RpcError(ERR_PARSE, f"parse error: {e}") from e
     if not isinstance(raw, dict):
-        raise _RpcClientError(ERR_INVALID_REQUEST, "request must be a JSON object")
+        raise _RpcError(ERR_INVALID_REQUEST, "request must be a JSON object")
     if raw.get("jsonrpc") != JSONRPC_VERSION:
-        raise _RpcClientError(ERR_INVALID_REQUEST, "jsonrpc field must be '2.0'")
+        raise _RpcError(ERR_INVALID_REQUEST, "jsonrpc field must be '2.0'")
     method = raw.get("method")
     if not isinstance(method, str):
-        raise _RpcClientError(ERR_INVALID_REQUEST, "method must be a string")
+        raise _RpcError(ERR_INVALID_REQUEST, "method must be a string")
     params = raw.get("params", {})
     if params is None:
         params = {}
     if not isinstance(params, dict):
-        raise _RpcClientError(ERR_INVALID_PARAMS, "params must be an object")
+        raise _RpcError(ERR_INVALID_PARAMS, "params must be an object")
     rpc_id = raw.get("id", _NO_ID)
     is_notification = rpc_id is _NO_ID
     return JsonRpcRequest(
@@ -117,23 +117,12 @@ _NO_ID = object()
 
 
 class _RpcError(Exception):
-    """Base class for all typed RPC errors that surface as JSON-RPC error responses."""
     def __init__(self, code: int, message: str):
         super().__init__(message)
         self.code = code
         self.message = message
 
 
-class _RpcClientError(_RpcError):
-    """Caller sent a bad request; returned verbatim, no server-side logging."""
-
-
-class _RpcInternalError(_RpcError):
-    """Server-side fault; logged at ERROR with cause, always returns ERR_INTERNAL."""
-    def __init__(self, message: str) -> None:
-        super().__init__(ERR_INTERNAL, message)
-
-
 def jsonrpc_result(request_id: object, result: object) -> bytes:
     payload = {"jsonrpc": JSONRPC_VERSION, "id": request_id, "result": result}
     return (json.dumps(payload) + "\n").encode("utf-8")
@@ -301,7 +290,7 @@ def validate_proposed_file(tool: str, content: str) -> None:
     catches obvious paste-errors / wrong-tool selections before they
     enter the queue."""
     if not content.strip():
-        raise _RpcClientError(ERR_INVALID_PARAMS, f"{tool}: proposed file is empty")
+        raise _RpcError(ERR_INVALID_PARAMS, f"{tool}: proposed file is empty")
     if tool == _sv.TOOL_CAPABILITY_BLOCK:
         # Dockerfiles are too varied to validate syntactically beyond
         # non-empty. The operator reads the diff in the TUI.
@@ -310,17 +299,17 @@ def validate_proposed_file(tool: str, content: str) -> None:
         try:
             config = load_config(content)
         except ValueError as e:
-            raise _RpcClientError(
+            raise _RpcError(
                 ERR_INVALID_PARAMS,
                 f"{tool}: proposed routes.yaml is not valid: {e}",
             ) from e
         if config.log != LOG_OFF:
-            raise _RpcClientError(
+            raise _RpcError(
                 ERR_INVALID_PARAMS,
                 f"{tool}: proposed routes.yaml must not change egress logging",
             )
     else:
-        raise _RpcClientError(ERR_INVALID_PARAMS, f"unknown tool {tool!r}")
+        raise _RpcError(ERR_INVALID_PARAMS, f"unknown tool {tool!r}")
 
 
 # --- MCP handlers ----------------------------------------------------------
@@ -393,17 +382,17 @@ def handle_tools_call(
     doesn't need operator approval."""
     name = params.get("name")
     if not isinstance(name, str):
-        raise _RpcClientError(ERR_INVALID_PARAMS, "tools/call missing 'name'")
+        raise _RpcError(ERR_INVALID_PARAMS, "tools/call missing 'name'")
     if name == _sv.TOOL_LIST_EGRESS_ROUTES:
         return handle_list_egress_routes(typing.cast(dict[str, object], params.get("arguments", {})), config)
 
     args_raw = params.get("arguments", {})
     if not isinstance(args_raw, dict):
-        raise _RpcClientError(ERR_INVALID_PARAMS, "tools/call 'arguments' must be an object")
+        raise _RpcError(ERR_INVALID_PARAMS, "tools/call 'arguments' must be an object")
 
     justification = args_raw.get("justification")
     if not isinstance(justification, str) or not justification.strip():
-        raise _RpcClientError(
+        raise _RpcError(
             ERR_INVALID_PARAMS,
             f"{name}: 'justification' is required and must be a non-empty string",
         )
@@ -412,13 +401,13 @@ def handle_tools_call(
         file_field = PROPOSED_FILE_FIELD[name]
         proposed_file = args_raw.get(file_field)
         if not isinstance(proposed_file, str):
-            raise _RpcClientError(
+            raise _RpcError(
                 ERR_INVALID_PARAMS,
                 f"{name}: '{file_field}' is required and must be a string",
             )
         validate_proposed_file(name, proposed_file)
     else:
-        raise _RpcClientError(ERR_INVALID_PARAMS, f"unknown tool {name!r}")
+        raise _RpcError(ERR_INVALID_PARAMS, f"unknown tool {name!r}")
 
     proposal = _sv.Proposal.new(
         bottle_slug=config.bottle_slug,
@@ -427,10 +416,7 @@ def handle_tools_call(
         justification=justification,
         current_file_hash=_sv.sha256_hex(proposed_file),
     )
-    try:
-        _sv.write_proposal(config.queue_dir, proposal)
-    except OSError as e:
-        raise _RpcInternalError(f"failed to write proposal to queue: {e}") from e
+    _sv.write_proposal(config.queue_dir, proposal)
     sys.stderr.write(
         f"supervise: queued proposal {proposal.id} ({name}) "
         f"for bottle {config.bottle_slug}; waiting for operator...\n"
@@ -450,10 +436,7 @@ def handle_tools_call(
             "content": [{"type": "text", "text": text}],
             "isError": False,
         }
-    try:
-        _sv.archive_proposal(config.queue_dir, proposal.id)
-    except OSError as e:
-        raise _RpcInternalError(f"failed to archive proposal: {e}") from e
+    _sv.archive_proposal(config.queue_dir, proposal.id)
 
     text = format_response_text(response)
     return {
@@ -529,7 +512,7 @@ class MCPHandler(http.server.BaseHTTPRequestHandler):
 
         try:
             req = parse_jsonrpc(body)
-        except _RpcClientError as e:
+        except _RpcError as e:
             self._write_jsonrpc(jsonrpc_error(None, e.code, e.message))
             return
 
@@ -537,19 +520,11 @@ class MCPHandler(http.server.BaseHTTPRequestHandler):
 
         try:
             result = self._dispatch(req, config)
-        except _RpcClientError as e:
+        except _RpcError as e:
             self._write_jsonrpc(jsonrpc_error(req.id, e.code, e.message))
             return
-        except _RpcInternalError as e:
-            cause = e.__cause__
-            detail = f": {cause}" if cause else ""
-            sys.stderr.write(f"supervise: internal error: {e.message}{detail}\n")
-            sys.stderr.flush()
-            self._write_jsonrpc(jsonrpc_error(req.id, ERR_INTERNAL, "internal error"))
-            return
-        except Exception as e:  # noqa: W0718 — unexpected errors
-            sys.stderr.write(f"supervise: unexpected error: {type(e).__name__}: {e}\n")
-            sys.stderr.flush()
+        except Exception as e:  # noqa: W0718 — catch-all for RPC dispatch errors
+            sys.stderr.write(f"supervise: internal error: {e}\n")
             self._write_jsonrpc(jsonrpc_error(req.id, ERR_INTERNAL, "internal error"))
             return
 
@@ -568,7 +543,7 @@ class MCPHandler(http.server.BaseHTTPRequestHandler):
             return handle_tools_list(req.params)
         if method == "tools/call":
             return handle_tools_call(req.params, config)
-        raise _RpcClientError(ERR_METHOD_NOT_FOUND, f"method not found: {method}")
+        raise _RpcError(ERR_METHOD_NOT_FOUND, f"method not found: {method}")
 
     def _write_jsonrpc(self, body: bytes) -> None:
         self.send_response(200)

requirements-dev.txt

@@ -4,3 +4,4 @@
 
 pylint>=3.0.0
 pyright>=1.1.300
+coverage>=7.0.0

tests/integration/test_sandbox_escape.py

@@ -92,9 +92,9 @@ class TestSandboxEscape(unittest.TestCase):
                     "on PATH: curl -sSL https://smolmachines.com/install.sh | sh"
                 )
 
-        # Throwaway "identity file" for the git-gate's `identity` field.
-        # It need not be a real SSH key: test 5 reaches gitleaks before
-        # any SSH attempt anyway.
+        # Throwaway static key for the git-gate fixture. It need not
+        # be a real SSH key: test 5 reaches gitleaks before any SSH
+        # attempt anyway.
         fd, kp = tempfile.mkstemp(prefix="sandbox-test-key.")
         os.close(fd)
         cls._key_path = Path(kp)
@@ -123,7 +123,10 @@ class TestSandboxEscape(unittest.TestCase):
                     "git-gate": {"repos": {
                         "throwaway": {
                             "url": "ssh://git@unreachable.invalid:22/throwaway.git",
-                            "identity": str(cls._key_path),
+                            "key": {
+                                "provider": "static",
+                                "path": str(cls._key_path),
+                            },
                         },
                     }},
                 },

tests/integration/test_smolmachines_launch.py

@@ -198,6 +198,7 @@ class TestSmolmachinesLaunch(unittest.TestCase):
         # connect fails, which is the property chunk 3 will
         # preserve once egress is actually running.
         r = self.bottle.exec(
+            "env -u HTTPS_PROXY -u HTTP_PROXY -u https_proxy -u http_proxy "
             f"curl -s --show-error --max-time 3 http://{self.plan.bundle_ip}:9099 "
             "2>&1 || true"
         )

tests/unit/test_contrib_gitea_deploy_key.py

@@ -10,8 +10,6 @@ from unittest.mock import MagicMock, patch
 
 from bot_bottle.contrib.gitea.deploy_key_provisioner import (
     GiteaDeployKeyProvisioner,
-    _API_TIMEOUT_SECS,
-    _KEYGEN_TIMEOUT_SECS,
     _split_owner_repo,
 )
 from bot_bottle.deploy_key_provisioner import DeployKeyCollisionError
@@ -85,25 +83,6 @@ class TestCreate(unittest.TestCase):
         self.assertEqual(str(fake_key_id), key_id)
         self.assertEqual(fake_private, private_bytes)
 
-    def test_create_passes_timeout_to_ssh_keygen_and_urlopen(self):
-        provisioner = _provisioner()
-        with patch(
-            "bot_bottle.contrib.gitea.deploy_key_provisioner.subprocess.run"
-        ) as mock_run, patch(
-            "bot_bottle.contrib.gitea.deploy_key_provisioner.urllib.request.urlopen"
-        ) as mock_urlopen, patch(
-            "bot_bottle.contrib.gitea.deploy_key_provisioner.Path.read_bytes",
-            return_value=b"PRIVATE",
-        ), patch(
-            "bot_bottle.contrib.gitea.deploy_key_provisioner.Path.read_text",
-            return_value="ssh-ed25519 AAAA\n",
-        ):
-            mock_urlopen.return_value = _urlopen_response({"id": 1})
-            provisioner.create("owner/repo", "title")
-
-        self.assertEqual(_KEYGEN_TIMEOUT_SECS, mock_run.call_args.kwargs.get("timeout"))
-        self.assertEqual(_API_TIMEOUT_SECS, mock_urlopen.call_args.kwargs.get("timeout"))
-
     def test_create_raises_on_http_error(self):
         provisioner = _provisioner()
         with patch(
@@ -160,16 +139,6 @@ class TestDelete(unittest.TestCase):
         self.assertIn("/api/v1/repos/didericis/bot-bottle/keys/99", req.full_url)
         self.assertEqual("DELETE", req.get_method())
 
-    def test_delete_passes_timeout_to_urlopen(self):
-        provisioner = _provisioner()
-        with patch(
-            "bot_bottle.contrib.gitea.deploy_key_provisioner.urllib.request.urlopen"
-        ) as mock_urlopen:
-            mock_urlopen.return_value = _urlopen_response({})
-            provisioner.delete("owner/repo", "7")
-
-        self.assertEqual(_API_TIMEOUT_SECS, mock_urlopen.call_args.kwargs.get("timeout"))
-
     def test_delete_tolerates_404(self):
         provisioner = _provisioner()
         with patch(

tests/unit/test_git_http_backend.py

@@ -9,7 +9,6 @@ import urllib.request
 from pathlib import Path
 from unittest import mock
 
-from bot_bottle.git_gate import GIT_GATE_TIMEOUT_SECS
 from bot_bottle.git_http_backend import GitHttpHandler, MAX_BODY_BYTES
 
 
@@ -151,61 +150,6 @@ class TestGitHttpBackend(unittest.TestCase):
             )
             self.assertEqual("git/test", env["HTTP_USER_AGENT"])
 
-    def test_subprocess_calls_include_timeout(self):
-        """Both subprocess.run calls (access-hook and git http-backend) must
-        pass timeout= so a hung upstream cannot wedge the sidecar."""
-        from http.server import ThreadingHTTPServer
-
-        with tempfile.TemporaryDirectory() as tmp:
-            root = Path(tmp)
-            (root / "repo.git").mkdir()
-
-            old_root = os.environ.get("GIT_PROJECT_ROOT")
-            os.environ["GIT_PROJECT_ROOT"] = str(root)
-            self.addCleanup(self._restore_env, old_root)
-            old_hook = os.environ.get("GIT_GATE_ACCESS_HOOK")
-            hook = root / "access-hook"
-            hook.write_text("#!/bin/sh\nexit 0\n")
-            hook.chmod(0o700)
-            os.environ["GIT_GATE_ACCESS_HOOK"] = str(hook)
-            self.addCleanup(self._restore_hook, old_hook)
-
-            server = ThreadingHTTPServer(("127.0.0.1", 0), GitHttpHandler)
-            thread = threading.Thread(target=server.serve_forever, daemon=True)
-            thread.start()
-            self.addCleanup(server.shutdown)
-            self.addCleanup(server.server_close)
-
-            backend_response = (
-                b"Status: 200 OK\r\n"
-                b"Content-Type: application/x-git-upload-pack-result\r\n"
-                b"\r\n"
-                b"0000"
-            )
-            calls = [
-                subprocess.CompletedProcess(["hook"], 0, b"", b""),
-                subprocess.CompletedProcess(["git"], 0, backend_response, b""),
-            ]
-            with mock.patch(
-                "bot_bottle.git_http_backend.subprocess.run",
-                side_effect=calls,
-            ) as run:
-                req = urllib.request.Request(
-                    f"http://127.0.0.1:{server.server_port}"
-                    "/repo.git/git-upload-pack",
-                    data=b"",
-                    method="POST",
-                )
-                with urllib.request.urlopen(req, timeout=5):
-                    pass
-
-            for call in run.call_args_list:
-                self.assertEqual(
-                    GIT_GATE_TIMEOUT_SECS,
-                    call.kwargs.get("timeout"),
-                    f"subprocess.run call missing timeout: {call}",
-                )
-
     def test_access_hook_denial_is_logged_to_stdout(self):
         """When the access-hook exits non-zero we still return 403 to the
         client, but the hook's stderr must also appear on the handler's
@@ -312,57 +256,6 @@ class TestGitHttpBackend(unittest.TestCase):
             os.environ["GIT_GATE_ACCESS_HOOK"] = value
 
 
-class TestMalformedStatusHeader(unittest.TestCase):
-    """Malformed CGI Status: headers must not propagate as unhandled exceptions;
-    the handler should fall back to HTTP 500."""
-
-    def setUp(self):
-        from http.server import ThreadingHTTPServer
-        import tempfile
-        self._tmp = tempfile.mkdtemp()
-        os.environ["GIT_PROJECT_ROOT"] = self._tmp
-        self._server = ThreadingHTTPServer(("127.0.0.1", 0), GitHttpHandler)
-        self._thread = threading.Thread(
-            target=self._server.serve_forever, daemon=True,
-        )
-        self._thread.start()
-        self._port = self._server.server_port
-
-    def tearDown(self):
-        self._server.shutdown()
-        self._server.server_close()
-        os.environ.pop("GIT_PROJECT_ROOT", None)
-        import shutil
-        shutil.rmtree(self._tmp, ignore_errors=True)
-
-    def _get_with_backend_response(self, cgi_response: bytes) -> int:
-        with mock.patch(
-            "bot_bottle.git_http_backend.subprocess.run",
-            return_value=mock.Mock(returncode=0, stdout=cgi_response),
-        ):
-            req = urllib.request.Request(
-                f"http://127.0.0.1:{self._port}/repo.git/info/refs",
-                method="GET",
-            )
-            try:
-                with urllib.request.urlopen(req, timeout=3) as resp:
-                    return resp.status
-            except urllib.error.HTTPError as e:  # type: ignore
-                return e.code
-
-    def test_empty_status_value_returns_500(self):
-        status = self._get_with_backend_response(
-            b"Status: \r\nContent-Type: text/plain\r\n\r\n"
-        )
-        self.assertEqual(500, status)
-
-    def test_non_numeric_status_returns_500(self):
-        status = self._get_with_backend_response(
-            b"Status: bad\r\nContent-Type: text/plain\r\n\r\n"
-        )
-        self.assertEqual(500, status)
-
-
 class TestContentLengthBounds(unittest.TestCase):
     """PRD 0041: malformed or oversized Content-Length is rejected before
     git http-backend is invoked."""

tests/unit/test_supervise_server.py

@@ -50,15 +50,15 @@ from bot_bottle.supervise_server import (
 
 
 class TestValidation(unittest.TestCase):
-    def test_capability_block_accepts_anything_nonempty(self):
-        validate_proposed_file(
-            _sv.TOOL_CAPABILITY_BLOCK,
-            "FROM python:3.13\nRUN apk add git\n",
-        )
-
     def test_empty_proposed_file_rejected_for_tools_with_file_field(self):
         with self.assertRaises(_RpcError):
-            validate_proposed_file(_sv.TOOL_CAPABILITY_BLOCK, "   \n\t")
+            validate_proposed_file(_sv.TOOL_EGRESS_ALLOW, "   \n\t")
+
+    def test_capability_block_rejected_as_unknown_tool(self):
+        with self.assertRaises(_RpcError) as cm:
+            validate_proposed_file("capability-block", "FROM python:3.13\n")
+        self.assertEqual(ERR_INVALID_PARAMS, cm.exception.code)
+        self.assertIn("unknown tool", cm.exception.message)
 
     def test_egress_routes_yaml_is_validated(self):
         validate_proposed_file(
@@ -127,9 +127,9 @@ class TestRpcInternalErrorOnIoFailure(unittest.TestCase):
         with self.assertRaises(_RpcInternalError) as cm:
             handle_tools_call(
                 {
-                    "name": _sv.TOOL_CAPABILITY_BLOCK,
+                    "name": _sv.TOOL_EGRESS_ALLOW,
                     "arguments": {
-                        "dockerfile": "FROM python:3.13\n",
+                        "routes_yaml": "routes:\n  - host: example.com\n",
                         "justification": "x",
                     },
                 },
@@ -219,7 +219,6 @@ class TestHandleToolsList(unittest.TestCase):
         self.assertEqual(
             sorted([
                 _sv.TOOL_EGRESS_ALLOW,
-                _sv.TOOL_CAPABILITY_BLOCK,
                 _sv.TOOL_EGRESS_BLOCK,
                 _sv.TOOL_LIST_EGRESS_ROUTES,
             ]),
@@ -295,10 +294,10 @@ class TestHandleToolsCall(unittest.TestCase):
         try:
             result = handle_tools_call(
                 {
-                    "name": _sv.TOOL_CAPABILITY_BLOCK,
+                    "name": _sv.TOOL_EGRESS_BLOCK,
                     "arguments": {
-                        "dockerfile": "FROM python:3.13\n",
-                        "justification": "need git",
+                        "routes_yaml": "routes:\n  - host: example.com\n",
+                        "justification": "need example.com",
                     },
                 },
                 self.config,
@@ -335,9 +334,9 @@ class TestHandleToolsCall(unittest.TestCase):
         try:
             result = handle_tools_call(
                 {
-                    "name": _sv.TOOL_CAPABILITY_BLOCK,
+                    "name": _sv.TOOL_EGRESS_ALLOW,
                     "arguments": {
-                        "dockerfile": "FROM python:3.13\n",
+                        "routes_yaml": "routes:\n  - host: example.com\n",
                         "justification": "needed for tests",
                     },
                 },
@@ -359,20 +358,52 @@ class TestHandleToolsCall(unittest.TestCase):
         with self.assertRaises(_RpcError):
             handle_tools_call(
                 {
-                    "name": _sv.TOOL_CAPABILITY_BLOCK,
-                    "arguments": {"dockerfile": "FROM python:3.13\n"},
+                    "name": _sv.TOOL_EGRESS_ALLOW,
+                    "arguments": {"routes_yaml": "routes:\n  - host: example.com\n"},
                 },
                 self.config,
             )
 
+    def test_missing_name_raises(self):
+        with self.assertRaises(_RpcError) as cm:
+            handle_tools_call({"arguments": {}}, self.config)
+        self.assertEqual(ERR_INVALID_PARAMS, cm.exception.code)
+
+    def test_arguments_must_be_object(self):
+        with self.assertRaises(_RpcError) as cm:
+            handle_tools_call(
+                {
+                    "name": _sv.TOOL_EGRESS_ALLOW,
+                    "arguments": [],
+                },
+                self.config,
+            )
+        self.assertEqual(ERR_INVALID_PARAMS, cm.exception.code)
+        self.assertIn("must be an object", cm.exception.message)
+
+    def test_capability_block_call_raises_unknown_tool(self):
+        with self.assertRaises(_RpcError) as cm:
+            handle_tools_call(
+                {
+                    "name": "capability-block",
+                    "arguments": {
+                        "dockerfile": "FROM python:3.13\n",
+                        "justification": "need git",
+                    },
+                },
+                self.config,
+            )
+        self.assertEqual(ERR_INVALID_PARAMS, cm.exception.code)
+        self.assertIn("unknown tool", cm.exception.message)
+
     def test_archives_proposal_after_response(self):
         responder = self._respond_when_proposal_appears(_sv.STATUS_APPROVED)
         try:
             handle_tools_call(
                 {
-                    "name": _sv.TOOL_CAPABILITY_BLOCK,
+                    "name": _sv.TOOL_EGRESS_ALLOW,
                     "arguments": {
-                        "dockerfile": "FROM python:3.13\n",
+                        "routes_yaml": "routes:\n  - host: example.com\n",
                         "justification": "x",
                     },
                 },
@@ -394,10 +425,10 @@ class TestHandleToolsCall(unittest.TestCase):
         )
         result = handle_tools_call(
             {
-                "name": _sv.TOOL_CAPABILITY_BLOCK,
+                "name": _sv.TOOL_EGRESS_ALLOW,
                 "arguments": {
-                    "dockerfile": "FROM python:3.13\n",
-                    "justification": "need a capability",
+                    "routes_yaml": "routes:\n  - host: example.com\n",
+                    "justification": "need egress",
                 },
             },
             config,
@@ -412,6 +443,31 @@ class TestHandleToolsCall(unittest.TestCase):
 
 
 class TestHandleListEgressRoutes(unittest.TestCase):
+    def test_success_returns_body_text(self):
+        class _Resp:
+            def __enter__(self):
+                return self
+
+            def __exit__(self, exc_type: type[BaseException] | None, exc: BaseException | None, tb: object) -> bool:
+                return False
+
+            def read(self):
+                return b"[{\"host\": \"example.com\"}]"
+
+        class _Opener:
+            def open(self, *args, **kwargs):  # noqa: ANN001, ANN002, ANN003  # type: ignore
+                return _Resp()
+
+        with patch.object(supervise_server.urllib.request, "build_opener", return_value=_Opener()):
+            result = handle_list_egress_routes(
+                {},
+                ServerConfig(bottle_slug="dev", queue_dir=Path("/unused")),
+            )
+
+        self.assertFalse(result["isError"])  # type: ignore[index]
+        text = result["content"][0]["text"]  # type: ignore[index]
+        self.assertIn("example.com", text)
+
     def test_url_error_returns_tool_error(self):
         class _Opener:
             def open(self, *args, **kwargs):  # noqa: ANN001, ANN002, ANN003  # type: ignore
@@ -471,6 +527,13 @@ class TestFormatResponseText(unittest.TestCase):
         self.assertIn("the operator modified", text.lower())
 
 
+class TestFormatPendingResponseText(unittest.TestCase):
+    def test_formats_timeout_message(self):
+        text = supervise_server.format_pending_response_text(12.5)
+        self.assertIn("status: pending", text)
+        self.assertIn("12.5s", text)
+
+
 # --- End-to-end HTTP sanity ------------------------------------------------
 
 
@@ -521,7 +584,7 @@ class TestHttpEndToEnd(unittest.TestCase):
         self.assertEqual("2.0", result["jsonrpc"])
         self.assertEqual(1, result["id"])
         names = [t["name"] for t in result["result"]["tools"]]  # type: ignore[index]
-        self.assertIn(_sv.TOOL_CAPABILITY_BLOCK, names)
+        self.assertNotIn("capability-block", names)
         self.assertIn(_sv.TOOL_EGRESS_ALLOW, names)
         self.assertIn(_sv.TOOL_EGRESS_BLOCK, names)
 
@@ -541,9 +604,9 @@ class TestHttpEndToEnd(unittest.TestCase):
                 "id": 99,
                 "method": "tools/call",
                 "params": {
-                    "name": _sv.TOOL_CAPABILITY_BLOCK,
+                    "name": _sv.TOOL_EGRESS_ALLOW,
                     "arguments": {
-                        "dockerfile": "FROM python:3.13\n",
+                        "routes_yaml": "routes:\n  - host: example.com\n",
                         "justification": "x",
                     },
                 },