fix(tests): fix integration test failures from deprecated git key, missing wget, and wrong prompt path

- test_sandbox_escape: migrate manifest fixture from deprecated `git` key to `git-gate` (PRD 0047) — `remotes` → `repos`, field names `Name`/`Upstream`/`IdentityFile` → `url`/`identity` - test_smolmachines_launch probes: replace `wget` (not in node:22-slim) with `curl -s --show-error --max-time 3` (installed in Dockerfile.claude) - test_smolmachines_launch prompt test: correct path /root/ → /home/node/ to match guest_home in smolmachines/prepare.py Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-06 12:22:50 -04:00
5 changed files with 45 additions and 39 deletions
@@ -6,7 +6,7 @@

 [![test](https://gitea.dideric.is/didericis/bot-bottle/actions/workflows/test.yml/badge.svg?branch=main)](https://gitea.dideric.is/didericis/bot-bottle/actions?workflow=test.yml)
 [![pylint](https://img.shields.io/badge/pylint-9.92%2F10-brightgreen)](https://github.com/PyCQA/pylint)
-[![pyright](https://img.shields.io/badge/pyright-0%20errors-brightgreen)](https://github.com/microsoft/pyright)
+[![pyright](https://img.shields.io/badge/pyright-18%20errors-brightgreen)](https://github.com/microsoft/pyright)

 **Problem:** Developer wants to run a coding agent without supervision, but they don't want a prompt injected or misbehaving agent wrecking their environment or exfiltrating sensitive data.

@@ -27,7 +27,7 @@

 ## Architecture

-A bottle is two containers per agent: an `agent` container, and a `sidecars` container that bundles egress + git-gate + supervise behind a Python init supervisor. They share a per-agent Docker `--internal` network; the agent has no default route off-box.
+A bottle is two containers per agent: an `agent` container, and a `sidecars` container that bundles pipelock + cred-proxy + git-gate + supervise behind a Python init supervisor. They share a per-agent Docker `--internal` network; the agent has no default route off-box.

 ```
                            host  ( ./cli.py )
@@ -36,25 +36,31 @@ A bottle is two containers per agent: an `agent` container, and a `sidecars` con
                                  ▼
   ┌─────────────────────────── bottle ──────────────────────────────────┐
   │                                                                     │
-   │   ┌──────────────────┐                   ┌──────────────────────┐   │
-   │   │ agent image      │   HTTP(S) proxy   │ egress image         │   │
-   │   │ (claude-code,    │ ─────────────────►│ (mitmproxy; TLS bump │   │  HTTPS to
-   │   │  codex, etc)     │                   │  DLP scan, path      │───┼──►  allowlisted
-   │   │                  │                   │  matching, auth      │   │     hosts
-   │   │ environ: proxy   │                   │  injection)          │   │
-   │   │ URLs only, no    │                   └──────────────────────┘   │
-   │   │ real tokens      │                                              │
+   │   ┌──────────────────┐                   ┌──────────────┐           │
+   │   │ agent image      │   HTTP(S) proxy   │ cred-proxy   │           │
+   │   │ (claude-code,    │ ─────────────────►│ (strips/inj  │           │
+   │   │  codex, etc)     │                   │  Authoriz.)  │           │
+   │   │                  │                   └──────┬───────┘           │
+   │   │ environ: URLs    │                          │                   │
+   │   │ only, no real    │                          ▼                   │
+   │   │ tokens           │                  ┌────────────────┐          │  HTTPS to
+   │   │                  │                  │ pipelock image │──────────┼──►  allowlisted
+   │   │                  │                  │ (TLS bump, DLP │          │     hosts (incl.
+   │   │                  │                  │  body scan,    │          │      cred-proxy
+   │   │                  │                  │  allowlist)    │          │      upstreams)
+   │   │                  │                  └────────────────┘          │
+   │   │                  │                                              │
   │   │                  │    git proxy     ┌────────────────┐          │  SSH push/fetch
   │   │                  │ ────────────────►│ git-gate image │──────────┼──►  to bottle.git
   │   │                  │                  │ (gitleaks +    │          │      upstreams
   │   └──────────────────┘                  │  git daemon)   │          │     (direct — not
-   │                                         └────────────────┘          │      via egress)
+   │                                         └────────────────┘          │      via pipelock)
   │                                                                     │
-   │   agent on internal network (no default route); egress and          │
-   │   git-gate straddle internal + egress networks.                     │
-   │   egress is the single HTTP/HTTPS chokepoint — all agent HTTP/HTTPS │
-   │   traffic flows through it. git-gate's SSH egress is direct         │
-   │   because egress is HTTP-only.                                      │
+   │   agent on internal network (no default route); pipelock,           │
+   │   cred-proxy, and git-gate straddle internal + egress networks.     │
+   │   pipelock is the single HTTP/HTTPS chokepoint — cred-proxy's       │
+   │   outbound traverses it too. git-gate's SSH egress is direct        │
+   │   because pipelock is HTTP-only.                                    │
   └─────────────────────────────────────────────────────────────────────┘
 ```

@@ -98,6 +104,8 @@ egress:
      auth:
        scheme: token
        token_ref: BOT_BOTTLE_GITEA_TOKEN
+      pipelock:
+        ssrf_ip_allowlist: [100.78.141.42/32]
 ---

 The `gitea-dev` bottle. Provider auth via the inherited Claude route;
@@ -14,7 +14,8 @@ import os

 # Bundle image. Defaults to a built-locally tag (built from the
 # repo's Dockerfile.sidecars via compose `build:`). Operators
-# pinning to a published digest can override via env.
+# pinning to a published digest can override via env, matching
+# the existing `BOT_BOTTLE_PIPELOCK_IMAGE` shape.
 SIDECAR_BUNDLE_IMAGE = os.environ.get(
    "BOT_BOTTLE_SIDECAR_IMAGE",
    "bot-bottle-sidecars:latest",
@@ -22,9 +22,7 @@ mounted in. That topology breaks two assumptions those tests make:
  `http://127.0.0.1:<host_port>` from inside the job time out.

 The affected tests (`test_orphan_cleanup.test_create_and_remove`,
-`test_sidecar_bundle_image.TestSidecarBundleImage`,
-`test_sidecar_bundle_compose.TestSidecarBundleCompose`) still run
-locally where the test process and Docker daemon share a host.
-Making them work in CI is a follow-up: either re-write them to
-discover container IPs via `docker inspect`, or reconfigure the
-runner with host networking.
+`test_pipelock_sidecar_smoke.test_smoke`) still run locally where the
+test process and Docker daemon share a host. Making them work in CI
+is a follow-up: either re-write them to discover container IPs via
+`docker inspect`, or reconfigure the runner with host networking.
@@ -9,6 +9,8 @@ egress:
      auth:
        scheme: Bearer
        token_ref: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN
+      pipelock:
+        tls_passthrough: true
 ---

 Common Claude provider boundary. Drop this file into
@@ -11,19 +11,16 @@ tests/
  fixtures.py                       # JSON manifest builders (shared)
  _docker.py                        # docker-availability skip helper (shared)
  unit/
-    test_egress.py
-    test_egress_addon_core.py
-    test_manifest_egress.py
-    test_dlp_detectors.py
+    test_pipelock_classify.py
+    test_pipelock_allowlist.py
+    test_pipelock_yaml.py
    test_manifest_runtime.py
-    ...                             # many others; see unit/ directory
  integration/
-    test_sidecar_bundle_image.py
-    test_sidecar_bundle_compose.py
+    test_pipelock_sidecar_smoke.py
    test_dry_run_plan.py
    test_orphan_cleanup.py
-    ...
-  canaries/                         # opt-in; see below (currently empty)
+  canaries/
+    test_pipelock_image.py          # opt-in; see below
 ```

 Classification falls out of the directory — no hand-maintained list to
@@ -35,7 +32,7 @@ keep in sync.
 python -m unittest discover -t . -s tests/unit -v         # unit only
 python -m unittest discover -t . -s tests/integration -v  # integration only
 python -m unittest discover -t . -s tests -v              # both (recursive)
-python -m unittest tests.unit.test_manifest_egress        # one file
+python -m unittest tests.unit.test_pipelock_yaml          # one file
 ```

 Discovery is invoked with `-t .` (top-level dir = repo root) so the
@@ -49,18 +46,18 @@ Discovery is invoked with `-t .` (top-level dir = repo root) so the
 - `test_orphan_cleanup.py` — `network_remove` is idempotent against
  missing resources, so the EXIT trap can call it unconditionally.
 - `test_sidecar_bundle_image.py` — builds Dockerfile.sidecars and
-  probes that gitleaks / mitmdump / supervise are all reachable
-  inside the bundle.
+  probes that pipelock / gitleaks / mitmdump / supervise are all
+  reachable inside the bundle.
 - `test_sidecar_bundle_compose.py` — end-to-end compose-up of an
  agent + bundle pair; verifies the agent reaches the bundle via
  the legacy network aliases.

 ## Canaries

-`tests/canaries/` holds upstream-regression checks gated on
+`tests/canaries/` holds upstream-regression checks (e.g. the pinned
+pipelock digest's binary still runs). These are gated on
 `BOT_BOTTLE_RUN_CANARIES=1` and not part of the per-push suite.
-They're invoked by the scheduled `canaries` workflow. Currently
-no canaries are defined.
+They're invoked by the scheduled `canaries` workflow.

 ```bash
 BOT_BOTTLE_RUN_CANARIES=1 python -m unittest discover -t . -s tests/canaries -v
@@ -70,7 +67,7 @@ BOT_BOTTLE_RUN_CANARIES=1 python -m unittest discover -t . -s tests/canaries -v

 - `bot_bottle/ssh.py` end-to-end (would need a fake SSH host inside
  the container).
- A live SSH-through-git-gate tunnel against a real Tailscale-style IP.
+- A live SSH-through-pipelock tunnel against a real Tailscale-style IP.
 - DLP false-positive measurements.
 - TLS handling / cert pinning behavior.