didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

Compare commits

base: didericis/bot-bottle:33fcecf91b5ffae2cf04d4082d2b921da038045e
Branches Tags
didericis/bot-bottle:main didericis/bot-bottle:core-coverage-badge didericis/bot-bottle:ratchet-supervise-90 didericis/bot-bottle:ratchet-manifest-90 didericis/bot-bottle:ratchet-git-gate-90 didericis/bot-bottle:ratchet-egress-core-90 didericis/bot-bottle:ratchet-yaml-subset-90 didericis/bot-bottle:ratchet-egress-addon-90 didericis/bot-bottle:cover-global-90 didericis/bot-bottle:table-drive-dlp-tests didericis/bot-bottle:flatten-deep-nesting didericis/bot-bottle:decompose-egress-dlp-config didericis/bot-bottle:cover-egress-addon-adapter didericis/bot-bottle:prd-egress-control-plane didericis/bot-bottle:prd-smolmachines-linux didericis/bot-bottle:fix-integration-test-failures didericis/bot-bottle:fix/macos-container-relative-dockerfile didericis/bot-bottle:prd-0054-install-script didericis/bot-bottle:commit-bottle-state didericis/bot-bottle:pr-211 didericis/bot-bottle:move-codex-auth-to-contrib didericis/bot-bottle:feat/pipelock-skip-scan-extensions didericis/bot-bottle:prd-0049-named-labelled-agents didericis/bot-bottle:harden-git-gate-shell-rendering
..
compare: didericis/bot-bottle:783e68cb741fb7947e09c36bedbed7752abcd603
Branches Tags
didericis/bot-bottle:core-coverage-badge didericis/bot-bottle:ratchet-supervise-90 didericis/bot-bottle:ratchet-manifest-90 didericis/bot-bottle:ratchet-git-gate-90 didericis/bot-bottle:ratchet-egress-core-90 didericis/bot-bottle:ratchet-yaml-subset-90 didericis/bot-bottle:ratchet-egress-addon-90 didericis/bot-bottle:cover-global-90 didericis/bot-bottle:table-drive-dlp-tests didericis/bot-bottle:flatten-deep-nesting didericis/bot-bottle:decompose-egress-dlp-config didericis/bot-bottle:cover-egress-addon-adapter didericis/bot-bottle:prd-egress-control-plane didericis/bot-bottle:prd-smolmachines-linux didericis/bot-bottle:main didericis/bot-bottle:fix-integration-test-failures didericis/bot-bottle:fix/macos-container-relative-dockerfile didericis/bot-bottle:prd-0054-install-script didericis/bot-bottle:commit-bottle-state didericis/bot-bottle:pr-211 didericis/bot-bottle:move-codex-auth-to-contrib didericis/bot-bottle:feat/pipelock-skip-scan-extensions didericis/bot-bottle:prd-0049-named-labelled-agents didericis/bot-bottle:harden-git-gate-shell-rendering

3 Commits
33fcecf91b .. 783e68cb74

Author SHA1 Message Date
didericis-claude 783e68cb74 build: drop unused agent-image apt deps
lint / lint (push) Successful in 1m25s
Details 
Removes socat, openssh-client, and dnsutils from Dockerfile.claude
and Dockerfile.codex.

- socat was the privileged forwarder for the in-container ssh-agent
  that PRD 0009 removed; nothing in bot_bottle references it.
- openssh-client was needed back when the agent talked ssh:// to
  upstreams; git-gate's insteadOf rewrites now route every upstream
  through HTTP/git-protocol, and ssh-keygen runs host-side from the
  deploy-key provisioner.
- dnsutils was only used by tests/integration/test_sandbox_escape.py
  (attack 4b runs dig from inside the agent container).

Splits python3/python3-pip/python3-venv onto a separate layer with
a comment noting they're app-specific and a candidate to move to a
downstream image.
 2026-06-06 12:44:08 -04:00
didericis ac9b6d593f fix(tests): fix integration test failures from deprecated git key, missing wget, and wrong prompt path
test / integration (pull_request) Successful in 41s
Details
test / unit (pull_request) Successful in 31s
Details
test / unit (push) Successful in 30s
Details
Update Quality Badges / update-badges (push) Successful in 1m3s
Details
lint / lint (push) Successful in 1m23s
Details
test / integration (push) Successful in 42s
Details 
- test_sandbox_escape: migrate manifest fixture from deprecated `git`
  key to `git-gate` (PRD 0047) — `remotes` → `repos`, field names
  `Name`/`Upstream`/`IdentityFile` → `url`/`identity`
- test_smolmachines_launch probes: replace `wget` (not in node:22-slim)
  with `curl -s --show-error --max-time 3` (installed in Dockerfile.claude)
- test_smolmachines_launch prompt test: correct path /root/ → /home/node/
  to match guest_home in smolmachines/prepare.py

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-06-06 12:29:36 -04:00
didericis-claude 8c0a9c5bc6 docs: rename PRD 0053 to PRD 0052 
Renames docs/prds/0053-egress-dlp-addon.md to 0052-egress-dlp-addon.md
and updates all references in the documentation.
 2026-06-06 16:27:04 +00:00
4 changed files with 13 additions and 14 deletions
Expand all files Collapse all files
docs/prds/0053-egress-dlp-addon.md → docs/prds/0052-egress-dlp-addon.md
+2 -2
View File
@@ -1,4 +1,4 @@
# PRD 0053: Egress DLP addon
# PRD 0052: Egress DLP addon
- **Status:** Active
- **Author:** claude
@@ -397,7 +397,7 @@ afterward, preserving the existing credential-injection security model.
4. **Naive prompt injection detector (Phase 2).**
Add `NaiveInjectionDetector` to `dlp_detectors.py`. Wire
`scan_inbound` into the new `response` hook in `egress_addon.py`.
Extend unit tests. Activate PRD 0053 (`Status: Draft → Active`) in
Extend unit tests. Activate PRD 0052 (`Status: Draft → Active`) in
this commit.
## Open questions
docs/research/yaml-route-matching-formats.md
+1 -1
View File
@@ -3,7 +3,7 @@
## Question
Bot-bottle's egress manifest currently supports exact-host matching and
a flat list of path prefixes (`path_allowlist`). As the DLP work (PRD 0053)
a flat list of path prefixes (`path_allowlist`). As the DLP work (PRD 0052)
and future route hardening evolve, we may want more expressive matching:
glob-style path patterns (`/api/*/data`), header predicates (Content-Type,
Accept), and per-method rules (GET allowed, POST blocked). What established
tests/integration/test_sandbox_escape.py
+4 -5
View File
@@ -120,11 +120,10 @@ class TestSandboxEscape(unittest.TestCase):
# is intentionally unreachable — the pre-receive
# gitleaks hook must reject BEFORE git-gate
# attempts the upstream push.
"git": {"remotes": {
"unreachable.invalid": {
"Name": "throwaway",
"Upstream": "ssh://git@unreachable.invalid:22/throwaway.git",
"IdentityFile": str(cls._key_path),
"git-gate": {"repos": {
"throwaway": {
"url": "ssh://git@unreachable.invalid:22/throwaway.git",
"identity": str(cls._key_path),
},
}},
},
tests/integration/test_smolmachines_launch.py
+6 -6
View File
@@ -110,10 +110,10 @@ class TestSmolmachinesLaunch(unittest.TestCase):
# (high-numbered) so we're confirming TSI refusal, not
# just "no service listening."
r = self.bottle.exec(
"wget -T 3 -t 1 -O - http://127.0.0.1:9 2>&1 || true"
"curl -s --show-error --max-time 3 http://127.0.0.1:9 2>&1 || true"
)
# `wget` to a denied destination produces a connect error.
# The exact phrasing varies (busybox vs gnu); we assert
# `curl` to a denied destination produces a connect error.
# The exact phrasing varies by curl version; we assert
# the response is NOT the body of any real service.
self.assertNotIn("hello-from-vm", r.stdout)
self.assertTrue(
@@ -126,10 +126,10 @@ class TestSmolmachinesLaunch(unittest.TestCase):
def test_prompt_file_lands_in_guest(self):
# provision_prompt copies the host-side prompt.txt into the
# guest at /root/.bot-bottle-prompt.txt. The content
# guest at /home/node/.bot-bottle-prompt.txt. The content
# must match what the manifest declared so claude-code's
# --append-system-prompt-file reads the right text.
r = self.bottle.exec("cat /root/.bot-bottle-prompt.txt")
r = self.bottle.exec("cat /home/node/.bot-bottle-prompt.txt")
self.assertEqual(0, r.returncode, msg=r.stderr)
self.assertEqual(_AGENT_PROMPT, r.stdout.rstrip("\n"))
@@ -143,7 +143,7 @@ class TestSmolmachinesLaunch(unittest.TestCase):
# connect fails, which is the property chunk 3 will
# preserve once egress is actually running.
r = self.bottle.exec(
f"wget -T 3 -t 1 -O - http://{self.plan.bundle_ip}:9099 "
f"curl -s --show-error --max-time 3 http://{self.plan.bundle_ip}:9099 "
"2>&1 || true"
)
self.assertTrue(