test(egress): cover egress_addon adapter; drop coverage omit

The mitmproxy adapter `egress_addon.py` was omitted from coverage
because it can't import on the host (mitmproxy is sidecar-only) and
only its log-redaction helpers were exercised. Add a request/response
flow suite that stubs mitmproxy and drives the adapter glue:
introspection, allowlist enforcement, auth strip+inject, git
push/fetch blocking, the outbound-DLP block/redact/supervise policy
branches (including the operator approval round-trip), inbound
response scanning, and WebSocket frame scanning.

Removes the `bot_bottle/egress_addon.py` omit from `.coveragerc`;
the adapter now reports ~76% covered.

Closes #286

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01NkwFXLFff9PYPy4wgVBJp9

.coveragerc

@@ -0,0 +1,8 @@
+[run]
+branch = True
+source = .
+
+[report]
+omit =
+    bot_bottle/cli/tui.py
+    tests/*

.gitea/workflows/test.yml

@@ -39,8 +39,14 @@ jobs:
         with:
           python-version: "3.12"
 
+      - name: Install dev requirements
+        run: python3 -m pip install -r requirements-dev.txt
+
       - name: Run unit tests
-        run: python3 -m unittest discover -t . -s tests/unit -v
+        run: python3 -m coverage run -m unittest discover -t . -s tests/unit -v
+
+      - name: Report unit coverage
+        run: python3 -m coverage report -m
 
   integration:
     runs-on: ubuntu-latest

.gitea/workflows/update-badges.yml

@@ -8,6 +8,7 @@ on:
       - '**.py'
       - '.pylintrc'
       - 'pyrightconfig.json'
+      - '.coveragerc'
   workflow_dispatch:
 
 jobs:
@@ -45,10 +46,19 @@ jobs:
           echo "errors=$ERRORS" >> $GITHUB_OUTPUT
           echo "Pyright errors: $ERRORS"
 
+      - name: Run coverage and extract percentage
+        id: coverage
+        run: |
+          python -m coverage run -m unittest discover -t . -s tests/unit > /dev/null 2>&1 || true
+          PERCENT=$(python -m coverage report 2>/dev/null | grep '^TOTAL' | grep -oP '\d+(?=%)' | tail -1)
+          echo "percent=$PERCENT" >> $GITHUB_OUTPUT
+          echo "Coverage: $PERCENT%"
+
       - name: Update badges in README
         run: |
           PYLINT_SCORE="${{ steps.pylint.outputs.score }}"
           PYRIGHT_ERRORS="${{ steps.pyright.outputs.errors }}"
+          COVERAGE_PERCENT="${{ steps.coverage.outputs.percent }}"
 
           PYLINT_SCORE_ENCODED=$(echo "$PYLINT_SCORE" | sed 's|/|%2F|g')
 
@@ -58,9 +68,12 @@ jobs:
           if [ -n "$PYRIGHT_ERRORS" ]; then
             sed -i "s|/badge/pyright-[^)]*|/badge/pyright-${PYRIGHT_ERRORS}%20errors-brightgreen|" README.md
           fi
+          if [ -n "$COVERAGE_PERCENT" ]; then
+            sed -i "s|/badge/coverage-[^)]*|/badge/coverage-${COVERAGE_PERCENT}%25-brightgreen|" README.md
+          fi
 
           echo "Updated badges:"
-          grep -E "pylint|pyright" README.md | head -2
+          grep -E "pylint|pyright|coverage" README.md | head -3
 
       - name: Commit and push badge updates
         run: |
@@ -73,7 +86,7 @@ jobs:
           else
             echo "Badge changes detected, committing..."
             git add README.md
-            MSG="chore: update quality badges"$'\n\n'"- Pylint: ${{ steps.pylint.outputs.score }}"$'\n'"- Pyright: ${{ steps.pyright.outputs.errors }} errors"$'\n\n'"[skip ci]"
+            MSG="chore: update quality badges"$'\n\n'"- Pylint: ${{ steps.pylint.outputs.score }}"$'\n'"- Pyright: ${{ steps.pyright.outputs.errors }} errors"$'\n'"- Coverage: ${{ steps.coverage.outputs.percent }}%"$'\n\n'"[skip ci]"
             git commit -m "$MSG"
             git push
           fi

.gitignore

@@ -22,3 +22,4 @@ venv/
 .pytest_cache/
 .mypy_cache/
 .ruff_cache/
+.coverage

README.md

@@ -6,7 +6,8 @@
 
 [![test](https://gitea.dideric.is/didericis/bot-bottle/actions/workflows/test.yml/badge.svg?branch=main)](https://gitea.dideric.is/didericis/bot-bottle/actions?workflow=test.yml)
 [![pylint](https://img.shields.io/badge/pylint-9.93%2F10-brightgreen)](https://github.com/PyCQA/pylint)
-[![pyright](https://img.shields.io/badge/pyright-1%20errors-brightgreen)](https://github.com/microsoft/pyright)
+[![pyright](https://img.shields.io/badge/pyright-0%20errors-brightgreen)](https://github.com/microsoft/pyright)
+[![coverage](https://img.shields.io/badge/coverage-79%25-brightgreen)](https://coverage.readthedocs.io/)
 
 **Problem:** Developer wants to run a coding agent without supervision, but they don't want a prompt injected or misbehaving agent wrecking their environment or exfiltrating sensitive data.
 

bot_bottle/cli/supervise.py

@@ -319,7 +319,7 @@ def _list_once() -> int:
     return 0
 
 
-def _try_init_green() -> int:
+def _try_init_green() -> int:  # pragma: no cover
     """Initialise a green color pair and return its attr, or 0."""
     try:
         curses.start_color()
@@ -330,7 +330,7 @@ def _try_init_green() -> int:
         return 0
 
 
-def _main_loop(stdscr: "curses._CursesWindow") -> None:  # type: ignore
+def _main_loop(stdscr: "curses._CursesWindow") -> None:  # type: ignore  # pragma: no cover
     curses.curs_set(0)
     stdscr.timeout(_REFRESH_INTERVAL_MS)
     green_attr = _try_init_green()
@@ -420,7 +420,7 @@ def _render(
     status_line: str,
     *,
     green_attr: int = 0,  # noqa: F841 — unused, but required by interface
-) -> None:
+) -> None:  # pragma: no cover
     stdscr.erase()
     h, w = stdscr.getmaxyx()
     header = f"bot-bottle supervise  ({len(pending)} pending)"
@@ -471,7 +471,7 @@ def _detail_view(
     qp: QueuedProposal,
     *,
     green_attr: int = 0,
-) -> None:
+) -> None:  # pragma: no cover
     """Render the full proposal. Scrollable. Press q to return."""
     lines = _detail_lines(qp, green_attr=green_attr)
     offset = 0
@@ -523,7 +523,7 @@ def _detail_view(
             return
 
 
-def _modify(stdscr: "curses._CursesWindow", qp: QueuedProposal) -> str | None:  # type: ignore
+def _modify(stdscr: "curses._CursesWindow", qp: QueuedProposal) -> str | None:  # type: ignore  # pragma: no cover
     """Suspend curses, open $EDITOR on the proposed file, return edited content."""
     suffix = _suffix_for_tool(qp.proposal.tool)
     curses.endwin()
@@ -534,7 +534,7 @@ def _modify(stdscr: "curses._CursesWindow", qp: QueuedProposal) -> str | None:
     return edited
 
 
-def _prompt(stdscr: "curses._CursesWindow", label: str) -> str:  # type: ignore
+def _prompt(stdscr: "curses._CursesWindow", label: str) -> str:  # type: ignore  # pragma: no cover
     """One-line input at the bottom of the screen."""
     curses.curs_set(1)
     h, _ = stdscr.getmaxyx()

docs/prds/0066-separate-agent-bottle-selection.md

@@ -1,4 +1,4 @@
-# PRD prd-new: Separate agent and bottle selection
+# PRD 0066: Separate agent and bottle selection
 
 - **Status:** Active
 - **Author:** claude

requirements-dev.txt

@@ -4,3 +4,4 @@
 
 pylint>=3.0.0
 pyright>=1.1.300
+coverage>=7.0.0

tests/integration/test_sandbox_escape.py

@@ -92,9 +92,9 @@ class TestSandboxEscape(unittest.TestCase):
                     "on PATH: curl -sSL https://smolmachines.com/install.sh | sh"
                 )
 
-        # Throwaway "identity file" for the git-gate's `identity` field.
-        # It need not be a real SSH key: test 5 reaches gitleaks before
-        # any SSH attempt anyway.
+        # Throwaway static key for the git-gate fixture. It need not
+        # be a real SSH key: test 5 reaches gitleaks before any SSH
+        # attempt anyway.
         fd, kp = tempfile.mkstemp(prefix="sandbox-test-key.")
         os.close(fd)
         cls._key_path = Path(kp)
@@ -123,7 +123,10 @@ class TestSandboxEscape(unittest.TestCase):
                     "git-gate": {"repos": {
                         "throwaway": {
                             "url": "ssh://git@unreachable.invalid:22/throwaway.git",
-                            "identity": str(cls._key_path),
+                            "key": {
+                                "provider": "static",
+                                "path": str(cls._key_path),
+                            },
                         },
                     }},
                 },

tests/integration/test_smolmachines_launch.py

@@ -198,6 +198,7 @@ class TestSmolmachinesLaunch(unittest.TestCase):
         # connect fails, which is the property chunk 3 will
         # preserve once egress is actually running.
         r = self.bottle.exec(
+            "env -u HTTPS_PROXY -u HTTP_PROXY -u https_proxy -u http_proxy "
             f"curl -s --show-error --max-time 3 http://{self.plan.bundle_ip}:9099 "
             "2>&1 || true"
         )

tests/unit/test_egress_addon_request_flow.py

@@ -0,0 +1,525 @@
+"""Unit: EgressAddon request/response decision flow (issue #286).
+
+`egress_addon.py` is the sidecar-only mitmproxy adapter that wires the
+host-importable decision logic in `egress_addon_core` into mitmproxy's
+request/response hooks. The core logic is exercised directly by
+`test_egress_addon_core.py`; the redaction logging by
+`test_egress_addon_log_redaction.py`. This file covers the adapter glue
+itself — `request()`, `response()`, `websocket_message()`, introspection,
+auth injection, git push/fetch blocking and the outbound-DLP policy
+branches — so `bot_bottle/egress_addon.py` no longer has to be omitted
+from coverage.
+
+mitmproxy is not installed on the host, so we pre-populate `sys.modules`
+with the minimum stubs needed to import the adapter (a `mitmproxy.http`
+module exposing a `Response` with `.make`, plus the flat
+`egress_addon_core` name the sidecar uses)."""
+
+from __future__ import annotations
+
+import asyncio
+import json
+import sys
+import tempfile
+import types
+import unittest
+from io import StringIO
+from pathlib import Path
+from typing import Any
+from unittest.mock import patch
+
+
+# ---------------------------------------------------------------------------
+# Stub flow objects (mirror the slice of mitmproxy's API the adapter uses)
+# ---------------------------------------------------------------------------
+
+
+class _Headers:
+    """Case-insensitive header map covering the subset of mitmproxy's
+    Headers API the adapter touches: items/get/pop/__setitem__/dict()."""
+
+    def __init__(self, d: dict[str, str] | None = None) -> None:
+        self._d: dict[str, str] = dict(d or {})
+
+    def _find(self, key: str) -> str | None:
+        return next((k for k in self._d if k.lower() == key.lower()), None)
+
+    def items(self) -> list[tuple[str, str]]:
+        return list(self._d.items())
+
+    def keys(self) -> list[str]:
+        return list(self._d.keys())
+
+    def __iter__(self) -> Any:
+        return iter(self._d)
+
+    def __getitem__(self, key: str) -> str:
+        k = self._find(key)
+        if k is None:
+            raise KeyError(key)
+        return self._d[k]
+
+    def __setitem__(self, key: str, value: str) -> None:
+        self._d[self._find(key) or key] = value
+
+    def __contains__(self, key: str) -> bool:
+        return self._find(key) is not None
+
+    def get(self, key: str, default: str | None = None) -> str | None:
+        k = self._find(key)
+        return self._d[k] if k is not None else default
+
+    def pop(self, key: str, default: str | None = None) -> str | None:
+        k = self._find(key)
+        return self._d.pop(k) if k is not None else default
+
+
+class _Response:
+    def __init__(
+        self,
+        status_code: int = 200,
+        headers: dict[str, str] | None = None,
+        content: bytes | str = b"",
+    ) -> None:
+        self.status_code = status_code
+        self.headers = _Headers(headers)
+        self._body = (
+            content if isinstance(content, str)
+            else content.decode("utf-8", "replace")
+        )
+
+    def get_text(self, *, strict: bool = True) -> str:
+        del strict
+        return self._body
+
+    @classmethod
+    def make(
+        cls,
+        status_code: int = 200,
+        content: bytes | str = b"",
+        headers: dict[str, str] | None = None,
+    ) -> "_Response":
+        return cls(status_code, headers, content)
+
+
+class _Request:
+    def __init__(
+        self,
+        host: str = "api.example.com",
+        method: str = "GET",
+        path: str = "/v1/messages",
+        headers: dict[str, str] | None = None,
+        body: str = "",
+    ) -> None:
+        self.pretty_host = host
+        self.method = method
+        self.path = path
+        self.headers = _Headers(headers)
+        self._body = body
+
+    def get_text(self, *, strict: bool = True) -> str:
+        del strict
+        return self._body
+
+    @property
+    def text(self) -> str:
+        return self._body
+
+    @text.setter
+    def text(self, value: str) -> None:
+        self._body = value
+
+
+class _Flow:
+    def __init__(
+        self,
+        request: _Request | None = None,
+        response: _Response | None = None,
+    ) -> None:
+        self.request = request or _Request()
+        self.response = response
+        self.websocket: Any = None
+        self.killed = False
+
+    def kill(self) -> None:
+        self.killed = True
+
+
+class _Message:
+    def __init__(self, content: bytes, from_client: bool) -> None:
+        self.content = content
+        self.from_client = from_client
+
+
+class _WebSocketData:
+    def __init__(self, messages: list[_Message]) -> None:
+        self.messages = messages
+
+
+# ---------------------------------------------------------------------------
+# Sidecar-import shims — must run before importing egress_addon
+# ---------------------------------------------------------------------------
+
+
+def _ensure_shims() -> None:
+    mm = sys.modules.get("mitmproxy")
+    if mm is None:
+        mm = types.ModuleType("mitmproxy")
+        sys.modules["mitmproxy"] = mm
+    mh = sys.modules.get("mitmproxy.http")
+    if mh is None:
+        mh = types.ModuleType("mitmproxy.http")
+        sys.modules["mitmproxy.http"] = mh
+        setattr(mm, "http", mh)
+    # Other egress_addon tests may have registered an empty mitmproxy.http;
+    # make sure the Response/HTTPFlow attrs the request flow needs exist.
+    if not hasattr(mh, "Response"):
+        setattr(mh, "Response", _Response)
+    if not hasattr(mh, "HTTPFlow"):
+        setattr(mh, "HTTPFlow", object)
+    if "egress_addon_core" not in sys.modules:
+        import bot_bottle.egress_addon_core as _core
+        sys.modules["egress_addon_core"] = _core
+
+
+_ensure_shims()
+
+import bot_bottle.egress_addon as _ea_mod  # noqa: E402  (after shims)
+from bot_bottle.egress_addon import EgressAddon  # noqa: E402  (after shims)
+from bot_bottle.egress_addon_core import (  # noqa: E402
+    Config,
+    LOG_BLOCKS,
+    Route,
+)
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+_OPENAI_KEY = "sk-" + "A" * 48
+
+
+def _addon(config: Config) -> EgressAddon:
+    """Bare EgressAddon with a supplied config and no supervise wiring."""
+    a: EgressAddon = EgressAddon.__new__(EgressAddon)
+    a.config = config
+    a.safe_tokens = set()
+    a._supervise_queue_dir = ""
+    a._supervise_slug = ""
+    a._token_allow_timeout = 300.0
+    a.routes_path = "/nonexistent/routes.yaml"
+    return a
+
+
+def _run_request(addon: EgressAddon, flow: _Flow) -> None:
+    asyncio.run(addon.request(flow))  # type: ignore[arg-type]
+
+
+# ---------------------------------------------------------------------------
+# Introspection endpoint
+# ---------------------------------------------------------------------------
+
+
+class TestIntrospection(unittest.TestCase):
+    def test_allowlist_endpoint_lists_routes(self) -> None:
+        addon = _addon(Config(routes=(Route(host="api.example.com"),)))
+        flow = _Flow(_Request(host="_egress.local", path="/allowlist"))
+        _run_request(addon, flow)
+        assert flow.response is not None
+        self.assertEqual(200, flow.response.status_code)
+        payload = json.loads(flow.response.get_text())
+        self.assertEqual(["api.example.com"], [r["host"] for r in payload["routes"]])
+
+    def test_unknown_endpoint_404(self) -> None:
+        addon = _addon(Config(routes=()))
+        flow = _Flow(_Request(host="_egress.local", path="/nope"))
+        _run_request(addon, flow)
+        assert flow.response is not None
+        self.assertEqual(404, flow.response.status_code)
+
+
+# ---------------------------------------------------------------------------
+# Allowlist enforcement
+# ---------------------------------------------------------------------------
+
+
+class TestAllowlist(unittest.TestCase):
+    def test_unlisted_host_blocked_403(self) -> None:
+        addon = _addon(Config(routes=(Route(host="allowed.example.com"),)))
+        flow = _Flow(_Request(host="evil.example.com"))
+        _run_request(addon, flow)
+        assert flow.response is not None
+        self.assertEqual(403, flow.response.status_code)
+        self.assertIn("allowlist", flow.response.get_text())
+
+    def test_listed_host_forwarded_no_response_written(self) -> None:
+        addon = _addon(Config(routes=(Route(host="api.example.com"),)))
+        flow = _Flow(_Request(host="api.example.com"))
+        _run_request(addon, flow)
+        # forward == adapter leaves flow.response untouched for the upstream
+        self.assertIsNone(flow.response)
+
+
+# ---------------------------------------------------------------------------
+# Authorization stripping + injection
+# ---------------------------------------------------------------------------
+
+
+class TestAuthInjection(unittest.TestCase):
+    def test_agent_authorization_stripped_and_real_token_injected(self) -> None:
+        route = Route(host="api.example.com", auth_scheme="Bearer", token_env="EGRESS_TOKEN_0")
+        addon = _addon(Config(routes=(route,)))
+        flow = _Flow(_Request(host="api.example.com", headers={"authorization": "Bearer agent-faked"}))
+        with patch.dict("os.environ", {"EGRESS_TOKEN_0": "real-sidecar-token"}):
+            _run_request(addon, flow)
+        self.assertEqual("Bearer real-sidecar-token", flow.request.headers.get("authorization"))
+        self.assertIsNone(flow.response)
+
+    def test_auth_route_with_unset_env_blocks(self) -> None:
+        route = Route(
+            host="api.example.com", auth_scheme="Bearer", token_env="EGRESS_TOKEN_MISSING",
+        )
+        addon = _addon(Config(routes=(route,)))
+        flow = _Flow(_Request(host="api.example.com"))
+        with patch.dict("os.environ", {}, clear=False):
+            import os
+            os.environ.pop("EGRESS_TOKEN_MISSING", None)
+            _run_request(addon, flow)
+        assert flow.response is not None
+        self.assertEqual(403, flow.response.status_code)
+
+
+# ---------------------------------------------------------------------------
+# git push / fetch over HTTPS
+# ---------------------------------------------------------------------------
+
+
+class TestGitOverHttps(unittest.TestCase):
+    def test_git_push_blocked(self) -> None:
+        addon = _addon(Config(routes=(Route(host="git.example.com"),)))
+        flow = _Flow(_Request(
+            host="git.example.com",
+            method="POST",
+            path="/repo.git/git-receive-pack",
+        ))
+        _run_request(addon, flow)
+        assert flow.response is not None
+        self.assertEqual(403, flow.response.status_code)
+        self.assertIn("git push over HTTPS", flow.response.get_text())
+
+    def test_git_fetch_blocked_on_non_fetch_route(self) -> None:
+        addon = _addon(Config(routes=(Route(host="git.example.com"),)))
+        flow = _Flow(_Request(
+            host="git.example.com",
+            path="/repo.git/info/refs",
+        ))
+        flow.request.path = "/repo.git/info/refs?service=git-upload-pack"
+        _run_request(addon, flow)
+        assert flow.response is not None
+        self.assertEqual(403, flow.response.status_code)
+
+    def test_git_fetch_allowed_on_fetch_route(self) -> None:
+        addon = _addon(Config(routes=(Route(host="git.example.com", git_fetch=True),)))
+        flow = _Flow(_Request(
+            host="git.example.com",
+            path="/repo.git/info/refs?service=git-upload-pack",
+        ))
+        _run_request(addon, flow)
+        self.assertIsNone(flow.response)
+
+
+# ---------------------------------------------------------------------------
+# Outbound DLP policy branches
+# ---------------------------------------------------------------------------
+
+
+class TestOutboundDlpPolicy(unittest.TestCase):
+    def test_block_policy_hard_403(self) -> None:
+        route = Route(host="api.example.com", outbound_on_match="block")
+        addon = _addon(Config(routes=(route,)))
+        flow = _Flow(_Request(host="api.example.com", method="POST", body=f"key={_OPENAI_KEY}"))
+        _run_request(addon, flow)
+        assert flow.response is not None
+        self.assertEqual(403, flow.response.status_code)
+        self.assertIn("DLP", flow.response.get_text())
+
+    def test_redact_policy_scrubs_and_forwards(self) -> None:
+        route = Route(host="api.example.com", outbound_on_match="redact")
+        addon = _addon(Config(routes=(route,)))
+        flow = _Flow(_Request(host="api.example.com", method="POST", body=f"key={_OPENAI_KEY}"))
+        _run_request(addon, flow)
+        self.assertIsNone(flow.response)  # forwarded
+        self.assertNotIn(_OPENAI_KEY, flow.request.get_text())
+
+    def test_supervise_default_without_wiring_blocks(self) -> None:
+        # outbound_on_match unset -> supervise default; no supervise queue wired
+        # -> fail closed with a hard 403.
+        route = Route(host="api.example.com")
+        addon = _addon(Config(routes=(route,)))
+        flow = _Flow(_Request(host="api.example.com", method="POST", body=f"key={_OPENAI_KEY}"))
+        _run_request(addon, flow)
+        assert flow.response is not None
+        self.assertEqual(403, flow.response.status_code)
+
+
+# ---------------------------------------------------------------------------
+# Outbound DLP supervise branch (operator approval round-trip)
+# ---------------------------------------------------------------------------
+
+
+def _fake_sv(response_status: str | None) -> types.SimpleNamespace:
+    """Stand-in for the `supervise` module the adapter queues proposals to.
+
+    `response_status` of None models a timeout (read_response never returns a
+    decision); a status string models the operator's eventual answer."""
+    def _new_proposal(**_kw: Any) -> Any:
+        return types.SimpleNamespace(id="prop-1")
+
+    def _sha256_hex(_payload: Any) -> str:
+        return "hash"
+
+    def _noop(_a: Any, _b: Any) -> None:
+        return None
+
+    def _read_response(_qd: Any, _pid: Any) -> Any:
+        if response_status is None:
+            raise OSError("not written yet")  # forces poll -> timeout
+        return types.SimpleNamespace(status=response_status)
+
+    ns = types.SimpleNamespace()
+    ns.STATUS_APPROVED = "approved"
+    ns.STATUS_MODIFIED = "modified"
+    ns.TOOL_EGRESS_TOKEN_ALLOW = "egress_token_allow"
+    ns.Proposal = types.SimpleNamespace(new=_new_proposal)
+    ns.sha256_hex = _sha256_hex
+    ns.write_proposal = _noop
+    ns.archive_proposal = _noop
+    ns.read_response = _read_response
+    return ns
+
+
+class TestSuperviseBranch(unittest.TestCase):
+    def _supervised_addon(self) -> EgressAddon:
+        addon = _addon(Config(routes=(Route(host="api.example.com"),)))
+        addon._supervise_queue_dir = "/tmp/egress-queue"
+        addon._supervise_slug = "test-bottle"
+        addon._token_allow_timeout = 0.05
+        return addon
+
+    def test_operator_approval_allows_token_and_forwards(self) -> None:
+        addon = self._supervised_addon()
+        flow = _Flow(_Request(host="api.example.com", method="POST", body=f"k={_OPENAI_KEY}"))
+        with patch.object(_ea_mod, "_sv", _fake_sv("approved")):
+            _run_request(addon, flow)
+        self.assertIsNone(flow.response)  # forwarded after approval
+        self.assertIn(_OPENAI_KEY, addon.safe_tokens)
+
+    def test_operator_rejection_blocks(self) -> None:
+        addon = self._supervised_addon()
+        flow = _Flow(_Request(host="api.example.com", method="POST", body=f"k={_OPENAI_KEY}"))
+        with patch.object(_ea_mod, "_sv", _fake_sv("rejected")):
+            _run_request(addon, flow)
+        assert flow.response is not None
+        self.assertEqual(403, flow.response.status_code)
+        self.assertIn("rejected", flow.response.get_text())
+
+    def test_supervise_timeout_blocks(self) -> None:
+        addon = self._supervised_addon()
+        flow = _Flow(_Request(host="api.example.com", method="POST", body=f"k={_OPENAI_KEY}"))
+        with patch.object(_ea_mod, "_sv", _fake_sv(None)):
+            _run_request(addon, flow)
+        assert flow.response is not None
+        self.assertEqual(403, flow.response.status_code)
+        self.assertIn("timed out", flow.response.get_text())
+
+
+# ---------------------------------------------------------------------------
+# Inbound DLP on responses
+# ---------------------------------------------------------------------------
+
+
+class TestInboundResponseScan(unittest.TestCase):
+    def test_clean_response_untouched(self) -> None:
+        route = Route(host="api.example.com")
+        addon = _addon(Config(routes=(route,)))
+        flow = _Flow(
+            _Request(host="api.example.com"),
+            _Response(200, content='{"ok": true}'),
+        )
+        addon.response(flow)  # type: ignore[arg-type]
+        assert flow.response is not None
+        self.assertEqual(200, flow.response.status_code)
+
+    def test_response_for_unlisted_host_is_noop(self) -> None:
+        addon = _addon(Config(routes=()))
+        flow = _Flow(_Request(host="api.example.com"), _Response(200, content="x"))
+        addon.response(flow)  # type: ignore[arg-type]
+        assert flow.response is not None
+        self.assertEqual(200, flow.response.status_code)
+
+
+# ---------------------------------------------------------------------------
+# WebSocket frame scanning
+# ---------------------------------------------------------------------------
+
+
+class TestWebSocket(unittest.TestCase):
+    def test_outbound_frame_with_token_kills_connection(self) -> None:
+        route = Route(host="api.example.com")
+        addon = _addon(Config(routes=(route,)))
+        flow = _Flow(_Request(host="api.example.com"))
+        flow.websocket = _WebSocketData([_Message(f"k={_OPENAI_KEY}".encode(), from_client=True)])
+        addon.websocket_message(flow)  # type: ignore[arg-type]
+        self.assertTrue(flow.killed)
+
+    def test_clean_outbound_frame_passes(self) -> None:
+        route = Route(host="api.example.com")
+        addon = _addon(Config(routes=(route,)))
+        flow = _Flow(_Request(host="api.example.com"))
+        flow.websocket = _WebSocketData([_Message(b"hello world", from_client=True)])
+        addon.websocket_message(flow)  # type: ignore[arg-type]
+        self.assertFalse(flow.killed)
+
+    def test_unlisted_host_websocket_is_noop(self) -> None:
+        addon = _addon(Config(routes=()))
+        flow = _Flow(_Request(host="api.example.com"))
+        flow.websocket = _WebSocketData([_Message(f"k={_OPENAI_KEY}".encode(), from_client=True)])
+        addon.websocket_message(flow)  # type: ignore[arg-type]
+        self.assertFalse(flow.killed)
+
+
+# ---------------------------------------------------------------------------
+# _block logging + config reload via the real file path
+# ---------------------------------------------------------------------------
+
+
+class TestBlockLoggingAndReload(unittest.TestCase):
+    def test_block_emits_json_log_when_enabled(self) -> None:
+        addon = _addon(Config(routes=(Route(host="allowed.example.com"),), log=LOG_BLOCKS))
+        flow = _Flow(_Request(host="evil.example.com"))
+        buf = StringIO()
+        with patch("sys.stderr", buf):
+            _run_request(addon, flow)
+        logged = [json.loads(line) for line in buf.getvalue().splitlines() if line.strip()]
+        self.assertTrue(any(e.get("event") == "egress_block" for e in logged))
+
+    def test_init_loads_routes_from_file(self) -> None:
+        with tempfile.TemporaryDirectory() as d:
+            routes = Path(d) / "routes.yaml"
+            routes.write_text("routes:\n  - host: api.example.com\n", encoding="utf-8")
+            with patch.dict("os.environ", {"EGRESS_ROUTES": str(routes)}):
+                addon = EgressAddon()
+            self.assertEqual(("api.example.com",), tuple(r.host for r in addon.config.routes))
+
+    def test_init_missing_routes_file_is_empty_config(self) -> None:
+        with patch.dict("os.environ", {"EGRESS_ROUTES": "/no/such/routes.yaml"}):
+            buf = StringIO()
+            with patch("sys.stderr", buf):
+                addon = EgressAddon()
+        self.assertEqual((), addon.config.routes)
+
+
+if __name__ == "__main__":
+    unittest.main()

tests/unit/test_git_gate.py

@@ -4,6 +4,7 @@ import os
 import tempfile
 import unittest
 from pathlib import Path
+from unittest.mock import patch
 
 from bot_bottle.git_gate import (
     GitGate,
@@ -13,6 +14,8 @@ from bot_bottle.git_gate import (
     git_gate_render_access_hook,
     git_gate_render_entrypoint,
     git_gate_render_hook,
+    revoke_git_gate_provisioned_keys,
+    _resolve_identity_file,
     git_gate_upstreams_for_bottle,
 )
 from bot_bottle.manifest import ManifestIndex
@@ -328,6 +331,68 @@ class TestPrepare(unittest.TestCase):
         self.assertIn("exec git daemon", content)
 
 
+class TestDynamicKeyProvisioning(unittest.TestCase):
+    def setUp(self):
+        self.stage = Path(tempfile.mkdtemp())
+
+    def tearDown(self):
+        import shutil
+
+        shutil.rmtree(self.stage, ignore_errors=True)
+
+    def _gitea_manifest(self):
+        return ManifestIndex.from_json_obj({
+            "bottles": {
+                "dev": {
+                    "git-gate": {
+                        "repos": {
+                            "repo": {
+                                "url": "ssh://git@gitea.example.com/org/repo.git",
+                                "key": {
+                                    "provider": "gitea",
+                                    "forge_token_env": "GITEA_TOKEN",
+                                },
+                                "host_key": "ssh-ed25519 AAAA...",
+                            },
+                        },
+                    }
+                }
+            },
+            "agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
+        })
+
+    def test_resolve_identity_file_static_uses_entry_path(self):
+        entry = fixture_with_git().bottles["dev"].git[0]
+        self.assertEqual(entry.IdentityFile, _resolve_identity_file(entry, "demo", self.stage))
+
+    def test_resolve_identity_file_gitea_provisions_key(self):
+        entry = self._gitea_manifest().bottles["dev"].git[0]
+        with patch("bot_bottle.git_gate._provision_dynamic_key", return_value="/tmp/provisioned-key") as mock_provision:
+            self.assertEqual("/tmp/provisioned-key", _resolve_identity_file(entry, "demo", self.stage))
+        mock_provision.assert_called_once()
+
+    def test_revoke_skips_non_gitea_and_missing_id_file(self):
+        revoke_git_gate_provisioned_keys(fixture_with_git().bottles["dev"], self.stage)
+
+    def test_revoke_calls_delete_for_gitea_entry(self):
+        bottle = self._gitea_manifest().bottles["dev"]
+        (self.stage / "repo-deploy-key-id").write_text("123\n")
+        with patch.dict("os.environ", {"GITEA_TOKEN": "token"}), patch(
+            "bot_bottle.deploy_key_provisioner.get_provisioner"
+        ) as mock_get_provisioner:
+            provisioner = mock_get_provisioner.return_value
+            revoke_git_gate_provisioned_keys(bottle, self.stage)
+        mock_get_provisioner.assert_called_once()
+        provisioner.delete.assert_called_once_with("org/repo", "123")
+
+    def test_revoke_missing_token_raises(self):
+        bottle = self._gitea_manifest().bottles["dev"]
+        (self.stage / "repo-deploy-key-id").write_text("123\n")
+        with patch.dict("os.environ", {}, clear=True), self.assertRaises(RuntimeError) as cm:
+            revoke_git_gate_provisioned_keys(bottle, self.stage)
+        self.assertIn("env var is not set", str(cm.exception))
+
+
 class TestShellEscaping(unittest.TestCase):
     """Regression tests: all three render functions must produce syntactically
     valid sh code even when names and upstream URLs contain shell-special

tests/unit/test_supervise_server.py

@@ -364,6 +364,23 @@ class TestHandleToolsCall(unittest.TestCase):
                 self.config,
             )
 
+    def test_missing_name_raises(self):
+        with self.assertRaises(_RpcError) as cm:
+            handle_tools_call({"arguments": {}}, self.config)
+        self.assertEqual(ERR_INVALID_PARAMS, cm.exception.code)
+
+    def test_arguments_must_be_object(self):
+        with self.assertRaises(_RpcError) as cm:
+            handle_tools_call(
+                {
+                    "name": _sv.TOOL_EGRESS_ALLOW,
+                    "arguments": [],
+                },
+                self.config,
+            )
+        self.assertEqual(ERR_INVALID_PARAMS, cm.exception.code)
+        self.assertIn("must be an object", cm.exception.message)
+
     def test_capability_block_call_raises_unknown_tool(self):
         with self.assertRaises(_RpcError) as cm:
             handle_tools_call(
@@ -426,6 +443,31 @@ class TestHandleToolsCall(unittest.TestCase):
 
 
 class TestHandleListEgressRoutes(unittest.TestCase):
+    def test_success_returns_body_text(self):
+        class _Resp:
+            def __enter__(self):
+                return self
+
+            def __exit__(self, exc_type: type[BaseException] | None, exc: BaseException | None, tb: object) -> bool:
+                return False
+
+            def read(self):
+                return b"[{\"host\": \"example.com\"}]"
+
+        class _Opener:
+            def open(self, *args, **kwargs):  # noqa: ANN001, ANN002, ANN003  # type: ignore
+                return _Resp()
+
+        with patch.object(supervise_server.urllib.request, "build_opener", return_value=_Opener()):
+            result = handle_list_egress_routes(
+                {},
+                ServerConfig(bottle_slug="dev", queue_dir=Path("/unused")),
+            )
+
+        self.assertFalse(result["isError"])  # type: ignore[index]
+        text = result["content"][0]["text"]  # type: ignore[index]
+        self.assertIn("example.com", text)
+
     def test_url_error_returns_tool_error(self):
         class _Opener:
             def open(self, *args, **kwargs):  # noqa: ANN001, ANN002, ANN003  # type: ignore
@@ -485,6 +527,13 @@ class TestFormatResponseText(unittest.TestCase):
         self.assertIn("the operator modified", text.lower())
 
 
+class TestFormatPendingResponseText(unittest.TestCase):
+    def test_formats_timeout_message(self):
+        text = supervise_server.format_pending_response_text(12.5)
+        self.assertIn("status: pending", text)
+        self.assertIn("12.5s", text)
+
+
 # --- End-to-end HTTP sanity ------------------------------------------------