merge: update tests/unit/test_supervise_server.py from issue-277-coverage-ci

merge: update bot_bottle/cli/supervise.py from issue-277-coverage-ci
merge: update .gitignore from issue-277-coverage-ci
2026-06-25 14:31:36 -04:00 · 2026-06-25 14:31:32 -04:00 · 2026-06-25 14:31:29 -04:00 · 2026-06-25 14:31:27 -04:00 · 2026-06-25 04:39:43 -04:00 · 2026-06-25 04:08:21 -04:00
41 changed files with 574 additions and 1563 deletions
@@ -8,7 +8,6 @@ on:
      - '**.py'
      - '.pylintrc'
      - 'pyrightconfig.json'
      - '.coveragerc'
  workflow_dispatch:
 jobs:
@@ -46,19 +45,10 @@ jobs:
          echo "errors=$ERRORS" >> $GITHUB_OUTPUT
          echo "Pyright errors: $ERRORS"
      - name: Run coverage and extract percentage
        id: coverage
        run: |
          python -m coverage run -m unittest discover -t . -s tests/unit > /dev/null 2>&1 || true
          PERCENT=$(python -m coverage report 2>/dev/null | grep '^TOTAL' | grep -oP '\d+(?=%)' | tail -1)
          echo "percent=$PERCENT" >> $GITHUB_OUTPUT
          echo "Coverage: $PERCENT%"
      - name: Update badges in README
        run: |
          PYLINT_SCORE="${{ steps.pylint.outputs.score }}"
          PYRIGHT_ERRORS="${{ steps.pyright.outputs.errors }}"
          COVERAGE_PERCENT="${{ steps.coverage.outputs.percent }}"
          PYLINT_SCORE_ENCODED=$(echo "$PYLINT_SCORE" | sed 's|/|%2F|g')
@@ -68,12 +58,9 @@ jobs:
          if [ -n "$PYRIGHT_ERRORS" ]; then
            sed -i "s|/badge/pyright-[^)]*|/badge/pyright-${PYRIGHT_ERRORS}%20errors-brightgreen|" README.md
          fi
          if [ -n "$COVERAGE_PERCENT" ]; then
            sed -i "s|/badge/coverage-[^)]*|/badge/coverage-${COVERAGE_PERCENT}%25-brightgreen|" README.md
          fi
          echo "Updated badges:"
-          grep -E "pylint|pyright|coverage" README.md | head -3
+          grep -E "pylint|pyright" README.md | head -2
      - name: Commit and push badge updates
        run: |
@@ -86,7 +73,7 @@ jobs:
          else
            echo "Badge changes detected, committing..."
            git add README.md
-            MSG="chore: update quality badges"$'\n\n'"- Pylint: ${{ steps.pylint.outputs.score }}"$'\n'"- Pyright: ${{ steps.pyright.outputs.errors }} errors"$'\n'"- Coverage: ${{ steps.coverage.outputs.percent }}%"$'\n\n'"[skip ci]"
+            MSG="chore: update quality badges"$'\n\n'"- Pylint: ${{ steps.pylint.outputs.score }}"$'\n'"- Pyright: ${{ steps.pyright.outputs.errors }} errors"$'\n\n'"[skip ci]"
            git commit -m "$MSG"
            git push
          fi
@@ -7,7 +7,6 @@
 [![test](https://gitea.dideric.is/didericis/bot-bottle/actions/workflows/test.yml/badge.svg?branch=main)](https://gitea.dideric.is/didericis/bot-bottle/actions?workflow=test.yml)
 [![pylint](https://img.shields.io/badge/pylint-9.93%2F10-brightgreen)](https://github.com/PyCQA/pylint)
 [![pyright](https://img.shields.io/badge/pyright-0%20errors-brightgreen)](https://github.com/microsoft/pyright)
 [![coverage](https://img.shields.io/badge/coverage-79%25-brightgreen)](https://coverage.readthedocs.io/)
 **Problem:** Developer wants to run a coding agent without supervision, but they don't want a prompt injected or misbehaving agent wrecking their environment or exfiltrating sensitive data.
@@ -26,7 +25,7 @@
 - **Provider templates (Claude, Codex)** — `Dockerfile.claude` / `Dockerfile.codex`, or a bottle-supplied Dockerfile. Claude auth via long-lived OAuth token; Codex via opt-in host device-auth forwarding.
 - **gVisor auto-detect** — on Linux hosts where `runsc` is registered with Docker, every bottle launches under it for a userspace syscall barrier; no manifest config required.
 - **Apple Container backend (macOS default when available)** — runs the agent and sidecar bundle with Apple's `container` CLI, using a host-only agent network plus a separate sidecar egress network.
- **Smolmachines backend** — runs the agent in a libkrun micro-VM while the sidecar bundle stays in Docker. TSI and smolmachines DNS filtering close the raw DNS exfiltration gap that exists in the legacy Docker backend. Runs on macOS (Hypervisor.framework) and Linux (KVM, `/dev/kvm`).
+- **Smolmachines backend** — runs the agent in a libkrun micro-VM while the sidecar bundle stays in Docker. TSI and smolmachines DNS filtering close the raw DNS exfiltration gap that exists in the legacy Docker backend.
 - **Legacy Docker backend** — still available for examples, CI, and hosts without Apple Container via `BOT_BOTTLE_BACKEND=docker` or `--backend=docker`.
 ## Architecture
@@ -72,26 +71,10 @@ When the agent exits, `cli.py` tears down every sidecar and both networks; nothi
 ## Quickstart
-On compatible macOS hosts, the default backend requires Apple's `container` CLI and does not require Docker. The smolmachines backend requires Docker on the host for the sidecar bundle plus `smolvm` (macOS or Linux). The legacy Docker backend requires Docker. Claude bottles also need a long-lived Claude Code OAuth token (`claude setup-token`) exported as `BOT_BOTTLE_CLAUDE_OAUTH_TOKEN`.
+On compatible macOS hosts, the default backend requires Apple's `container` CLI and does not require Docker. The smolmachines backend requires Docker on the host for the sidecar bundle plus smolvm. The legacy Docker backend requires Docker. Claude bottles also need a long-lived Claude Code OAuth token (`claude setup-token`) exported as `BOT_BOTTLE_CLAUDE_OAUTH_TOKEN`.
 Use `BOT_BOTTLE_BACKEND=docker ./cli.py start <agent>` on hosts where Apple Container is not installed and Docker is the desired backend.
 ### smolmachines on Linux
 The smolmachines backend runs on Linux as well as macOS. On Linux, `smolvm`/libkrun use KVM, so the host needs:
 - **`/dev/kvm`** present and accessible. Load `kvm-intel` or `kvm-amd` (and enable virtualization in BIOS/firmware). The invoking user must be in the `kvm` group: `sudo usermod -aG kvm "$USER"` then re-login. bot-bottle preflights this and reports exactly what's missing.
 - **`smolvm`** on `PATH`: `curl -sSL https://smolmachines.com/install.sh | sh`.
 - **Docker** for the sidecar bundle and image build, same as macOS.
 Per-bottle isolation works the same as macOS without any `ifconfig`/sudo step — all of `127.0.0.0/8` is already loopback on Linux, so each bottle's sidecar bundle is published on its own `127.0.0.<N>` and TSI's allowlist is scoped to that `/32`.
 ```sh
 BOT_BOTTLE_BACKEND=smolmachines ./cli.py start <agent>
 ```
 > **NixOS:** enable `virtualisation.docker`, ensure the KVM module is loaded (`boot.kernelModules = [ "kvm-intel" ];` or `kvm-amd`), and add your user to the `kvm` and `docker` groups. If you run bottles from a Gitea Actions runner, use a `host`-label runner so Docker, `smolvm`, and `/dev/kvm` are all reachable from the job. `smolvm` isn't in nixpkgs — install the release binary (pin the version) and put it on the runner's `PATH`.
 ```sh
 ./cli.py start <agent>   # builds the image on first run, drops you into claude
 ```
@@ -0,0 +1,211 @@
 """capability_apply — host-side orchestrator for capability-block
 remediation (PRD 0016).
 On approval of a capability-block proposal, the dashboard calls
 apply_capability_change(slug, new_dockerfile) which:
  1. Snapshots the agent's transcript dir to
     ~/.bot-bottle/state/<slug>/transcript/ (best-effort).
  2. Pushes the agent's working tree via `git push` (best-effort —
     no upstream / no commits / no git repo all skip with a log).
  3. Writes the new Dockerfile to
     ~/.bot-bottle/state/<slug>/Dockerfile (PRD 0016 Phase 1
     state). The next `cli.py start <agent>` picks it up.
  4. Force-removes the agent container + all sidecars + the
     per-bottle networks. Idempotent — missing resources are not
     errors.
 Returns (before, after) Dockerfile contents so the dashboard can
 record / render the diff. (capability-block has no audit log per
 PRD 0013 — the per-bottle Dockerfile state is its own record.)
 This is "fire-and-forget" from the agent's perspective: by the time
 the dashboard writes the response file the supervise sidecar is
 gone, so the agent's tool call connection drops without ever
 receiving the response. The replacement agent (next manual
 `cli.py start`) sees the new Dockerfile and starts from there.
 v1 does not auto-relaunch — see PRD 0016's capability-block return
 semantics open question.
 """
 from __future__ import annotations
 import shutil
 import subprocess
 from ...agent_provider import get_provider
 from ...log import info, warn
 from ...bottle_state import (
    mark_preserved,
    per_bottle_dockerfile,
    transcript_snapshot_dir,
    write_per_bottle_dockerfile,
 )
 from .sidecar_bundle import sidecar_bundle_container_name
 # Agent home inside the container (per the repo Dockerfile's
 # `USER node` + `WORKDIR /home/node`). Used to locate the transcript
 # dir + the workspace dir for git push.
 _AGENT_HOME_IN_CONTAINER = "/home/node"
 _AGENT_TRANSCRIPT_IN_CONTAINER = f"{_AGENT_HOME_IN_CONTAINER}/.claude"
 _AGENT_WORKSPACE_IN_CONTAINER = f"{_AGENT_HOME_IN_CONTAINER}/workspace"
 # Per-bottle resource name patterns (mirroring prepare.py).
 def _agent_container_name(slug: str) -> str:
    return f"bot-bottle-{slug}"
 def _per_bottle_container_names(slug: str) -> list[str]:
    """All container names that belong to this bottle. Missing
    containers are silently skipped by the teardown helper, so it's
    fine to include names that don't exist for a given bottle."""
    return [
        _agent_container_name(slug),
        sidecar_bundle_container_name(slug),
    ]
 def _per_bottle_network_names(slug: str) -> list[str]:
    return [
        f"bot-bottle-net-{slug}",
        f"bot-bottle-egress-{slug}",
    ]
 class CapabilityApplyError(RuntimeError):
    """Raised when the apply fails in a way that should keep the
    proposal pending (so the operator can retry). Best-effort
    failures (transcript snapshot, git push) do not raise — they
    just log and proceed."""
 # --- Public helpers --------------------------------------------------------
 def fetch_current_dockerfile(slug: str) -> str:
    """Return the Dockerfile content the next `cli.py start <agent>`
    would use for this bottle. If a per-bottle override exists, that
    one; otherwise the repo's Dockerfile.
    Used by the operator-edit verb to show the current source of
    truth, and by apply_capability_change for the before-diff."""
    override = per_bottle_dockerfile(slug)
    if override is not None:
        return override
    repo_dockerfile = get_provider("claude").dockerfile
    if repo_dockerfile.is_file():
        return repo_dockerfile.read_text()
    raise CapabilityApplyError(
        f"no per-bottle Dockerfile for {slug} and no provider Dockerfile at "
        f"{repo_dockerfile}"
    )
 def apply_capability_change(slug: str, new_dockerfile: str) -> tuple[str, str]:
    """End-to-end capability-block remediation. See module docstring
    for the sequence. Returns (before, after) Dockerfile content."""
    if not new_dockerfile.strip():
        raise CapabilityApplyError("proposed Dockerfile is empty")
    before = fetch_current_dockerfile(slug)
    snapshot_transcript(slug)
    _push_working_tree(slug)
    write_per_bottle_dockerfile(slug, new_dockerfile)
    # Set the preserve marker BEFORE teardown so cli.py's session-end
    # cleanup sees it and keeps the state dir intact for the
    # operator's `cli.py resume <identity>`. Without the marker the
    # state dir would be deleted as part of normal session end.
    mark_preserved(slug)
    _teardown_bottle(slug)
    return before, new_dockerfile
 # --- Internals -------------------------------------------------------------
 def snapshot_transcript(slug: str) -> None:
    """`docker cp` /home/node/.claude out of the agent container into
    ~/.bot-bottle/state/<slug>/transcript/. Best-effort: missing
    container, missing dir, or cp error all log a warning and return.
    The transcript is what `claude --resume` reads to pick up where
    the agent left off.
    Called from two places:
      - capability-apply, before tearing the bottle down.
      - cli.py's session-end path, before the launch context closes,
        so a crash or normal exit also leaves a transcript on disk
        (deleted along with the state dir on clean exit, kept on
        crash or capability-block per the preserve marker)."""
    container = _agent_container_name(slug)
    dest = transcript_snapshot_dir(slug)
    if dest.exists():
        # Remove any prior snapshot so the new one is a clean copy.
        shutil.rmtree(dest, ignore_errors=True)
    dest.parent.mkdir(parents=True, exist_ok=True)
    r = subprocess.run(
        ["docker", "cp", f"{container}:{_AGENT_TRANSCRIPT_IN_CONTAINER}", str(dest)],
        capture_output=True, text=True, check=False,
    )
    if r.returncode != 0:
        warn(
            f"transcript snapshot skipped "
            f"({(r.stderr or '').strip() or 'no transcript dir in container?'})"
        )
        return
    info(f"transcript snapshotted to {dest}")
 def _push_working_tree(slug: str) -> None:
    """`docker exec <agent> git push` from /home/node/workspace.
    Best-effort: not-a-git-repo, no upstream, nothing-to-push, no
    network all log a warning and return. The replacement bottle
    will pick up whatever's actually upstream."""
    container = _agent_container_name(slug)
    r = subprocess.run(
        [
            "docker", "exec", container, "sh", "-c",
            f"cd {_AGENT_WORKSPACE_IN_CONTAINER} && "
            f"git rev-parse --is-inside-work-tree >/dev/null 2>&1 && "
            f"git push origin HEAD 2>&1 || true",
        ],
        capture_output=True, text=True, check=False,
    )
    if r.returncode != 0:
        warn(
            f"capability-apply: git push skipped "
            f"({(r.stderr or '').strip() or 'docker exec failed'})"
        )
        return
    output = (r.stdout or "").strip()
    if output:
        info(f"capability-apply: git push: {output}")
    else:
        info("capability-apply: git push ran (no output — likely not a git workspace)")
 def _teardown_bottle(slug: str) -> None:
    """Force-remove all per-bottle docker resources. Idempotent —
    `docker rm -f` / `docker network rm` silently ignore missing
    names, so this can be called even mid-rebuild."""
    info(f"capability-apply: tearing down bottle {slug}")
    for name in _per_bottle_container_names(slug):
        subprocess.run(
            ["docker", "rm", "-f", name],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
        )
    for net in _per_bottle_network_names(slug):
        subprocess.run(
            ["docker", "network", "rm", net],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
        )
 __all__ = [
    "CapabilityApplyError",
    "apply_capability_change",
    "fetch_current_dockerfile",
    "snapshot_transcript",
 ]
@@ -34,6 +34,7 @@ from ...egress import (
 from ...git_gate import GIT_GATE_HOSTNAME
 from ...log import die, warn
 from ...supervise import (
    CURRENT_CONFIG_DIR_IN_AGENT,
    QUEUE_DIR_IN_CONTAINER,
    SUPERVISE_HOSTNAME,
    SUPERVISE_PORT,
@@ -232,6 +233,15 @@ def _agent_service(plan: DockerBottlePlan) -> dict[str, Any]:
    if plan.use_runsc:
        service["runtime"] = "runsc"
    volumes: list[dict[str, Any]] = []
    if plan.supervise_plan is not None:
        volumes.append(_bind(
            plan.supervise_plan.current_config_dir,
            CURRENT_CONFIG_DIR_IN_AGENT,
        ))
    if volumes:
        service["volumes"] = volumes
    # The init supervisor inside the bundle owns intra-bundle
    # daemon ordering, so the agent only waits for the bundle
    # container itself.
@@ -141,12 +141,10 @@ def _allocate_resources(
 ) -> tuple[str, str]:
    """Reserve a loopback alias and create the per-bottle docker bridge.
-    The per-bottle alias scopes TSI's allowlist to this bottle's
+    macOS only routes 127.0.0.1 by default; the per-bottle alias
-    published ports so the agent can't reach other bottles' or host
+    scopes TSI's allowlist to this bottle's published ports so the
-    services' ports on loopback. On macOS `ensure_pool` first
+    agent can't reach other bottles' or host services' ports on
-    sudo-aliases the pool on `lo0`; on Linux that's a no-op since
+    loopback. No-op on Linux."""
    all of 127.0.0.0/8 is already loopback, but the per-bottle
    allocation runs on both."""
    _loopback.ensure_pool()
    loopback_ip = _loopback.allocate(plan.slug)
    network = _bundle.bundle_network_name(plan.slug)
@@ -192,11 +190,9 @@ def _discover_urls(
    return the plan with URLs + guest_env stamped in.
    Docker container IPs (192.168.x.x in the daemon's bridge)
-    aren't reachable from the smolvm guest — TSI proxies the
+    aren't reachable from the smolvm guest on macOS — TSI uses
-    guest's connects through the host, and the host reaches the
+    macOS networking, and macOS sees the daemon's bridge via the
-    bundle only via its published-port loopback forward (the
+    published-port loopback forward only.
    daemon's bridge isn't on the TSI allowlist). The agent dials
    the published port on the per-bottle loopback alias.
    NO_PROXY includes the per-bottle loopback alias so the
    supervise + git-gate URLs bypass HTTPS_PROXY."""
@@ -256,11 +252,10 @@ def _launch_vm(
    """Create, patch, and start the smolvm VM; register teardown.
    --allow-cidr is the per-bottle loopback alias so the guest can
-    only reach this bottle's bundle ports. force_allowlist then
+    only reach this bottle's bundle ports. force_allowlist patches
-    confirms the allowlist persisted (patching smolvm 0.8.0's
+    smolvm 0.8.0's silent-drop of --allow-cidr when combined with
-    silent-drop of --allow-cidr when combined with --from) and
+    --from. Smolfile isn't usable here — smolvm 0.8.0 makes --from
-    fails closed if it can't. Smolfile isn't usable here — smolvm
+    and --smolfile mutually exclusive."""
    0.8.0 makes --from and --smolfile mutually exclusive."""
    _smolvm.machine_create(
        plan.machine_name,
        from_path=agent_from_path,
@@ -268,10 +263,9 @@ def _launch_vm(
        env=plan.guest_env,
    )
    stack.callback(_smolvm.machine_delete, plan.machine_name)
-    # Confirm the booted VM's TSI allowlist will actually enforce the
+    # Workaround smolvm 0.8.0: `--allow-cidr` is silently dropped
-    # /32 before start (smolvm 0.8.0 silently drops `--allow-cidr`
+    # when combined with `--from`. Patch the persisted state DB
-    # with `--from`, so the persisted state DB is patched if needed).
+    # before start so the booted VM's TSI actually enforces.
    # Fails closed if enforcement can't be confirmed.
    _loopback.force_allowlist(plan.machine_name, [f"{loopback_ip}/32"])
    _smolvm.machine_start(plan.machine_name)
    stack.callback(_smolvm.machine_stop, plan.machine_name)
@@ -281,9 +275,7 @@ def _init_vm(plan: SmolmachinesBottlePlan) -> None:
    """Repair filesystem ownership and wait for exec channel readiness.
    Ownership repair: smolvm's pack process remaps files to the host
-    invoker's uid (e.g. 501 on macOS, 1000 on Linux). The chowns use
+    invoker's uid (501 on macOS). /home/node must be node:node so
    names not numbers so they're correct on either. /home/node must
    be node:node so
    Claude Code can write ~/.claude.json; /tmp + /var/tmp need root
    mode 1777 so non-root processes can create per-uid scratch dirs.
    All folded into one sh -c to avoid back-to-back exec calls
@@ -33,13 +33,10 @@ sudo-add the missing pool on first use per boot — the aliases
 persist on `lo0` until reboot, so subsequent launches don't
 prompt.
-On Linux the whole `127.0.0.0/8` is already routed to `lo`, so
+Linux native daemons share the host's network namespace; the
-docker can publish a bundle's ports directly on `127.0.0.<N>`
+whole `127.0.0.0/8` is reachable by default and aliases are
-with no `ifconfig`/sudo step. `ensure_pool` is therefore a no-op
+unnecessary. The pool logic detects native-Linux and skips sudo
-on Linux, but per-bottle alias *allocation* and the TSI allowlist
+entirely; the DB patch is also gated on macOS.
 DB patch run on both platforms — the isolation property is
 identical, it's just cheaper to set up on Linux. The state-DB
 path differs per platform (see `_smolvm_db_path`).
 Allocation is coordinated by inspecting running bundle
 containers' published host IPs — each bottle's bundle owns the
@@ -50,7 +47,6 @@ from __future__ import annotations
 import fcntl
 import json
 import os
 import platform
 import re
 import sqlite3
@@ -61,34 +57,20 @@ from typing import Iterable
 from ...log import die, info
-def _smolvm_db_path() -> Path:
+# smolvm's persistent VM state on macOS — a SQLite DB whose `vms`
-    """smolvm's persistent VM state — a SQLite DB whose `vms` table
+# table holds one JSON BLOB per machine. The Linux path is
-    holds one JSON BLOB per machine. macOS stores it under
+# different, but smolmachines is macOS-only in v1 (PRD 0023) so
-    `Application Support`; Linux follows the XDG base-dir spec
+# we hard-code this. If the file moves under us we'll see a
-    (`$XDG_DATA_HOME`, default `~/.local/share`).
+# clear FileNotFoundError; not worth defensive cross-platform
-
+# detection until the backend actually needs Linux.
-    NOTE: the Linux location is inferred from smolvm's documented
+_SMOLVM_DB_PATH = (
    `~/.local/share` install layout and must be confirmed against a
    real Linux smolvm install. If it's wrong, `force_allowlist`'s
    fail-closed check turns it into a clear launch-time error rather
    than a silent escape."""
    if platform.system() == "Darwin":
        return (
    Path.home()
    / "Library"
    / "Application Support"
    / "smolvm"
    / "server"
    / "smolvm.db"
-        )
+)
    xdg_data = os.environ.get("XDG_DATA_HOME")
    base = Path(xdg_data) if xdg_data else Path.home() / ".local" / "share"
    return base / "smolvm" / "server" / "smolvm.db"
 # Resolved once at import: the host platform doesn't change within a
 # process. Tests patch this attribute directly.
 _SMOLVM_DB_PATH = _smolvm_db_path()
 # Sixteen aliases by default. Tunable for hosts that want more
@@ -149,64 +131,30 @@ def ensure_pool() -> None:
 def force_allowlist(machine_name: str, allowed_cidrs: list[str]) -> None:
-    """Ensure the machine's persisted TSI allowlist equals
+    """Patch smolvm's persistent VM-state DB to set the machine's
-    `allowed_cidrs`, failing **closed** if that can't be confirmed.
+    `allowed_cidrs` to the given list. Workaround for smolvm
    0.8.0's silent-drop of `--allow-cidr` when used with `--from`.
-    Runs on both macOS and Linux. It exists because smolvm 0.8.0
+    Must run AFTER `smolvm machine create` (the row has to
-    silently drops `--allow-cidr` when combined with `--from`, so
+    exist) and BEFORE `smolvm machine start` (smolvm reads the
-    the allowlist has to be written into smolvm's persistent state
+    row on start; in-flight VMs don't pick up changes). Once
-    DB before `machine start`. Rather than assume the flag was
+    smolvm honors the CLI flag upstream this whole function is
-    dropped, we read the persisted row and only patch when it
+    redundant — flag-respecting create + remove this call from
-    doesn't already match — so a newer smolvm that honors the flag
+    launch.
    is left untouched.
-    Must run AFTER `smolvm machine create` (the row has to exist)
+    No-op on non-macOS — the DB path differs and the Linux
-    and BEFORE `smolvm machine start` (smolvm reads the row on
+    smolmachines code path isn't exercised in v1."""
-    start; in-flight VMs don't pick up changes).
+    if not _is_macos():
-
+        return
    Fail-closed: if the state DB is missing, the row is missing, or
    the allowlist still doesn't match after patching, we `die()`
    rather than boot a VM whose egress confinement we can't verify
    — an unconfirmed allowlist is a sandbox-escape risk (the agent
    VM could reach all of host loopback)."""
    want = list(allowed_cidrs)
    if not _SMOLVM_DB_PATH.is_file():
        die(
-            f"smolvm state DB not found at {_SMOLVM_DB_PATH}; cannot "
+            f"smolvm state DB not found at {_SMOLVM_DB_PATH}. "
-            f"confirm the TSI allowlist is enforced. Refusing to launch "
+            f"smolvm 0.8.0 expected? `smolvm --version` to check."
            f"(fail-closed). Check `smolvm --version` and the DB "
            f"location for your platform."
        )
    con = sqlite3.connect(str(_SMOLVM_DB_PATH))
    try:
-        cfg = _read_machine_cfg(con, machine_name)
+        cur = con.cursor()
-        if cfg.get("allowed_cidrs") != want:
+        row = cur.execute(
            cfg["allowed_cidrs"] = want
            # Write as BLOB (the column type smolvm uses) — passing a
            # plain str makes sqlite store it as Text and smolvm then
            # fails to read it.
            con.execute(
                "UPDATE vms SET data = ? WHERE name = ?",
                (sqlite3.Binary(json.dumps(cfg).encode()), machine_name),
            )
            con.commit()
            cfg = _read_machine_cfg(con, machine_name)
        if cfg.get("allowed_cidrs") != want:
            die(
                f"could not enforce TSI allowlist {want!r} for machine "
                f"{machine_name!r} (persisted value is "
                f"{cfg.get('allowed_cidrs')!r}). Refusing to launch "
                f"(fail-closed)."
            )
    finally:
        con.close()
 def _read_machine_cfg(con: sqlite3.Connection, machine_name: str) -> dict[str, object]:
    """Read + JSON-decode a machine's `data` BLOB from the smolvm
    state DB. Dies (fail-closed) if the row is missing — the caller
    can't confirm enforcement without it."""
    row = con.execute(
            "SELECT data FROM vms WHERE name = ?", (machine_name,),
        ).fetchone()
        if row is None:
@@ -214,7 +162,18 @@ def _read_machine_cfg(con: sqlite3.Connection, machine_name: str) -> dict[str, o
                f"smolvm DB has no row for machine {machine_name!r} — "
                f"machine_create must run before force_allowlist."
            )
-    return json.loads(row[0])
+        cfg = json.loads(row[0])
        cfg["allowed_cidrs"] = list(allowed_cidrs)
        # Write as BLOB (the column type smolvm uses) — passing a
        # plain str makes sqlite store it as Text and smolvm then
        # fails to read it.
        cur.execute(
            "UPDATE vms SET data = ? WHERE name = ?",
            (sqlite3.Binary(json.dumps(cfg).encode()), machine_name),
        )
        con.commit()
    finally:
        con.close()
 def allocate(_slug: str) -> str:
@@ -225,17 +184,16 @@ def allocate(_slug: str) -> str:
    used (no on-disk reservation, allocation is purely
    docker-state-driven).
-    Runs on both platforms: the allocation logic (docker-state
+    On non-macOS the whole `127.0.0.0/8` is loopback by default;
-    inspection + the file lock) is platform-independent. macOS
+    `127.0.0.1` is fine to share and we skip the alias dance.
-    needs `ensure_pool` to have aliased the addresses on `lo0`
+    This still returns a deterministic address so launch.py's
-    first; on Linux all of `127.0.0.0/8` is already loopback, so
+    callers don't have to branch on platform.
    docker can publish on the chosen `127.0.0.<N>` with no setup.
    Per-bottle scoping (so the agent can't reach other bottles' or
    host services' loopback ports) therefore holds on both.
    An exclusive file lock serialises concurrent calls so two
    simultaneous launches don't read the same docker state and
    claim the same alias."""
    if not _is_macos():
        return "127.0.0.1"
    _ALLOC_LOCK_PATH.parent.mkdir(parents=True, exist_ok=True)
    with open(_ALLOC_LOCK_PATH, "w", encoding="utf-8") as lf:
        fcntl.flock(lf, fcntl.LOCK_EX)
@@ -5,28 +5,19 @@ unit-tested without importing the docker subprocess paths."""
 from __future__ import annotations
 import hashlib
 import os
 import platform
 import shutil
 from ...log import die
 # libkrun's Linux backend drives the guest through KVM, so the host
 # must expose `/dev/kvm` and the invoking user must be able to open
 # it. macOS uses Hypervisor.framework and needs no device node.
 _KVM_DEVICE = "/dev/kvm"
 def smolmachines_preflight() -> None:
-    """Ensure the host can run the smolmachines backend before the
+    """Ensure `smolvm` is on PATH before the launch flow runs.
-    launch flow starts. Called from `_resolve_plan`; surfaces a
+    Called from `_resolve_plan`; gives the operator a clear
-    clear, actionable error instead of a cryptic `smolvm` failure
+    install pointer rather than a cryptic FileNotFoundError
-    deep in launch.
+    later. `gvproxy` is no longer required — see the PRD's design
-
+    pivot section."""
-    Checks `smolvm` is on PATH (both platforms) and, on Linux,
+    if shutil.which("smolvm") is not None:
-    that `/dev/kvm` exists and is accessible. `gvproxy` is no
+        return
    longer required — see the PRD's design pivot section."""
    if shutil.which("smolvm") is None:
    die(
        "BOT_BOTTLE_BACKEND=smolmachines requires `smolvm` on "
        "PATH. Install with: "
@@ -34,29 +25,6 @@ def smolmachines_preflight() -> None:
        "To use the legacy Docker backend instead, set "
        "BOT_BOTTLE_BACKEND=docker or pass --backend=docker."
    )
    if platform.system() == "Linux":
        _preflight_kvm()
 def _preflight_kvm() -> None:
    """Linux-only: libkrun needs `/dev/kvm`. Distinguish 'KVM not
    enabled' from 'no permission' so the operator knows which to
    fix."""
    if not os.path.exists(_KVM_DEVICE):
        die(
            f"BOT_BOTTLE_BACKEND=smolmachines needs {_KVM_DEVICE} on "
            "Linux but it is missing. Enable KVM: load the kvm-intel "
            "or kvm-amd kernel module (and confirm virtualization is "
            "enabled in BIOS/firmware). To use the legacy Docker "
            "backend instead, set BOT_BOTTLE_BACKEND=docker."
        )
    if not os.access(_KVM_DEVICE, os.R_OK | os.W_OK):
        die(
            f"{_KVM_DEVICE} exists but is not readable/writable by the "
            "current user. Add your user to the `kvm` group "
            "(`sudo usermod -aG kvm \"$USER\"`) and re-login, or run "
            "with access to the device."
        )
 def smolmachines_bundle_subnet(slug: str) -> tuple[str, str, str]:
@@ -1,7 +1,8 @@
-"""Per-bottle persistent state.
+"""Per-bottle persistent state (PRD 0016).
-Holds optional per-bottle Dockerfile overrides, the transcript snapshot
+Holds the per-bottle Dockerfile override that capability-block
-the state-preservation helper saves before teardown, and the launch metadata that lets
+remediation writes, the transcript snapshot the state-preservation
 helper saves before teardown, and the launch metadata that lets
 `cli.py resume <identity>` reconstruct a bottle's spec. State
 lives at:
@@ -60,7 +61,7 @@ _METADATA_NAME = "metadata.json"
 _LIVE_CONFIG_SUBDIR = "live-config"
 LIVE_CONFIG_ROUTES_NAME = "routes.yaml"
 LIVE_CONFIG_ALLOWLIST_NAME = "allowlist"
-# Empty marker file. Session preservation writes it before teardown so
+# Empty marker file. capability_apply writes it before teardown so
 # cli.py's session-end cleanup knows to preserve the state dir for
 # `cli.py resume <identity>`. Absent = clean up.
 _PRESERVE_MARKER = ".preserve"
@@ -163,7 +164,8 @@ def per_bottle_dockerfile_path(identity: str) -> Path:
 def per_bottle_dockerfile(identity: str) -> str | None:
    """Return the per-bottle Dockerfile content if present, else
-    None. None means: use the provider or manifest Dockerfile."""
+    None. None means: use the repo's Dockerfile (the original
    pre-capability-block behavior)."""
    p = per_bottle_dockerfile_path(identity)
    if p.is_file():
        return p.read_text()
@@ -247,7 +249,9 @@ def write_live_config(
 def transcript_snapshot_dir(identity: str) -> Path:
-    """Where agent session snapshots are kept for resume flows."""
+    """Where capability_apply stashes the agent's transcript before
    teardown, so the next `cli.py start <agent>` can offer to
    resume from it."""
    return bottle_state_dir(identity) / _TRANSCRIPT_SUBDIR
@@ -274,7 +278,8 @@ def git_gate_state_dir(identity: str) -> Path:
 def supervise_state_dir(identity: str) -> Path:
-    """State subdir reserved for supervise sidecar bind-mount sources.
+    """State subdir for the supervise sidecar's current-config dir
    (bind-mounted into the agent at /etc/bot-bottle/current-config).
    The queue dir is intentionally NOT under here — it lives at
    ~/.bot-bottle/queue/<slug>/ alongside the audit logs, so it
    survives state-dir cleanup."""
@@ -296,8 +301,9 @@ def preserve_marker_path(identity: str) -> Path:
 def mark_preserved(identity: str) -> Path:
    """Mark this bottle's state for preservation across session
-    teardown so cli.py's session-end cleanup leaves the state dir
+    teardown. Written by capability_apply.apply_capability_change so
-    intact for a subsequent `cli.py resume`."""
+    cli.py's session-end cleanup leaves the state dir intact for a
    subsequent `cli.py resume`."""
    path = preserve_marker_path(identity)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.touch()
@@ -310,7 +316,7 @@ def is_preserved(identity: str) -> bool:
 def clear_preserve_marker(identity: str) -> None:
    """Idempotent removal. Called at fresh launch (start or resume)
-    so a marker left from a prior preserved session doesn't keep
+    so a marker left from a prior capability-block doesn't keep
    state alive past the next normal session-end."""
    try:
        preserve_marker_path(identity).unlink()
@@ -13,8 +13,9 @@ dirs are shared layout, so docker is the single owner of that
 bucket.
 State dirs with `.preserve` are intentionally never touched — they
-hold preserved sessions the operator may want to `resume`. Manual
+hold capability-block rebuilds or crash snapshots the operator may
-`rm -rf ~/.bot-bottle/state/<identity>` is the path for those.
+want to `resume`. Manual `rm -rf ~/.bot-bottle/state/<identity>`
 is the path for those.
 """
 from __future__ import annotations
@@ -4,12 +4,13 @@ Reads ~/.bot-bottle/state/<identity>/metadata.json to recover the
 (agent_name, cwd, copy_cwd) the bottle was originally started with,
 then runs the same launch core as `start` — but pinned to the
 recorded identity so the new bottle picks up any per-bottle Dockerfile
-override and transcript snapshot under the same state dir.
+(from capability-block apply) and transcript snapshot under the same
 state dir.
-Use case: an interrupted or preserved bottle needs to be relaunched;
+Use case: an agent calls capability-block, the dashboard approves
-the operator runs
+and tears down the bottle, the operator runs
    ./cli.py resume <identity>
-to bring up the replacement from the recorded state.
+to bring up the replacement with the new capabilities baked in.
 """
 from __future__ import annotations
@@ -31,6 +31,7 @@ from ..bottle_state import (
    is_preserved,
    mark_preserved,
 )
 # from ..backend.docker.capability_apply import snapshot_transcript
 from ..log import info
 from ..manifest import ManifestIndex
 from ._common import PROG, USER_CWD, read_tty_line
@@ -256,8 +257,12 @@ def _launch_bottle(
            )
            # While the container is still alive: always snapshot the
            # transcript and — if the agent exited non-zero — mark
-            # the state for preservation. This picks up crashes /
+            # the state for preservation. Capability-block already
-            # Ctrl-Cs / OOM kills before cleanup removes the state dir.
+            # did both before triggering teardown from the dashboard;
            # this picks up crashes / Ctrl-Cs / OOM kills the same
            # way. snapshot_transcript is best-effort so the
            # capability-block path's prior snapshot isn't clobbered
            # when the container is already gone.
            if agent_provider_template == "claude":
                capture_claude_session_state(identity, exit_code)
        return 0
@@ -21,7 +21,7 @@ FROM node:22-slim
 # to it) works against egress's bumped TLS without the agent needing
 # local DNS.
 RUN apt-get update \
-  && apt-get install -y --no-install-recommends git ca-certificates curl ripgrep \
+  && apt-get install -y --no-install-recommends git ca-certificates curl \
  && rm -rf /var/lib/apt/lists/*
 # App-specific deps. Python isn't required by claude-code itself
@@ -6,7 +6,7 @@
 FROM node:22-slim
 RUN apt-get update \
-  && apt-get install -y --no-install-recommends git ca-certificates curl procps ripgrep \
+  && apt-get install -y --no-install-recommends git ca-certificates curl procps \
  && rm -rf /var/lib/apt/lists/*
 # App-specific deps. Python isn't required by codex itself
@@ -21,11 +21,6 @@ from pathlib import Path
 from ...deploy_key_provisioner import DeployKeyCollisionError, DeployKeyProvisioner
 # Timeout for ssh-keygen and Gitea API HTTP calls. A hung Gitea instance at
 # prepare time would stall bottle launch indefinitely without this bound.
 _API_TIMEOUT_SECS = 30
 _KEYGEN_TIMEOUT_SECS = 10
 class GiteaDeployKeyProvisioner(DeployKeyProvisioner):
    """Manages deploy keys on a Gitea instance."""
@@ -51,7 +46,6 @@ class GiteaDeployKeyProvisioner(DeployKeyProvisioner):
                check=True,
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
                timeout=_KEYGEN_TIMEOUT_SECS,
            )
            private_key = key_path.read_bytes()
            public_key = key_path.with_suffix(".pub").read_text().strip()
@@ -73,7 +67,7 @@ class GiteaDeployKeyProvisioner(DeployKeyProvisioner):
            method="POST",
        )
        try:
-            with urllib.request.urlopen(req, timeout=_API_TIMEOUT_SECS) as resp:
+            with urllib.request.urlopen(req) as resp:
                body = json.loads(resp.read())
        except urllib.error.HTTPError as exc:
            _body = _read_error_body(exc)
@@ -104,7 +98,7 @@ class GiteaDeployKeyProvisioner(DeployKeyProvisioner):
            method="DELETE",
        )
        try:
-            with urllib.request.urlopen(req, timeout=_API_TIMEOUT_SECS):
+            with urllib.request.urlopen(req):
                pass
        except urllib.error.HTTPError as exc:
            if exc.code == 404:
@@ -210,17 +210,6 @@ def egress_token_env_map(
    return out
 def _yaml_str_escape(s: str) -> str:
    """Escape a string for use inside a YAML double-quoted scalar."""
    return (
        s.replace("\\", "\\\\")
         .replace('"', '\\"')
         .replace("\n", "\\n")
         .replace("\r", "\\r")
         .replace("\t", "\\t")
    )
 def _route_to_yaml_fields(r: Route) -> dict[str, object]:
    fields: dict[str, object] = {"host": r.host}
    if r.auth_scheme and r.token_env:
@@ -283,12 +272,12 @@ def _render_match_entry(entry: dict[str, object]) -> list[str]:
        for pd in entry["paths"]:  # type: ignore[union-attr]
            pd_dict: dict[str, str] = pd  # type: ignore[assignment]
            if "type" in pd_dict:
-                lines.append(f'          - type: "{_yaml_str_escape(pd_dict["type"])}"')
+                lines.append(f'          - type: "{pd_dict["type"]}"')
-                lines.append(f'            value: "{_yaml_str_escape(pd_dict["value"])}"')
+                lines.append(f'            value: "{pd_dict["value"]}"')
            else:
-                lines.append(f'          - value: "{_yaml_str_escape(pd_dict["value"])}"')
+                lines.append(f'          - value: "{pd_dict["value"]}"')
    if "methods" in entry:
-        methods_str = ", ".join(f'"{_yaml_str_escape(m)}"' for m in entry["methods"])  # type: ignore[union-attr]
+        methods_str = ", ".join(f'"{m}"' for m in entry["methods"])  # type: ignore[union-attr]
        prefix = "      - " if first_key else "        "
        lines.append(f'{prefix}methods: [{methods_str}]')
        first_key = False
@@ -298,8 +287,8 @@ def _render_match_entry(entry: dict[str, object]) -> list[str]:
        first_key = False
        for hd in entry["headers"]:  # type: ignore[union-attr]
            hd_dict: dict[str, str] = hd  # type: ignore[assignment]
-            lines.append(f'          - name: "{_yaml_str_escape(hd_dict["name"])}"')
+            lines.append(f'          - name: "{hd_dict["name"]}"')
-            lines.append(f'            value: "{_yaml_str_escape(hd_dict["value"])}"')
+            lines.append(f'            value: "{hd_dict["value"]}"')
    if first_key:
        lines.append("      - {}")
    return lines
@@ -319,10 +308,10 @@ def egress_render_routes(
        return "\n".join(lines) + "\n"
    for r in routes:
        f = _route_to_yaml_fields(r)
-        lines.append(f'  - host: "{_yaml_str_escape(str(f["host"]))}"')
+        lines.append(f'  - host: "{f["host"]}"')
        if "auth_scheme" in f:
-            lines.append(f'    auth_scheme: "{_yaml_str_escape(str(f["auth_scheme"]))}"')
+            lines.append(f'    auth_scheme: "{f["auth_scheme"]}"')
-            lines.append(f'    token_env: "{_yaml_str_escape(str(f["token_env"]))}"')
+            lines.append(f'    token_env: "{f["token_env"]}"')
        if "matches" in f:
            lines.append("    matches:")
            for entry in f["matches"]:  # type: ignore[union-attr]
@@ -342,7 +331,7 @@ def egress_render_routes(
                    items_str = ", ".join(f'"{x}"' for x in dv)
                    lines.append(f"      {dk}: [{items_str}]")
                elif isinstance(dv, str):
-                    lines.append(f'      {dk}: "{_yaml_str_escape(dv)}"')
+                    lines.append(f'      {dk}: "{dv}"')
    return "\n".join(lines) + "\n"
@@ -43,10 +43,10 @@ from .manifest import ManifestBottle, ManifestGitEntry
 # Short network alias for git-gate inside the sidecar bundle. The
 # agent's `.gitconfig` insteadOf rewrites resolve through this name.
 GIT_GATE_HOSTNAME = "git-gate"
-# Shared timeout (seconds) for all git-gate subprocess and CGI calls:
+# Bound half-open git client sessions. If an agent/tool runner is
-# git daemon (--timeout/--init-timeout), the access-hook subprocess in
+# interrupted during push, git daemon should reap the receive-pack
-# git_http_backend, and the git http-backend CGI subprocess.
+# child instead of keeping the gate wedged indefinitely.
-GIT_GATE_TIMEOUT_SECS = 15
+GIT_GATE_DAEMON_TIMEOUT_SECS = 15
@dataclass(frozen=True)
@@ -112,15 +112,6 @@ def git_gate_upstreams_for_bottle(bottle: ManifestBottle) -> tuple[GitGateUpstre
    )
 def _gitconfig_validate_value(field: str, value: str) -> None:
    """Raise ValueError if value contains characters that break gitconfig line syntax."""
    if "\n" in value or "\r" in value:
        raise ValueError(
            f"git-gate: {field} contains a newline, which would inject "
            f"arbitrary gitconfig keys; rejecting manifest entry"
        )
 def git_gate_render_gitconfig(
    entries: tuple[ManifestGitEntry, ...], gate_host: str, *, scheme: str = "git",
 ) -> str:
@@ -145,7 +136,6 @@ def git_gate_render_gitconfig(
        "# fetch-from-upstream-before-every-upload-pack via access-hook).\n",
    ]
    for entry in entries:
        _gitconfig_validate_value(f"repos[{entry.Name!r}].url", entry.Upstream)
        out.append(f'[url "{scheme}://{gate_host}/{entry.Name}.git"]\n')
        out.append(f"\tinsteadOf = {entry.Upstream}\n")
        if entry.RemoteKey and entry.RemoteKey != entry.UpstreamHost:
@@ -158,7 +148,6 @@ def git_gate_render_gitconfig(
                f"ssh://{entry.UpstreamUser}@{entry.RemoteKey}{port}/"
                f"{entry.UpstreamPath}"
            )
            _gitconfig_validate_value(f"repos[{entry.Name!r}].url (resolved alias)", alias)
            out.append(f"\tinsteadOf = {alias}\n")
    return "".join(out)
@@ -228,8 +217,8 @@ def git_gate_render_entrypoint(upstreams: tuple[GitGateUpstream, ...]) -> str:
        "",
        "exec git daemon \\",
        "  --reuseaddr \\",
-        f"  --timeout={GIT_GATE_TIMEOUT_SECS} \\",
+        f"  --timeout={GIT_GATE_DAEMON_TIMEOUT_SECS} \\",
-        f"  --init-timeout={GIT_GATE_TIMEOUT_SECS} \\",
+        f"  --init-timeout={GIT_GATE_DAEMON_TIMEOUT_SECS} \\",
        "  --base-path=/git \\",
        "  --export-all \\",
        "  --enable=receive-pack \\",
@@ -16,8 +16,6 @@ from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
 from pathlib import Path
 from urllib.parse import urlsplit
 from .git_gate import GIT_GATE_TIMEOUT_SECS
 DEFAULT_PORT = 9420
@@ -49,7 +47,6 @@ class GitHttpHandler(BaseHTTPRequestHandler):
                [hook_path, "upload-pack", str(repo_dir), peer, peer],
                capture_output=True,
                check=False,
                timeout=GIT_GATE_TIMEOUT_SECS,
            )
            if hook.returncode != 0:
                detail = (hook.stderr or hook.stdout).decode(
@@ -113,7 +110,6 @@ class GitHttpHandler(BaseHTTPRequestHandler):
            env=env,
            capture_output=True,
            check=False,
            timeout=GIT_GATE_TIMEOUT_SECS,
        )
        self._write_cgi_response(proc.stdout)
@@ -152,13 +148,7 @@ class GitHttpHandler(BaseHTTPRequestHandler):
            key, _, value = line.decode("latin1").partition(":")
            value = value.strip()
            if key.lower() == "status":
                try:
                status = int(value.split()[0])
                except (ValueError, IndexError):
                    self.log_message(
                        "malformed CGI Status header %r; using 500", value,
                    )
                    status = 500
            else:
                headers.append((key, value))
        self.send_response(status)
@@ -113,8 +113,10 @@ class ManifestBottle:
    egress: ManifestEgressConfig = field(default_factory=ManifestEgressConfig)
    # Per-bottle stuck-recovery sidecar (PRD 0013). When true (the
    # default, issue #249), the launch step brings up a supervise
-    # sidecar that exposes egress MCP tools to the agent. Set
+    # sidecar that exposes MCP tools to the agent (egress-block,
-    # `supervise: false` to skip the sidecar.
+    # capability-block) plus mounts the current-config dir read-only
    # into the agent at /etc/bot-bottle/current-config. Set
    # `supervise: false` to skip the sidecar and mount.
    supervise: bool = True
    @classmethod
@@ -49,125 +49,33 @@ def _resolve_one_bottle(
        repos_cache[name] = _resolve_repos_raw({}, child_raw)
        return bottle
-    # Normalize to list, accepting both str and list[str].
+    if not isinstance(parent_name_raw, str):
    raw_list: list[object]
    if isinstance(parent_name_raw, str):
        raw_list = [parent_name_raw]
    elif isinstance(parent_name_raw, list):
        raw_list = parent_name_raw
    else:
        raise ManifestError(
-            f"bottle '{name}' extends must be a string or list of strings "
+            f"bottle '{name}' extends must be a string "
            f"(was {type(parent_name_raw).__name__})"
        )
-
+    parent_name: str = parent_name_raw
-    # Validate each entry before resolving any of them.
+    if parent_name == name:
    parent_names: list[str] = []
    for i, pname in enumerate(raw_list):
        if not isinstance(pname, str):
        raise ManifestError(
-                f"bottle '{name}' extends[{i}] must be a string "
+            f"bottle '{name}' extends itself; remove the "
-                f"(was {type(pname).__name__})"
+            f"self-reference"
        )
-        parent_names.append(pname)
+    if parent_name not in raws:
        if pname == name:
            raise ManifestError(
                f"bottle '{name}' extends itself; remove the self-reference"
            )
        if pname not in raws:
        avail = ", ".join(sorted(raws.keys())) or "(none)"
        raise ManifestError(
-                f"bottle '{name}' extends '{pname}' which is not "
+            f"bottle '{name}' extends '{parent_name}' which is not "
            f"defined. Available bottles: {avail}"
        )
-
+    parent = _resolve_one_bottle(
-    combined_parent, combined_repos_raw = _fold_parents(
+        parent_name, raws, cache, repos_cache, seen + (name,)
        parent_names, raws, cache, repos_cache, seen + (name,)
    )
-    merged_repos_raw = _resolve_repos_raw(combined_repos_raw, child_raw)
+    merged_repos_raw = _resolve_repos_raw(repos_cache[parent_name], child_raw)
-    bottle = _merge_bottles(combined_parent, child_raw, merged_repos_raw, name)
+    bottle = _merge_bottles(parent, child_raw, merged_repos_raw, name)
    cache[name] = bottle
    repos_cache[name] = merged_repos_raw
    return bottle
 def _fold_parents(
    parent_names: list[str],
    raws: dict[str, dict[str, object]],
    cache: dict[str, ManifestBottle],
    repos_cache: dict[str, dict[str, object]],
    seen: tuple[str, ...],
 ) -> tuple[ManifestBottle, dict[str, object]]:
    """Resolve each parent and fold them left-to-right.
    Later parents win over earlier ones on conflict.  The `seen` tuple
    carries the current bottle's name so cycle detection works across
    every parent edge in the multi-parent graph."""
    first = parent_names[0]
    effective = _resolve_one_bottle(first, raws, cache, repos_cache, seen)
    effective_repos_raw = repos_cache[first]
    for pname in parent_names[1:]:
        later = _resolve_one_bottle(pname, raws, cache, repos_cache, seen)
        later_repos_raw = repos_cache[pname]
        effective, effective_repos_raw = _fold_two_bottles(
            effective, effective_repos_raw, later, later_repos_raw
        )
    return effective, effective_repos_raw
 def _fold_two_bottles(
    earlier: ManifestBottle,
    earlier_repos_raw: dict[str, object],
    later: ManifestBottle,
    later_repos_raw: dict[str, object],
 ) -> tuple[ManifestBottle, dict[str, object]]:
    """Combine two resolved parent bottles; later wins over earlier."""
    from .manifest import ManifestBottle, ManifestGitUser
    from .manifest_egress import ManifestEgressConfig
    from .manifest_git import parse_git_gate_config
    from .manifest_util import as_json_object
    merged_env = {**earlier.env, **later.env}
    merged_git_user = ManifestGitUser(
        name=later.git_user.name or earlier.git_user.name,
        email=later.git_user.email or earlier.git_user.email,
    )
    # Repos: union by name; for same-name entries, later wins per-field.
    # Unlike _resolve_repos_raw, an empty later_repos_raw means "no repos
    # declared" — it does NOT clear the earlier parent's repos.
    names = list(earlier_repos_raw) + [
        n for n in later_repos_raw if n not in earlier_repos_raw
    ]
    merged_repos_raw: dict[str, object] = {
        n: {
            **as_json_object(earlier_repos_raw.get(n, {}), "earlier parent repo"),
            **as_json_object(later_repos_raw.get(n, {}), "later parent repo"),
        }
        for n in names
    }
    if merged_repos_raw:
        merged_git, _ = parse_git_gate_config("_fold", {"repos": merged_repos_raw})
    else:
        merged_git = ()
    # Egress: routes concatenate; scalar fields use last-wins.
    merged_egress = ManifestEgressConfig(
        routes=earlier.egress.routes + later.egress.routes,
        Log=later.egress.Log,
    )
    return ManifestBottle(
        env=merged_env,
        agent_provider=later.agent_provider,
        git=merged_git,
        git_user=merged_git_user,
        egress=merged_egress,
        supervise=later.supervise,
    ), merged_repos_raw
 def _merge_bottles(
    parent: ManifestBottle,
    child_raw: dict[str, object],
@@ -87,7 +87,5 @@ def load_bottle_chain_from_dir(
        parent = fm.get("extends")
        if isinstance(parent, str):
            to_load.append(parent)
        elif isinstance(parent, list):
            to_load.extend(p for p in parent if isinstance(p, str))
    return resolve_bottles(raws)[bottle_name]
@@ -2,10 +2,11 @@
 The supervise plane is the per-bottle MCP sidecar plus its host-side
 queue/audit support. The sidecar (bot_bottle.supervise_server)
-sits on the bottle's internal network and exposes MCP tools the agent
+sits on the bottle's internal network and exposes three MCP tools the
-calls when it needs an operator-reviewed egress change:
+agent calls when it hits a stuck-recovery category:
  * egress-block / allow — agent proposes a new routes.yaml
  * capability-block — agent proposes a new agent Dockerfile
 Each tool call: the agent passes the full proposed file plus a
 justification text. The sidecar validates the proposal syntactically,
@@ -47,6 +48,7 @@ from pathlib import Path
 SUPERVISE_HOSTNAME = "supervise"
 SUPERVISE_PORT = 9100
 TOOL_CAPABILITY_BLOCK = "capability-block"
 TOOL_EGRESS_BLOCK = "egress-block"
 TOOL_EGRESS_ALLOW = "egress-allow"
 TOOL_GITLEAKS_ALLOW = "gitleaks-allow"
@@ -56,6 +58,7 @@ TOOL_EGRESS_TOKEN_ALLOW = "egress-token-allow"
 TOOL_LIST_EGRESS_ROUTES = "list-egress-routes"
 TOOLS: tuple[str, ...] = (
    TOOL_EGRESS_ALLOW,
    TOOL_CAPABILITY_BLOCK,
    TOOL_EGRESS_BLOCK,
    TOOL_GITLEAKS_ALLOW,
    TOOL_EGRESS_TOKEN_ALLOW,
@@ -72,6 +75,10 @@ TOOLS: tuple[str, ...] = (
 EGRESS_FORWARD_PROXY = "http://127.0.0.1:9099"
 EGRESS_INTROSPECT_URL = "http://_egress.local/allowlist"
 # capability-block has no on-disk config the operator edits in place
 # (the Dockerfile is rebuilt, not patched), so it has no audit log
 # here — those changes are captured by git history + the rebuild record
 # laid down in PRD 0016.
 COMPONENT_FOR_TOOL: dict[str, str] = {
    TOOL_EGRESS_ALLOW: "egress",
    TOOL_EGRESS_BLOCK: "egress",
@@ -87,6 +94,8 @@ STATUSES: tuple[str, ...] = (STATUS_APPROVED, STATUS_MODIFIED, STATUS_REJECTED)
 ACTION_OPERATOR_EDIT = "operator-edit"
 QUEUE_DIR_IN_CONTAINER = "/run/supervise/queue"
 CURRENT_CONFIG_DIR_IN_AGENT = "/etc/bot-bottle/current-config"
 DEFAULT_POLL_INTERVAL_SEC = 0.5
@@ -429,39 +438,59 @@ def sha256_hex(content: str) -> str:
 # --- Sidecar plan + abstract lifecycle -------------------------------------
 # Filename of the staged Dockerfile inside the agent's read-only
 # current-config mount. The capability-block tool's description
 # points the agent at this exact path so it can read the current
 # Dockerfile and propose modifications.
 #
 # routes.yaml + allowlist used to live here too; PRD 0017 chunk 3
 # moved them behind the `list-egress-routes` MCP tool (live state
 # from egress's introspection endpoint) so the agent always sees
 # current data rather than a launch-time snapshot.
 CURRENT_CONFIG_DOCKERFILE = "Dockerfile"
@dataclass(frozen=True)
 class SupervisePlan:
    """Output of Supervise.prepare; consumed by .start.
    `queue_dir` is the host directory bind-mounted into the sidecar
-    at /run/supervise/queue. `internal_network` is empty at prepare
+    at /run/supervise/queue. `current_config_dir` is the host
-    time; the backend's launch step fills it via dataclasses.replace
+    directory bind-mounted (read-only) into the *agent* container
-    before calling .start."""
+    at /etc/bot-bottle/current-config — currently holds only the
    Dockerfile snapshot (routes.yaml + allowlist moved to the
    `list-egress-routes` MCP tool). `internal_network` is
    empty at prepare time; the backend's launch step fills it via
    dataclasses.replace before calling .start."""
    slug: str
    queue_dir: Path
    current_config_dir: Path
    internal_network: str = ""
 class Supervise(ABC):
    """Per-bottle supervise sidecar. Encapsulates the host-side
-    prepare (queue dir staging); the sidecar's start/stop lifecycle
+    prepare (queue dir + current-config staging); the sidecar's
-    is backend-specific."""
+    start/stop lifecycle is backend-specific."""
    def prepare(
        self,
        slug: str,
        stage_dir: Path,
    ) -> SupervisePlan:
-        """Stage the per-bottle queue dir on the host. Returns the
+        """Stage the per-bottle queue dir on the host and the
-        plan; `internal_network` must be set by the launch step before
+        current-config dir under `stage_dir`. Returns the plan;
        `internal_network` must be set by the launch step before
        .start runs."""
        del stage_dir
        queue_dir = queue_dir_for_slug(slug)
        queue_dir.mkdir(parents=True, exist_ok=True)
        current_config_dir = stage_dir / "current-config"
        current_config_dir.mkdir(parents=True, exist_ok=True)
        return SupervisePlan(
            slug=slug,
            queue_dir=queue_dir,
            current_config_dir=current_config_dir,
        )
 # --- Helpers ---------------------------------------------------------------
@@ -512,6 +541,8 @@ __all__ = [
    "ACTION_OPERATOR_EDIT",
    "AuditEntry",
    "COMPONENT_FOR_TOOL",
    "CURRENT_CONFIG_DIR_IN_AGENT",
    "CURRENT_CONFIG_DOCKERFILE",
    "DEFAULT_POLL_INTERVAL_SEC",
    "Proposal",
    "QUEUE_DIR_IN_CONTAINER",
@@ -527,6 +558,7 @@ __all__ = [
    "TOOLS",
    "EGRESS_FORWARD_PROXY",
    "EGRESS_INTROSPECT_URL",
    "TOOL_CAPABILITY_BLOCK",
    "TOOL_EGRESS_ALLOW",
    "TOOL_EGRESS_BLOCK",
    "TOOL_GITLEAKS_ALLOW",
@@ -1,8 +1,8 @@
 """Supervise sidecar HTTP server (PRD 0013).
-Per-bottle MCP server exposing tools the agent calls to propose egress
+Per-bottle MCP server exposing tools the agent calls to propose config
-config changes when stuck. The tools are `egress-allow`,
+changes when stuck. The tools are `allow`, `egress-block`,
-`egress-block`, and `list-egress-routes`.
+`capability-block`, and `list-egress-routes`.
 Each queued tool call:
@@ -90,19 +90,19 @@ def parse_jsonrpc(body: bytes) -> JsonRpcRequest:
    try:
        raw = json.loads(body)
    except json.JSONDecodeError as e:
-        raise _RpcClientError(ERR_PARSE, f"parse error: {e}") from e
+        raise _RpcError(ERR_PARSE, f"parse error: {e}") from e
    if not isinstance(raw, dict):
-        raise _RpcClientError(ERR_INVALID_REQUEST, "request must be a JSON object")
+        raise _RpcError(ERR_INVALID_REQUEST, "request must be a JSON object")
    if raw.get("jsonrpc") != JSONRPC_VERSION:
-        raise _RpcClientError(ERR_INVALID_REQUEST, "jsonrpc field must be '2.0'")
+        raise _RpcError(ERR_INVALID_REQUEST, "jsonrpc field must be '2.0'")
    method = raw.get("method")
    if not isinstance(method, str):
-        raise _RpcClientError(ERR_INVALID_REQUEST, "method must be a string")
+        raise _RpcError(ERR_INVALID_REQUEST, "method must be a string")
    params = raw.get("params", {})
    if params is None:
        params = {}
    if not isinstance(params, dict):
-        raise _RpcClientError(ERR_INVALID_PARAMS, "params must be an object")
+        raise _RpcError(ERR_INVALID_PARAMS, "params must be an object")
    rpc_id = raw.get("id", _NO_ID)
    is_notification = rpc_id is _NO_ID
    return JsonRpcRequest(
@@ -117,23 +117,12 @@ _NO_ID = object()
 class _RpcError(Exception):
    """Base class for all typed RPC errors that surface as JSON-RPC error responses."""
    def __init__(self, code: int, message: str):
        super().__init__(message)
        self.code = code
        self.message = message
 class _RpcClientError(_RpcError):
    """Caller sent a bad request; returned verbatim, no server-side logging."""
 class _RpcInternalError(_RpcError):
    """Server-side fault; logged at ERROR with cause, always returns ERR_INTERNAL."""
    def __init__(self, message: str) -> None:
        super().__init__(ERR_INTERNAL, message)
 def jsonrpc_result(request_id: object, result: object) -> bytes:
    payload = {"jsonrpc": JSONRPC_VERSION, "id": request_id, "result": result}
    return (json.dumps(payload) + "\n").encode("utf-8")
@@ -253,6 +242,34 @@ TOOL_DEFINITIONS: list[dict[str, object]] = [
            "required": ["routes_yaml", "justification"],
        },
    },
    {
        "name": _sv.TOOL_CAPABILITY_BLOCK,
        "description": (
            "Call when the bottle is missing a tool, skill, permission, "
            "or env var you need — something that lives in the agent "
            "Dockerfile rather than in the egress routes. "
            "Read the current Dockerfile from "
            "/etc/bot-bottle/current-config/Dockerfile, compose a "
            "modified version, and pass the full new file plus a "
            "justification. On approval the supervisor rebuilds the "
            "bottle from the new Dockerfile and starts a replacement on "
            "the same branch (wired in PRD 0016; v1 acknowledges only)."
        ),
        "inputSchema": {
            "type": "object",
            "properties": {
                "dockerfile": {
                    "type": "string",
                    "description": "Full proposed Dockerfile content.",
                },
                "justification": {
                    "type": "string",
                    "description": "Why this capability is needed.",
                },
            },
            "required": ["dockerfile", "justification"],
        },
    },
 ]
@@ -260,6 +277,7 @@ TOOL_DEFINITIONS: list[dict[str, object]] = [
 # payload (stored in Proposal.proposed_file).
 PROPOSED_FILE_FIELD: dict[str, str] = {
    _sv.TOOL_EGRESS_ALLOW: "routes_yaml",
    _sv.TOOL_CAPABILITY_BLOCK: "dockerfile",
    _sv.TOOL_EGRESS_BLOCK: "routes_yaml",
 }
@@ -272,22 +290,26 @@ def validate_proposed_file(tool: str, content: str) -> None:
    catches obvious paste-errors / wrong-tool selections before they
    enter the queue."""
    if not content.strip():
-        raise _RpcClientError(ERR_INVALID_PARAMS, f"{tool}: proposed file is empty")
+        raise _RpcError(ERR_INVALID_PARAMS, f"{tool}: proposed file is empty")
-    if tool in (_sv.TOOL_EGRESS_ALLOW, _sv.TOOL_EGRESS_BLOCK):
+    if tool == _sv.TOOL_CAPABILITY_BLOCK:
        # Dockerfiles are too varied to validate syntactically beyond
        # non-empty. The operator reads the diff in the TUI.
        pass
    elif tool in (_sv.TOOL_EGRESS_ALLOW, _sv.TOOL_EGRESS_BLOCK):
        try:
            config = load_config(content)
        except ValueError as e:
-            raise _RpcClientError(
+            raise _RpcError(
                ERR_INVALID_PARAMS,
                f"{tool}: proposed routes.yaml is not valid: {e}",
            ) from e
        if config.log != LOG_OFF:
-            raise _RpcClientError(
+            raise _RpcError(
                ERR_INVALID_PARAMS,
                f"{tool}: proposed routes.yaml must not change egress logging",
            )
    else:
-        raise _RpcClientError(ERR_INVALID_PARAMS, f"unknown tool {tool!r}")
+        raise _RpcError(ERR_INVALID_PARAMS, f"unknown tool {tool!r}")
 # --- MCP handlers ----------------------------------------------------------
@@ -360,17 +382,17 @@ def handle_tools_call(
    doesn't need operator approval."""
    name = params.get("name")
    if not isinstance(name, str):
-        raise _RpcClientError(ERR_INVALID_PARAMS, "tools/call missing 'name'")
+        raise _RpcError(ERR_INVALID_PARAMS, "tools/call missing 'name'")
    if name == _sv.TOOL_LIST_EGRESS_ROUTES:
        return handle_list_egress_routes(typing.cast(dict[str, object], params.get("arguments", {})), config)
    args_raw = params.get("arguments", {})
    if not isinstance(args_raw, dict):
-        raise _RpcClientError(ERR_INVALID_PARAMS, "tools/call 'arguments' must be an object")
+        raise _RpcError(ERR_INVALID_PARAMS, "tools/call 'arguments' must be an object")
    justification = args_raw.get("justification")
    if not isinstance(justification, str) or not justification.strip():
-        raise _RpcClientError(
+        raise _RpcError(
            ERR_INVALID_PARAMS,
            f"{name}: 'justification' is required and must be a non-empty string",
        )
@@ -379,13 +401,13 @@ def handle_tools_call(
        file_field = PROPOSED_FILE_FIELD[name]
        proposed_file = args_raw.get(file_field)
        if not isinstance(proposed_file, str):
-            raise _RpcClientError(
+            raise _RpcError(
                ERR_INVALID_PARAMS,
                f"{name}: '{file_field}' is required and must be a string",
            )
        validate_proposed_file(name, proposed_file)
    else:
-        raise _RpcClientError(ERR_INVALID_PARAMS, f"unknown tool {name!r}")
+        raise _RpcError(ERR_INVALID_PARAMS, f"unknown tool {name!r}")
    proposal = _sv.Proposal.new(
        bottle_slug=config.bottle_slug,
@@ -394,10 +416,7 @@ def handle_tools_call(
        justification=justification,
        current_file_hash=_sv.sha256_hex(proposed_file),
    )
    try:
    _sv.write_proposal(config.queue_dir, proposal)
    except OSError as e:
        raise _RpcInternalError(f"failed to write proposal to queue: {e}") from e
    sys.stderr.write(
        f"supervise: queued proposal {proposal.id} ({name}) "
        f"for bottle {config.bottle_slug}; waiting for operator...\n"
@@ -417,10 +436,7 @@ def handle_tools_call(
            "content": [{"type": "text", "text": text}],
            "isError": False,
        }
    try:
    _sv.archive_proposal(config.queue_dir, proposal.id)
    except OSError as e:
        raise _RpcInternalError(f"failed to archive proposal: {e}") from e
    text = format_response_text(response)
    return {
@@ -454,8 +470,9 @@ def format_pending_response_text(timeout_seconds: float) -> str:
 # --- HTTP transport --------------------------------------------------------
-# Max request body the server accepts. 1 MB is well above any realistic
+# Max request body the server accepts. Generous because Dockerfile
-# routes.yaml proposal.
+# proposals can be a few KB; routes.json is small. 1 MB is well above
 # any realistic config file.
 MAX_BODY_BYTES = 1 * 1024 * 1024
@@ -495,7 +512,7 @@ class MCPHandler(http.server.BaseHTTPRequestHandler):
        try:
            req = parse_jsonrpc(body)
-        except _RpcClientError as e:
+        except _RpcError as e:
            self._write_jsonrpc(jsonrpc_error(None, e.code, e.message))
            return
@@ -503,19 +520,11 @@ class MCPHandler(http.server.BaseHTTPRequestHandler):
        try:
            result = self._dispatch(req, config)
-        except _RpcClientError as e:
+        except _RpcError as e:
            self._write_jsonrpc(jsonrpc_error(req.id, e.code, e.message))
            return
-        except _RpcInternalError as e:
+        except Exception as e:  # noqa: W0718 — catch-all for RPC dispatch errors
-            cause = e.__cause__
+            sys.stderr.write(f"supervise: internal error: {e}\n")
            detail = f": {cause}" if cause else ""
            sys.stderr.write(f"supervise: internal error: {e.message}{detail}\n")
            sys.stderr.flush()
            self._write_jsonrpc(jsonrpc_error(req.id, ERR_INTERNAL, "internal error"))
            return
        except Exception as e:  # noqa: W0718 — unexpected errors
            sys.stderr.write(f"supervise: unexpected error: {type(e).__name__}: {e}\n")
            sys.stderr.flush()
            self._write_jsonrpc(jsonrpc_error(req.id, ERR_INTERNAL, "internal error"))
            return
@@ -534,7 +543,7 @@ class MCPHandler(http.server.BaseHTTPRequestHandler):
            return handle_tools_list(req.params)
        if method == "tools/call":
            return handle_tools_call(req.params, config)
-        raise _RpcClientError(ERR_METHOD_NOT_FOUND, f"method not found: {method}")
+        raise _RpcError(ERR_METHOD_NOT_FOUND, f"method not found: {method}")
    def _write_jsonrpc(self, body: bytes) -> None:
        self.send_response(200)
@@ -1,166 +0,0 @@
 # PRD 0065: Multi-parent `extends:` for bottles
 - **Status:** Active
 - **Author:** didericis
 - **Created:** 2026-06-25
 - **Issue:** #268
 - **Extends:** PRD 0025 (`0025-bottle-extends.md`)
 ## Summary
 Allow a bottle's `extends:` field to accept either a single bottle name (existing
 behavior) or a list of bottle names (new). Multiple parents are resolved
 independently and folded left-to-right into a single effective parent before the
 child is merged on top. This lets orthogonal concerns (base env, networking/egress,
 agent provider) live in separate bottles and be composed without forcing them into a
 linear chain.
 ## Problem
 PRD 0025 shipped single-parent `extends:` and listed "No multi-parent inheritance"
 as a non-goal. In practice, users want to compose multiple orthogonal bottles — a
 base environment, a networking profile, and an agent-provider override — without
 creating a three-level linear chain that couples unrelated parents to each other.
 The linear chain workaround has two problems:
 1. **Ordering constraint.** `networking extends base` works, but then
   `agent extends networking` can't also pick up `base` without going through
   `networking`, coupling two unrelated concerns.
 2. **Quadratic duplication.** N orthogonal bottles require O(N²) chain variants
   (one chain per permutation of applied concerns).
 Multi-parent `extends:` removes both constraints: each orthogonal concern stays in
 its own bottle, and the child bottle is the only place that names the combination.
 ## Goals / Success Criteria
 - `extends:` accepts a list of strings in addition to a plain string.
 - Backward compat: existing single-string `extends:` is unchanged.
 - Parents are resolved left-to-right; later entries win on conflict.
 - Child wins over all parents (unchanged from PRD 0025).
 - Cycle detection covers multi-parent graphs, not just linear chains.
 - Diamond inheritance: a shared ancestor is resolved once (via the existing cache).
 - Invalid list entries (non-string, undefined bottle, self-reference) die at parse
  with clear messages.
 - `manifest_loader.py`'s `load_bottle_chain_from_dir` enqueues all parents from a
  list `extends:` so the resolver sees every bottle in the graph.
 ## Non-goals
 - No change to the agent-vs-bottle trust boundary (PRD 0025 "Alternatives
  considered" option 2 stays rejected).
 - No MRO / C3 linearization. Left-to-right fold is sufficient for the expected use
  cases.
 - No preflight display of per-field provenance across multiple parents (same open
  question as PRD 0025; remains a follow-up).
 ## Design
 ### Schema
 `extends:` now accepts either form:
 ```yaml
 # single parent (unchanged)
 extends: base
 # multiple parents (new)
 extends: [base, networking]
 ```
 Both forms are normalized to a list internally. A list with one element behaves
 identically to the string form.
 ### Merge rules for multi-parent fold
 Parents are folded pairwise left-to-right before the child merge. For each step in
 the fold, the "earlier" bottle is the running accumulator and the "later" bottle is
 the next parent. Rules per field:
 | Field              | Fold rule                                                    |
 |--------------------|--------------------------------------------------------------|
 | `env`              | dict merge; later wins on key collision                      |
 | `git-gate.user`    | per-field overlay; later's non-empty fields win              |
 | `git-gate.repos`   | union by name; for same-name entries, later wins per-field   |
 | `egress.routes`    | concatenate (earlier first, later appended)                  |
 | `egress.log`       | later wins (last-wins)                                       |
 | `agent_provider`   | later wins (last-wins)                                       |
 | `supervise`        | later wins (last-wins)                                       |
 After the fold, the combined parent is merged against the child using the existing
 PRD 0025 rules (child always wins). The child's `egress.routes` appends to the
 combined parent's concatenated routes; `validate_egress_routes` runs once on the
 final merged set and catches duplicate hosts.
 ### Algorithm
 ```
 extends: [p1, p2, p3]
 fold:
  combined = resolve(p1)
  combined = fold_two(combined, resolve(p2))
  combined = fold_two(combined, resolve(p3))
 merge:
  result = _merge_bottles(combined, child_raw, name)
 ```
 `fold_two(earlier, later)` applies the rules in the table above. Cycle detection
 (the `seen` tuple) is passed to each parent resolution call unchanged — if any
 parent's chain circles back to the current bottle, it is caught. The `cache` dict
 ensures a shared ancestor is only resolved once across all parents.
 ### Error cases
 | Condition                              | Error message shape                                              |
 |----------------------------------------|------------------------------------------------------------------|
 | `extends` is not a string or list      | `extends must be a string or list of strings (was <type>)`       |
 | A list entry is not a string           | `extends[<i>] must be a string (was <type>)`                     |
 | A list entry names an undefined bottle | `extends '<name>' which is not defined. Available bottles: ...`  |
 | A list entry is the bottle itself      | `extends itself; remove the self-reference`                      |
 | Cycle through any parent edge          | `is in an extends cycle: <chain>`                                |
 ## Implementation
 ### `bot_bottle/manifest_extends.py`
 - `_resolve_one_bottle`: accept `str | list[str]` for `extends`; normalize to list;
  validate each entry; for a single-entry list fall through to the existing
  single-parent path; for multiple entries call `_fold_parents` then
  `_merge_bottles`.
 - `_fold_parents(parent_names, raws, cache, repos_cache, seen)`: resolve each
  parent and fold pairwise left-to-right; return `(effective_bottle,
  effective_repos_raw)`.
 - `_fold_two_bottles(earlier, earlier_repos_raw, later, later_repos_raw)`: apply
  the fold rules above; return `(folded_bottle, folded_repos_raw)`.
 ### `bot_bottle/manifest_loader.py`
 - `load_bottle_chain_from_dir`: when `extends` is a list, enqueue all parent names
  for loading (previously only `isinstance(parent, str)` was handled).
 ### `tests/unit/test_manifest_extends.py`
 - `TestExtendsErrors.test_non_string_extends_dies`: update to use an integer
  `extends` value (a list is now valid).
 - New class `TestExtendsMultiParent` covering all cases listed in the issue.
 ## Testing strategy
 Unit tests via `ManifestIndex.from_json_obj` (same resolver surface used by all
 paths). No integration test changes needed — downstream code consumes the already-
 merged bottle and is unchanged.
 Test cases:
 - Two-parent list: env union, egress routes concat, git repos union
 - Last-parent-wins on scalar (supervise, agent_provider)
 - Child wins over all parents on conflict
 - Diamond: two parents share an ancestor; ancestor resolved once
 - Single-element list: identical to string form
 - Non-string extends value → ManifestError
 - Non-string list entry → ManifestError
 - Undefined bottle in list → ManifestError
 - Self-reference in list → ManifestError
 - Cycle through multi-parent edge → ManifestError
@@ -1,227 +0,0 @@
 # PRD prd-new: smolmachines backend on Linux
 - **Status:** Draft
 - **Author:** Claude
 - **Created:** 2026-06-25
 - **Issue:** #283
 ## Summary
 Make the `smolmachines` backend (PRD 0023) runnable on Linux, not
 just macOS. `smolvm` already supports Linux via KVM (`/dev/kvm`);
 the gap is entirely in bot-bottle's host-side glue, which hard-codes
 macOS assumptions in three places:
 1. **Preflight** only checks that `smolvm` is on `PATH` — it never
   checks the Linux KVM prerequisite, so a misconfigured host fails
   deep in the launch flow with an opaque `smolvm` error.
 2. **The TSI allowlist enforcement** (`force_allowlist`) — the
   security property that confines the agent VM to its sidecar
   bundle's `/32` — **no-ops on Linux today, failing _open_**. The
   smolvm state-DB path it patches is hard-coded to macOS's
   `~/Library/Application Support/...`.
 3. **Per-bottle loopback scoping** (`allocate`) returns the shared
   `127.0.0.1` on Linux, which would let the agent VM reach every
   service on host loopback — a downgrade from the per-bottle alias
   isolation macOS gets.
 This PRD closes all three so a bottle launched with
 `BOT_BOTTLE_BACKEND=smolmachines` on Linux gets the same isolation
 guarantee it gets on macOS, and documents the Linux/NixOS host
 setup. The primary validation target is NixOS, but the changes are
 distro-agnostic.
 ## Problem
 The smolmachines backend runs each bottle's agent inside a libkrun
 microVM via `smolvm`, with egress confined by TSI's `--allow-cidr`
 allowlist set to a single `/32` — the sidecar bundle's loopback
 address. Everything else (host loopback, LAN, internet) is denied at
 the VMM layer. That security property is the entire reason the
 backend exists.
 libkrun runs on Hypervisor.framework (macOS) **and** KVM (Linux), and
 `smolvm` ships Linux x86_64 / aarch64 builds that require `/dev/kvm`.
 So the microVM layer already works on Linux. What does not work is
 bot-bottle's host integration, which PRD 0023 explicitly scoped to
 macOS-only for v1. Three concrete blockers:
 - **No KVM preflight.** On a Linux host without `/dev/kvm` (kernel
  module not loaded) or without access to it (user not in the `kvm`
  group), the failure surfaces as a cryptic `smolvm` non-zero exit
  mid-launch instead of an actionable message.
 - **TSI enforcement fails open on Linux.** `force_allowlist`
  early-returns on non-macOS. It exists because `smolvm` 0.8.0
  silently drops `--allow-cidr` when combined with `--from`, so the
  allowlist has to be patched into smolvm's persisted state DB before
  `machine start`. On Linux that patch never runs **and** the DB path
  is the macOS path, so the booted VM's TSI allowlist is whatever
  smolvm defaulted to — potentially all of `127.0.0.0/8`. That is the
  exact sandbox-escape the backend is supposed to prevent.
 - **No per-bottle loopback isolation on Linux.** `allocate` returns
  `127.0.0.1` on Linux. Even with a correct allowlist, `127.0.0.1/32`
  is shared by every service on host loopback, so the agent could
  reach other bottles' published ports and host services. On macOS
  this is solved with per-bottle `127.0.0.16..31` aliases added via
  `sudo ifconfig lo0 alias`. On Linux the whole `127.0.0.0/8` is
  already routed to `lo`, so docker can publish to `127.0.0.<N>`
  with **no `ifconfig`/sudo step at all** — the isolation is actually
  cheaper to achieve than on macOS.
 ## Goals / Success Criteria
 - `BOT_BOTTLE_BACKEND=smolmachines ./cli.py start <agent>` launches,
  runs, and tears down a bottle on a Linux host with `/dev/kvm`.
 - The TSI allowlist is enforced on Linux: PRD 0022's
  `tests/integration/test_sandbox_escape.py` passes against
  `BOT_BOTTLE_BACKEND=smolmachines` on Linux (the acceptance gate).
 - Each Linux bottle is scoped to its own `127.0.0.<N>/32`, matching
  the macOS per-bottle isolation property.
 - A clear, actionable preflight error when `/dev/kvm` is missing or
  inaccessible, with remediation (load `kvm-intel`/`kvm-amd`, join the
  `kvm` group).
 - **Fail-closed:** if bot-bottle cannot positively confirm the TSI
  allowlist was persisted for a machine (DB missing, row missing,
  patch didn't take), it `die()`s before `machine start` rather than
  booting a VM with an unverified allowlist.
 - macOS behavior is unchanged.
 - README documents Linux + NixOS host setup.
 ## Non-goals
 - Rootless / non-KVM fallbacks (e.g. software emulation). Linux
  smolmachines requires `/dev/kvm`, full stop.
 - Removing Docker as a host dependency — the sidecar bundle and
  image-build pipeline still use Docker on Linux, same as macOS.
 - Auto-installing `smolvm` or configuring KVM on the operator's
  behalf. Preflight reports; the operator remediates.
 - Nested-virtualization tuning for running the runner itself inside a
  VM (documented as a caveat, not solved here).
 ## Design
 ### Platform detection
 Reuse the existing `platform.system()` check already in
 `loopback_alias.py` (`_is_macos()`). "Linux" is "not macOS" for every
 branch below; no new third-platform path.
 ### Preflight: KVM gate (`util.smolmachines_preflight`)
 After the existing `smolvm`-on-`PATH` check, add a Linux-only gate:
 - `/dev/kvm` must exist → else `die()` with "enable KVM
  (`kvm-intel`/`kvm-amd` kernel module)".
 - `/dev/kvm` must be readable + writable by the current user
  (`os.access(..., R_OK | W_OK)`) → else `die()` with "add your user
  to the `kvm` group (and re-login)".
 macOS is unaffected (Hypervisor.framework needs no device node).
 ### smolvm state-DB path (platform-aware)
 `loopback_alias._SMOLVM_DB_PATH` becomes platform-derived:
 - macOS: `~/Library/Application Support/smolvm/server/smolvm.db`
  (unchanged).
 - Linux: `$XDG_DATA_HOME/smolvm/server/smolvm.db`, defaulting to
  `~/.local/share/smolvm/server/smolvm.db`.
 > **Verification note:** the Linux DB location is inferred from
 > smolvm's documented `~/.local/share` install layout and the XDG
 > base-dir spec. It must be confirmed on a real Linux smolvm install;
 > if smolvm uses a different path or schema, the fail-closed check
 > below turns that into a clear `die()` at launch rather than a silent
 > escape.
 ### TSI enforcement: cross-platform + fail-closed (`force_allowlist`)
 Rework `force_allowlist(machine_name, allowed_cidrs)` to run on
 **both** platforms and to fail closed:
 1. Resolve the state DB; if the file is missing, `die()` (cannot
   confirm enforcement → refuse to launch).
 2. Read the machine's persisted row; if the row is missing, `die()`.
 3. If the row's `allowed_cidrs` already equals the requested list
   (e.g. a newer `smolvm` that honors `--allow-cidr` at create), do
   nothing — no write.
 4. Otherwise patch `allowed_cidrs` (the existing BLOB-encoded write)
   and re-read.
 5. If, after the patch, `allowed_cidrs` still does not equal the
   requested list, `die()`.
 This is robust across smolvm versions: it works whether `--allow-cidr`
 is silently dropped (0.8.0) or honored (newer), and it never boots a
 VM whose persisted allowlist it could not confirm. It is a strict
 improvement on macOS too (today's code writes unconditionally and
 never verifies).
 > The persisted-row check confirms our write took, not that smolvm's
 > runtime TSI enforces it. The runtime guarantee is covered by the
 > sandbox-escape acceptance test; the persisted check is the cheap
 > fail-closed guard at launch.
 ### Per-bottle loopback scoping on Linux (`allocate`)
 `allocate` runs the same docker-state-driven allocation on Linux as on
 macOS (`_allocate_locked`, the file lock, and `_aliases_in_use` via
 `docker inspect` are all already cross-platform). The only macOS-only
 step, `ensure_pool` (the `sudo ifconfig lo0 alias` dance), stays
 macOS-only: on Linux `127.0.0.0/8` is already loopback, so docker can
 publish bundle ports directly on `127.0.0.<N>` with no setup.
 Net effect: Linux bottles get per-bottle `127.0.0.16..31/32` scoping
 identical to macOS, without sudo.
 ### Launch flow
 `launch.py` needs no structural change — `_allocate_resources` already
 calls `ensure_pool()` (now a Linux no-op) then `allocate()` (now
 per-bottle on Linux), and `_launch_vm` already calls
 `force_allowlist()` (now active on Linux). Only the macOS-specific
 docstrings are updated to describe the cross-platform behavior.
 ## Implementation chunks
 1. **Preflight KVM gate** — `util.smolmachines_preflight` +
   unit tests for the missing-device and no-access branches.
 2. **Platform-aware DB path + fail-closed `force_allowlist`** —
   `loopback_alias.py`; update/extend `TestForceAllowlist`.
 3. **Cross-platform `allocate`** — drop the Linux early-return; update
   `TestAllocate` / `TestAllocateLock` for the new Linux behavior.
 4. **Docstring + comment cleanup** in `launch.py` and module headers.
 5. **Docs** — README requirements + a Linux/NixOS host-setup section.
 ## Testing Strategy
 - **Unit (CI, any OS):** the suite mocks `platform.system()` /
  `subprocess` and patches `_SMOLVM_DB_PATH`, so the new Linux
  branches are testable on the macOS/Linux CI runner without `smolvm`
  or KVM. Covers: KVM preflight branches, fail-closed `force_allowlist`
  (DB missing, row missing, patch-doesn't-take), per-bottle Linux
  allocation + locking, platform-derived DB path.
 - **Integration (Linux host with KVM — the acceptance gate):**
  `tests/integration/test_sandbox_escape.py` against
  `BOT_BOTTLE_BACKEND=smolmachines`. This cannot run on the macOS dev
  box and must be executed on NixOS before merge.
 ## Open questions / verification pending
 - **Confirm the Linux smolvm state-DB path and schema** on a real
  install (the `~/.local/share/...` inference above).
 - **Confirm whether the current smolvm Linux build still drops
  `--allow-cidr` with `--from`** (the 0.8.0 bug). The fail-closed
  design handles either answer, but knowing lets us drop the DB patch
  if upstream fixed it.
 - **Confirm docker publishing to `127.0.0.<N>` on Linux** behaves as
  expected end-to-end with TSI (high confidence; standard loopback
  behavior, but unverified on the target host).
 ## References
 - PRD 0023 — smolmachines bottle backend (macOS v1).
 - PRD 0022 — `test_sandbox_escape.py` acceptance gate.
 - PRD 0024 — sidecar bundle image.
 - smolvm: https://github.com/smol-machines/smolvm
@@ -115,8 +115,8 @@ class TestBottleIdentity(unittest.TestCase):
 class TestPreserveMarker(_FakeHomeMixin, unittest.TestCase):
-    """The .preserve marker tells cli.py's session-end cleanup to keep
+    """The .preserve marker is how capability_apply tells cli.py's
-    the state dir instead of removing it."""
+    session-end cleanup to keep the state dir instead of removing it."""
    def setUp(self):
        self._setup_fake_home()
@@ -29,8 +29,8 @@ class _FakeHomeMixin:
 class TestCaptureSessionState(_FakeHomeMixin, unittest.TestCase):
-    # capture_claude_session_state handles the preserve marker for
+    # snapshot_transcript is commented out (capability_apply is disabled);
-    # non-zero agent exits.
+    # capture_claude_session_state now only handles the preserve marker.
    def setUp(self):
        self._setup_fake_home()
@@ -108,6 +108,7 @@ def _supervise_plan() -> SupervisePlan:
    return SupervisePlan(
        slug=SLUG,
        queue_dir=STATE / "supervise" / "queue",
        current_config_dir=STATE / "supervise" / "current-config",
        internal_network=f"bot-bottle-net-{SLUG}",
    )
@@ -270,11 +271,18 @@ class TestAgentAlwaysPresent(unittest.TestCase):
                s = bottle_plan_to_compose(_plan(**kwargs))["services"]["agent"]
                self.assertEqual(["sidecars"], s["depends_on"])
-    def test_agent_has_no_current_config_mount_with_supervise(self):
+    def test_agent_current_config_mount_only_with_supervise(self):
        with_sv = bottle_plan_to_compose(_plan(supervise=True))["services"]["agent"]
-        self.assertNotIn("volumes", with_sv)
+        self.assertTrue(any(
            v["target"] == "/etc/bot-bottle/current-config"
            for v in with_sv.get("volumes", [])
        ))
        without_sv = bottle_plan_to_compose(_plan(supervise=False))["services"]["agent"]
-        self.assertNotIn("volumes", without_sv)
+        # Either no volumes key at all, or no current-config target.
        self.assertFalse(any(
            v["target"] == "/etc/bot-bottle/current-config"
            for v in without_sv.get("volumes", [])
        ))
 class TestSidecarBundleShape(unittest.TestCase):
@@ -75,6 +75,7 @@ def _plan(
        supervise_plan = SupervisePlan(
            slug="demo-abc12",
            queue_dir=Path("/tmp/queue"),
            current_config_dir=Path("/tmp/current-config"),
        )
    return DockerBottlePlan(
        spec=spec,
@@ -78,6 +78,7 @@ def _plan(
        supervise_plan = SupervisePlan(
            slug="demo-abc12",
            queue_dir=Path("/tmp/queue"),
            current_config_dir=Path("/tmp/current-config"),
        )
    return DockerBottlePlan(
        spec=spec,
@@ -10,8 +10,6 @@ from unittest.mock import MagicMock, patch
 from bot_bottle.contrib.gitea.deploy_key_provisioner import (
    GiteaDeployKeyProvisioner,
    _API_TIMEOUT_SECS,
    _KEYGEN_TIMEOUT_SECS,
    _split_owner_repo,
 )
 from bot_bottle.deploy_key_provisioner import DeployKeyCollisionError
@@ -85,25 +83,6 @@ class TestCreate(unittest.TestCase):
        self.assertEqual(str(fake_key_id), key_id)
        self.assertEqual(fake_private, private_bytes)
    def test_create_passes_timeout_to_ssh_keygen_and_urlopen(self):
        provisioner = _provisioner()
        with patch(
            "bot_bottle.contrib.gitea.deploy_key_provisioner.subprocess.run"
        ) as mock_run, patch(
            "bot_bottle.contrib.gitea.deploy_key_provisioner.urllib.request.urlopen"
        ) as mock_urlopen, patch(
            "bot_bottle.contrib.gitea.deploy_key_provisioner.Path.read_bytes",
            return_value=b"PRIVATE",
        ), patch(
            "bot_bottle.contrib.gitea.deploy_key_provisioner.Path.read_text",
            return_value="ssh-ed25519 AAAA\n",
        ):
            mock_urlopen.return_value = _urlopen_response({"id": 1})
            provisioner.create("owner/repo", "title")
        self.assertEqual(_KEYGEN_TIMEOUT_SECS, mock_run.call_args.kwargs.get("timeout"))
        self.assertEqual(_API_TIMEOUT_SECS, mock_urlopen.call_args.kwargs.get("timeout"))
    def test_create_raises_on_http_error(self):
        provisioner = _provisioner()
        with patch(
@@ -160,16 +139,6 @@ class TestDelete(unittest.TestCase):
        self.assertIn("/api/v1/repos/didericis/bot-bottle/keys/99", req.full_url)
        self.assertEqual("DELETE", req.get_method())
    def test_delete_passes_timeout_to_urlopen(self):
        provisioner = _provisioner()
        with patch(
            "bot_bottle.contrib.gitea.deploy_key_provisioner.urllib.request.urlopen"
        ) as mock_urlopen:
            mock_urlopen.return_value = _urlopen_response({})
            provisioner.delete("owner/repo", "7")
        self.assertEqual(_API_TIMEOUT_SECS, mock_urlopen.call_args.kwargs.get("timeout"))
    def test_delete_tolerates_404(self):
        provisioner = _provisioner()
        with patch(
@@ -65,8 +65,8 @@ class TestOrphanStateDirs(_FakeHomeMixin, unittest.TestCase):
        )
    def test_preserve_marker_skips_dir(self):
-        # Preserve marker means the user explicitly wanted this dir
+        # Preserve marker = capability-block or crash auto-preserve;
-        # kept for `resume`.
+        # the user explicitly wanted this dir kept for `resume`.
        bottle_state.write_per_bottle_dockerfile("kept-ccc", "FROM x\n")
        bottle_state.mark_preserved("kept-ccc")
        self.assertEqual(
@@ -10,7 +10,6 @@ from bot_bottle.egress import (
    Egress,
    EgressPlan,
    EgressRoute,
    _yaml_str_escape,
    egress_agent_env_entries,
    egress_manifest_routes,
    egress_render_routes,
@@ -420,76 +419,6 @@ class TestRenderRoutes(unittest.TestCase):
        self.assertEqual(LOG_BLOCKS, cfg.log)
 class TestYamlStrEscape(unittest.TestCase):
    """_yaml_str_escape produces safe YAML double-quoted scalar content."""
    def test_plain_string_unchanged(self):
        self.assertEqual("api.example.com", _yaml_str_escape("api.example.com"))
    def test_double_quote_escaped(self):
        self.assertEqual('\\"', _yaml_str_escape('"'))
    def test_backslash_escaped(self):
        self.assertEqual("\\\\", _yaml_str_escape("\\"))
    def test_newline_escaped(self):
        self.assertEqual("\\n", _yaml_str_escape("\n"))
    def test_carriage_return_escaped(self):
        self.assertEqual("\\r", _yaml_str_escape("\r"))
    def test_tab_escaped(self):
        self.assertEqual("\\t", _yaml_str_escape("\t"))
    def test_combined(self):
        self.assertEqual('\\"\\n\\\\', _yaml_str_escape('"\n\\'))
 class TestRenderRoutesEscaping(unittest.TestCase):
    """Stray quotes/newlines in manifest strings do not corrupt routes.yaml."""
    @staticmethod
    def _parsed(routes) -> list[dict]:  # type: ignore
        return parse_yaml_subset(egress_render_routes(routes))["routes"]  # type: ignore
    def test_host_with_double_quote_round_trips(self):
        routes = (EgressRoute(host='bad"host.example'),)
        parsed = self._parsed(routes)
        self.assertEqual('bad"host.example', parsed[0]["host"])
    def test_host_with_newline_round_trips(self):
        routes = (EgressRoute(host="host\nextra.example"),)
        parsed = self._parsed(routes)
        self.assertEqual("host\nextra.example", parsed[0]["host"])
    def test_auth_scheme_with_double_quote_round_trips(self):
        routes = (EgressRoute(
            host="api.example",
            auth_scheme='Bear"er',
            token_env="EGRESS_TOKEN_0",
        ),)
        parsed = self._parsed(routes)
        self.assertEqual('Bear"er', parsed[0]["auth_scheme"])
    def test_path_value_with_double_quote_round_trips(self):
        from bot_bottle.egress_addon_core import PathMatch, MatchEntry
        routes = (EgressRoute(
            host="api.example",
            matches=(MatchEntry(paths=(PathMatch(type="prefix", value='/v1/"quoted"/'),)),),
        ),)
        parsed = self._parsed(routes)
        self.assertEqual('/v1/"quoted"/', parsed[0]["matches"][0]["paths"][0]["value"])
    def test_header_value_with_double_quote_round_trips(self):
        from bot_bottle.egress_addon_core import HeaderMatch, MatchEntry
        routes = (EgressRoute(
            host="api.example",
            matches=(MatchEntry(headers=(HeaderMatch(name="x-h", value='val"ue'),)),),
        ),)
        parsed = self._parsed(routes)
        self.assertEqual('val"ue', parsed[0]["matches"][0]["headers"][0]["value"])
 class TestResolveTokenValues(unittest.TestCase):
    def test_reads_host_env(self):
        out = egress_resolve_token_values(
@@ -4,7 +4,6 @@ import os
 import tempfile
 import unittest
 from pathlib import Path
 from unittest.mock import patch
 from bot_bottle.git_gate import (
    GitGate,
@@ -14,8 +13,6 @@ from bot_bottle.git_gate import (
    git_gate_render_access_hook,
    git_gate_render_entrypoint,
    git_gate_render_hook,
    revoke_git_gate_provisioned_keys,
    _resolve_identity_file,
    git_gate_upstreams_for_bottle,
 )
 from bot_bottle.manifest import ManifestIndex
@@ -331,68 +328,6 @@ class TestPrepare(unittest.TestCase):
        self.assertIn("exec git daemon", content)
 class TestDynamicKeyProvisioning(unittest.TestCase):
    def setUp(self):
        self.stage = Path(tempfile.mkdtemp())
    def tearDown(self):
        import shutil
        shutil.rmtree(self.stage, ignore_errors=True)
    def _gitea_manifest(self):
        return ManifestIndex.from_json_obj({
            "bottles": {
                "dev": {
                    "git-gate": {
                        "repos": {
                            "repo": {
                                "url": "ssh://git@gitea.example.com/org/repo.git",
                                "key": {
                                    "provider": "gitea",
                                    "forge_token_env": "GITEA_TOKEN",
                                },
                                "host_key": "ssh-ed25519 AAAA...",
                            },
                        },
                    }
                }
            },
            "agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
        })
    def test_resolve_identity_file_static_uses_entry_path(self):
        entry = fixture_with_git().bottles["dev"].git[0]
        self.assertEqual(entry.IdentityFile, _resolve_identity_file(entry, "demo", self.stage))
    def test_resolve_identity_file_gitea_provisions_key(self):
        entry = self._gitea_manifest().bottles["dev"].git[0]
        with patch("bot_bottle.git_gate._provision_dynamic_key", return_value="/tmp/provisioned-key") as mock_provision:
            self.assertEqual("/tmp/provisioned-key", _resolve_identity_file(entry, "demo", self.stage))
        mock_provision.assert_called_once()
    def test_revoke_skips_non_gitea_and_missing_id_file(self):
        revoke_git_gate_provisioned_keys(fixture_with_git().bottles["dev"], self.stage)
    def test_revoke_calls_delete_for_gitea_entry(self):
        bottle = self._gitea_manifest().bottles["dev"]
        (self.stage / "repo-deploy-key-id").write_text("123\n")
        with patch.dict("os.environ", {"GITEA_TOKEN": "token"}), patch(
            "bot_bottle.deploy_key_provisioner.get_provisioner"
        ) as mock_get_provisioner:
            provisioner = mock_get_provisioner.return_value
            revoke_git_gate_provisioned_keys(bottle, self.stage)
        mock_get_provisioner.assert_called_once()
        provisioner.delete.assert_called_once_with("org/repo", "123")
    def test_revoke_missing_token_raises(self):
        bottle = self._gitea_manifest().bottles["dev"]
        (self.stage / "repo-deploy-key-id").write_text("123\n")
        with patch.dict("os.environ", {}, clear=True), self.assertRaises(RuntimeError) as cm:
            revoke_git_gate_provisioned_keys(bottle, self.stage)
        self.assertIn("env var is not set", str(cm.exception))
 class TestShellEscaping(unittest.TestCase):
    """Regression tests: all three render functions must produce syntactically
    valid sh code even when names and upstream URLs contain shell-special
@@ -9,7 +9,6 @@ import urllib.request
 from pathlib import Path
 from unittest import mock
 from bot_bottle.git_gate import GIT_GATE_TIMEOUT_SECS
 from bot_bottle.git_http_backend import GitHttpHandler, MAX_BODY_BYTES
@@ -151,61 +150,6 @@ class TestGitHttpBackend(unittest.TestCase):
            )
            self.assertEqual("git/test", env["HTTP_USER_AGENT"])
    def test_subprocess_calls_include_timeout(self):
        """Both subprocess.run calls (access-hook and git http-backend) must
        pass timeout= so a hung upstream cannot wedge the sidecar."""
        from http.server import ThreadingHTTPServer
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            (root / "repo.git").mkdir()
            old_root = os.environ.get("GIT_PROJECT_ROOT")
            os.environ["GIT_PROJECT_ROOT"] = str(root)
            self.addCleanup(self._restore_env, old_root)
            old_hook = os.environ.get("GIT_GATE_ACCESS_HOOK")
            hook = root / "access-hook"
            hook.write_text("#!/bin/sh\nexit 0\n")
            hook.chmod(0o700)
            os.environ["GIT_GATE_ACCESS_HOOK"] = str(hook)
            self.addCleanup(self._restore_hook, old_hook)
            server = ThreadingHTTPServer(("127.0.0.1", 0), GitHttpHandler)
            thread = threading.Thread(target=server.serve_forever, daemon=True)
            thread.start()
            self.addCleanup(server.shutdown)
            self.addCleanup(server.server_close)
            backend_response = (
                b"Status: 200 OK\r\n"
                b"Content-Type: application/x-git-upload-pack-result\r\n"
                b"\r\n"
                b"0000"
            )
            calls = [
                subprocess.CompletedProcess(["hook"], 0, b"", b""),
                subprocess.CompletedProcess(["git"], 0, backend_response, b""),
            ]
            with mock.patch(
                "bot_bottle.git_http_backend.subprocess.run",
                side_effect=calls,
            ) as run:
                req = urllib.request.Request(
                    f"http://127.0.0.1:{server.server_port}"
                    "/repo.git/git-upload-pack",
                    data=b"",
                    method="POST",
                )
                with urllib.request.urlopen(req, timeout=5):
                    pass
            for call in run.call_args_list:
                self.assertEqual(
                    GIT_GATE_TIMEOUT_SECS,
                    call.kwargs.get("timeout"),
                    f"subprocess.run call missing timeout: {call}",
                )
    def test_access_hook_denial_is_logged_to_stdout(self):
        """When the access-hook exits non-zero we still return 403 to the
        client, but the hook's stderr must also appear on the handler's
@@ -312,57 +256,6 @@ class TestGitHttpBackend(unittest.TestCase):
            os.environ["GIT_GATE_ACCESS_HOOK"] = value
 class TestMalformedStatusHeader(unittest.TestCase):
    """Malformed CGI Status: headers must not propagate as unhandled exceptions;
    the handler should fall back to HTTP 500."""
    def setUp(self):
        from http.server import ThreadingHTTPServer
        import tempfile
        self._tmp = tempfile.mkdtemp()
        os.environ["GIT_PROJECT_ROOT"] = self._tmp
        self._server = ThreadingHTTPServer(("127.0.0.1", 0), GitHttpHandler)
        self._thread = threading.Thread(
            target=self._server.serve_forever, daemon=True,
        )
        self._thread.start()
        self._port = self._server.server_port
    def tearDown(self):
        self._server.shutdown()
        self._server.server_close()
        os.environ.pop("GIT_PROJECT_ROOT", None)
        import shutil
        shutil.rmtree(self._tmp, ignore_errors=True)
    def _get_with_backend_response(self, cgi_response: bytes) -> int:
        with mock.patch(
            "bot_bottle.git_http_backend.subprocess.run",
            return_value=mock.Mock(returncode=0, stdout=cgi_response),
        ):
            req = urllib.request.Request(
                f"http://127.0.0.1:{self._port}/repo.git/info/refs",
                method="GET",
            )
            try:
                with urllib.request.urlopen(req, timeout=3) as resp:
                    return resp.status
            except urllib.error.HTTPError as e:  # type: ignore
                return e.code
    def test_empty_status_value_returns_500(self):
        status = self._get_with_backend_response(
            b"Status: \r\nContent-Type: text/plain\r\n\r\n"
        )
        self.assertEqual(500, status)
    def test_non_numeric_status_returns_500(self):
        status = self._get_with_backend_response(
            b"Status: bad\r\nContent-Type: text/plain\r\n\r\n"
        )
        self.assertEqual(500, status)
 class TestContentLengthBounds(unittest.TestCase):
    """PRD 0041: malformed or oversized Content-Length is rejected before
    git http-backend is invoked."""
@@ -423,182 +423,9 @@ class TestExtendsErrors(unittest.TestCase):
        )
        self.assertIn("extends cycle", msg)
-    def test_non_string_non_list_extends_dies(self):
+    def test_non_string_extends_dies(self):
-        msg = _error_message(_build, child={"extends": 123})
+        msg = _error_message(_build, child={"extends": ["base"]})
-        self.assertIn("extends must be a string or list of strings", msg)
+        self.assertIn("extends must be a string", msg)
    def test_list_entry_non_string_dies(self):
        msg = _error_message(_build, child={"extends": [123]})
        self.assertIn("extends[0] must be a string", msg)
 class TestExtendsMultiParent(unittest.TestCase):
    """extends: [p1, p2, ...] — multi-parent composition (issue #268)."""
    _GIT_A = {"url": "ssh://git@host-a/a.git", "key": {"provider": "static", "path": "/k"}}
    _GIT_B = {"url": "ssh://git@host-b/b.git", "key": {"provider": "static", "path": "/k"}}
    def test_single_element_list_same_as_string(self):
        m = _build(
            base={"env": {"X": "1"}},
            child={"extends": ["base"]},
        )
        self.assertEqual({"X": "1"}, dict(m.bottles["child"].env))
    def test_two_parents_env_union(self):
        m = _build(
            p1={"env": {"A": "1"}},
            p2={"env": {"B": "2"}},
            child={"extends": ["p1", "p2"]},
        )
        self.assertEqual({"A": "1", "B": "2"}, dict(m.bottles["child"].env))
    def test_two_parents_env_last_wins_on_collision(self):
        m = _build(
            p1={"env": {"X": "from-p1"}},
            p2={"env": {"X": "from-p2"}},
            child={"extends": ["p1", "p2"]},
        )
        self.assertEqual("from-p2", m.bottles["child"].env["X"])
    def test_child_wins_over_all_parents(self):
        m = _build(
            p1={"env": {"X": "from-p1"}},
            p2={"env": {"X": "from-p2"}},
            child={"extends": ["p1", "p2"], "env": {"X": "from-child"}},
        )
        self.assertEqual("from-child", m.bottles["child"].env["X"])
    def test_two_parents_supervise_last_wins(self):
        m = _build(
            p1={"supervise": False},
            p2={"supervise": True},
            child={"extends": ["p1", "p2"]},
        )
        self.assertTrue(m.bottles["child"].supervise)
    def test_child_supervise_overrides_all_parents(self):
        m = _build(
            p1={"supervise": True},
            p2={"supervise": True},
            child={"extends": ["p1", "p2"], "supervise": False},
        )
        self.assertFalse(m.bottles["child"].supervise)
    def test_two_parents_egress_routes_concatenated(self):
        m = _build(
            p1={"egress": {"routes": [{"host": "a.example.com"}]}},
            p2={"egress": {"routes": [{"host": "b.example.com"}]}},
            child={"extends": ["p1", "p2"]},
        )
        hosts = [r.Host for r in m.bottles["child"].egress.routes]
        self.assertEqual(["a.example.com", "b.example.com"], hosts)
    def test_child_egress_appends_after_combined_parents(self):
        m = _build(
            p1={"egress": {"routes": [{"host": "a.example.com"}]}},
            p2={"egress": {"routes": [{"host": "b.example.com"}]}},
            child={
                "extends": ["p1", "p2"],
                "egress": {"routes": [{"host": "c.example.com"}]},
            },
        )
        hosts = [r.Host for r in m.bottles["child"].egress.routes]
        self.assertEqual(["a.example.com", "b.example.com", "c.example.com"], hosts)
    def test_two_parents_git_repos_union(self):
        m = _build(
            p1={"git-gate": {"repos": {"a": self._GIT_A}}},
            p2={"git-gate": {"repos": {"b": self._GIT_B}}},
            child={"extends": ["p1", "p2"]},
        )
        names = {e.Name for e in m.bottles["child"].git}
        self.assertEqual({"a", "b"}, names)
    def test_two_parents_git_same_name_later_wins_per_field(self):
        # Both parents declare the same repo name. p2's `key` wins; p1's
        # `host_key` is preserved because p2 doesn't override it.
        p1_entry = {
            "url": "ssh://git@host-a/repo.git",
            "host_key": "ecdsa AAAA",
            "key": {"provider": "static", "path": "/k1"},
        }
        p2_entry = {
            "url": "ssh://git@host-a/repo.git",  # required, same url
            "key": {"provider": "gitea", "forge_token_env": "TOK"},
        }
        m = _build(
            p1={"git-gate": {"repos": {"repo": p1_entry}}},
            p2={"git-gate": {"repos": {"repo": p2_entry}}},
            child={"extends": ["p1", "p2"]},
        )
        entries = m.bottles["child"].git
        self.assertEqual(1, len(entries))
        e = entries[0]
        self.assertEqual("ssh://git@host-a/repo.git", e.Upstream)
        self.assertEqual("ecdsa AAAA", e.KnownHostKey)
        self.assertEqual("gitea", e.Key.provider)
    def test_p1_repos_preserved_when_p2_has_none(self):
        m = _build(
            p1={"git-gate": {"repos": {"a": self._GIT_A}}},
            p2={"env": {"X": "1"}},
            child={"extends": ["p1", "p2"]},
        )
        names = [e.Name for e in m.bottles["child"].git]
        self.assertEqual(["a"], names)
    def test_diamond_shared_ancestor_resolved_once(self):
        # a <- b, a <- c; child extends [b, c]
        # `a` must be resolved once and cached.
        m = _build(
            a={"env": {"FROM_A": "1"}, "supervise": False},
            b={"extends": "a", "env": {"FROM_B": "1"}},
            c={"extends": "a", "env": {"FROM_C": "1"}},
            child={"extends": ["b", "c"]},
        )
        child = m.bottles["child"]
        self.assertEqual("1", child.env["FROM_A"])
        self.assertEqual("1", child.env["FROM_B"])
        self.assertEqual("1", child.env["FROM_C"])
        # supervise=False from `a` threads through both b and c; c is the
        # later parent so its effective supervise (False) wins.
        self.assertFalse(child.supervise)
    def test_three_parents_env_fold_order(self):
        m = _build(
            p1={"env": {"X": "1", "A": "a"}},
            p2={"env": {"X": "2", "B": "b"}},
            p3={"env": {"X": "3", "C": "c"}},
            child={"extends": ["p1", "p2", "p3"]},
        )
        env = dict(m.bottles["child"].env)
        self.assertEqual("3", env["X"])
        self.assertEqual("a", env["A"])
        self.assertEqual("b", env["B"])
        self.assertEqual("c", env["C"])
    def test_undefined_bottle_in_list_dies(self):
        msg = _error_message(
            _build,
            base={"env": {}},
            child={"extends": ["base", "ghost"]},
        )
        self.assertIn("extends 'ghost'", msg)
        self.assertIn("not defined", msg)
    def test_self_reference_in_list_dies(self):
        msg = _error_message(_build, child={"extends": ["child"]})
        self.assertIn("extends itself", msg)
    def test_cycle_through_multi_parent_edge_dies(self):
        msg = _error_message(
            _build,
            a={"extends": ["b", "c"]},
            b={},
            c={"extends": "a"},
        )
        self.assertIn("extends cycle", msg)
 class TestExtendsAvailableInBottleKeys(unittest.TestCase):
@@ -8,7 +8,6 @@ import unittest
 from bot_bottle.git_gate import (
    GIT_GATE_HOSTNAME,
    _gitconfig_validate_value,
    git_gate_render_gitconfig,
 )
 from bot_bottle.manifest import ManifestIndex
@@ -91,42 +90,5 @@ class TestGitGateGitconfigRender(unittest.TestCase):
        self.assertNotIn("gitea.dideric.is", out)
 class TestGitconfigValidateValue(unittest.TestCase):
    """_gitconfig_validate_value rejects values that would inject gitconfig keys."""
    def test_normal_url_passes(self):
        _gitconfig_validate_value("url", "ssh://git@github.com/owner/repo.git")
    def test_newline_in_url_raises(self):
        with self.assertRaises(ValueError):
            _gitconfig_validate_value("url", "ssh://git@github.com/owner/\nrepo.git")
    def test_carriage_return_in_url_raises(self):
        with self.assertRaises(ValueError):
            _gitconfig_validate_value("url", "ssh://git@github.com/\rrepo.git")
    def test_error_message_names_field(self):
        with self.assertRaises(ValueError, msg="error should name the field") as ctx:
            _gitconfig_validate_value("repos['bad'].url", "ssh://host/\npath")
        self.assertIn("repos['bad'].url", str(ctx.exception))
 class TestGitconfigRenderRejectsNewlineInUpstream(unittest.TestCase):
    """git_gate_render_gitconfig raises on Upstream values with newlines."""
    def test_newline_in_upstream_raises(self):
        m = ManifestIndex.from_json_obj({
            "bottles": {"dev": {"git-gate": {"repos": {
                "evil": {
                    "url": "ssh://git@github.com/owner/\nfake-key = injected\nrepo.git",
                    "key": {"provider": "static", "path": "/dev/null"},
                },
            }}}},
            "agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
        })
        with self.assertRaises(ValueError):
            git_gate_render_gitconfig(m.bottles["dev"].git, GIT_GATE_HOSTNAME)
 if __name__ == "__main__":
    unittest.main()
@@ -8,7 +8,6 @@ inspecting running bundle containers' port bindings."""
 from __future__ import annotations
 import json
 import os
 import sqlite3
 import subprocess
 import tempfile
@@ -113,16 +112,9 @@ class TestEnsurePool(unittest.TestCase):
 class TestAllocate(unittest.TestCase):
-    def test_per_bottle_alias_on_linux(self):
+    def test_returns_loopback_on_linux(self):
-        # Linux gets the same per-bottle scoping as macOS (127/8 is
+        with patch.object(loopback_alias, "_is_macos", return_value=False):
-        # already loopback, so no ifconfig is needed). A fresh host
+            self.assertEqual("127.0.0.1", loopback_alias.allocate("demo"))
        # with no running bundles allocates the first pool entry.
        with tempfile.TemporaryDirectory() as tmp:
            lock_path = Path(tmp) / "smolmachines.lock"
            with patch.object(loopback_alias, "_is_macos", return_value=False), \
                 patch.object(loopback_alias, "_ALLOC_LOCK_PATH", lock_path), \
                 patch.object(loopback_alias, "_aliases_in_use", return_value=set()):
                self.assertEqual("127.0.0.16", loopback_alias.allocate("demo"))
    def test_picks_lowest_unused_on_macos(self):
        # No bundles running -> first pool entry.
@@ -174,25 +166,12 @@ class TestAllocateLock(unittest.TestCase):
        self.assertIn(fcntl_mod.LOCK_EX, flock_calls)
-    def test_acquires_exclusive_lock_on_linux(self):
+    def test_no_lock_on_linux(self):
-        # Linux allocates per-bottle too, so it must take the same
+        # Linux early-returns before touching the lock file.
        # lock to serialise concurrent launches.
        import fcntl as fcntl_mod
        flock_calls: list[int] = []
        def record_flock(fd, op):  # type: ignore
            flock_calls.append(op)
        with tempfile.TemporaryDirectory() as tmp:
            lock_path = Path(tmp) / "smolmachines.lock"
        with patch.object(loopback_alias, "_is_macos", return_value=False), \
-                 patch.object(loopback_alias, "_ALLOC_LOCK_PATH", lock_path), \
+             patch.object(loopback_alias.fcntl, "flock") as flock:
                 patch.object(loopback_alias, "_aliases_in_use", return_value=set()), \
                 patch.object(loopback_alias.fcntl, "flock",
                              side_effect=record_flock):
            loopback_alias.allocate("demo")
-
+        flock.assert_not_called()
        self.assertIn(fcntl_mod.LOCK_EX, flock_calls)
    def test_sequential_allocations_with_shared_lock_are_serialised(self):
        # Two sequential calls share the same lock file. The second
@@ -262,12 +241,10 @@ class TestAliasInUseDetection(unittest.TestCase):
 class TestForceAllowlist(unittest.TestCase):
-    """Smolvm 0.8.0 silently drops `--allow-cidr` with `--from`, so
+    """Smolvm 0.8.0 silently drops `--allow-cidr` with `--from`,
-    `force_allowlist` opens the state DB directly and sets the row's
+    so `force_allowlist` opens the state DB directly and sets
-    `allowed_cidrs` field — on both macOS and Linux. It is
+    the row's `allowed_cidrs` field. Round-trip tests against a
-    fail-closed: it dies rather than launching a VM whose allowlist
+    real SQLite DB to lock down the BLOB encoding."""
    it can't confirm. Round-trip tests against a real SQLite DB to
    lock down the BLOB encoding."""
    def setUp(self):
        self._tmp = tempfile.TemporaryDirectory(prefix="smolvm-db.")
@@ -313,67 +290,17 @@ class TestForceAllowlist(unittest.TestCase):
        self.assertEqual(4, cfg["cpus"])
        self.assertTrue(cfg["network"])
-    def test_patches_on_linux_too(self):
+    def test_noop_on_linux(self):
        # force_allowlist no longer no-ops on Linux — the TSI
        # allowlist must be enforced there as well.
        with patch.object(loopback_alias, "_is_macos", return_value=False), \
             patch.object(loopback_alias, "_SMOLVM_DB_PATH", self.db):
            loopback_alias.force_allowlist("demo-vm", ["127.0.0.16/32"])
        # DB row should be untouched.
        con = sqlite3.connect(str(self.db))
        cfg = json.loads(con.execute(
            "SELECT data FROM vms WHERE name='demo-vm'",
        ).fetchone()[0])
        con.close()
-        self.assertEqual(["127.0.0.16/32"], cfg["allowed_cidrs"])
+        self.assertIsNone(cfg["allowed_cidrs"])
    def test_skips_write_when_already_matching(self):
        # A newer smolvm that honors --allow-cidr at create leaves the
        # row already correct; force_allowlist must not rewrite it. We
        # detect a no-write by comparing the raw BLOB byte-for-byte
        # (a rewrite re-serialises the JSON, changing key order/bytes
        # is not guaranteed, but mtime/identity isn't observable — so
        # we assert the stored bytes are exactly what we pre-seeded).
        seeded = json.dumps({
            "name": "demo-vm", "cpus": 4, "mem": 8192,
            "network": True, "allowed_cidrs": ["127.0.0.16/32"],
        }).encode()
        con = sqlite3.connect(str(self.db))
        con.execute(
            "UPDATE vms SET data=? WHERE name='demo-vm'",
            (sqlite3.Binary(seeded),),
        )
        con.commit()
        con.close()
        with patch.object(loopback_alias, "_is_macos", return_value=True), \
             patch.object(loopback_alias, "_SMOLVM_DB_PATH", self.db):
            loopback_alias.force_allowlist("demo-vm", ["127.0.0.16/32"])
        con = sqlite3.connect(str(self.db))
        stored = con.execute(
            "SELECT data FROM vms WHERE name='demo-vm'").fetchone()[0]
        con.close()
        self.assertEqual(seeded, bytes(stored))
    def test_dies_when_patch_does_not_take(self):
        # If the persisted allowlist still doesn't match after the
        # patch (e.g. wrong schema / smolvm stores it elsewhere),
        # force_allowlist must fail closed rather than boot the VM.
        original = loopback_alias._read_machine_cfg
        def stale_cfg(con, name):
            # Always report the un-patched row so the post-write
            # verification never sees the requested cidrs.
            cfg = original(con, name)
            cfg["allowed_cidrs"] = None
            return cfg
        with patch.object(loopback_alias, "_is_macos", return_value=True), \
             patch.object(loopback_alias, "_SMOLVM_DB_PATH", self.db), \
             patch.object(loopback_alias, "_read_machine_cfg", side_effect=stale_cfg), \
             patch.object(loopback_alias, "die", side_effect=SystemExit("die")):
            with self.assertRaises(SystemExit):
                loopback_alias.force_allowlist("demo-vm", ["127.0.0.16/32"])
    def test_dies_on_missing_db(self):
        with patch.object(loopback_alias, "_is_macos", return_value=True), \
@@ -396,35 +323,5 @@ class TestForceAllowlist(unittest.TestCase):
                loopback_alias.force_allowlist("not-in-db", ["127.0.0.16/32"])
 class TestSmolvmDbPath(unittest.TestCase):
    """The smolvm state-DB path is platform-derived: Application
    Support on macOS, XDG data dir on Linux."""
    def test_macos_path(self):
        with patch.object(loopback_alias.platform, "system", return_value="Darwin"):
            p = loopback_alias._smolvm_db_path()
        self.assertEqual(
            ("Library", "Application Support", "smolvm", "server", "smolvm.db"),
            p.parts[-5:],
        )
    def test_linux_default_xdg_path(self):
        env = {k: v for k, v in os.environ.items() if k != "XDG_DATA_HOME"}
        with patch.object(loopback_alias.platform, "system", return_value="Linux"), \
             patch.dict(loopback_alias.os.environ, env, clear=True):
            p = loopback_alias._smolvm_db_path()
        self.assertEqual(
            (".local", "share", "smolvm", "server", "smolvm.db"),
            p.parts[-5:],
        )
    def test_linux_respects_xdg_data_home(self):
        with patch.object(loopback_alias.platform, "system", return_value="Linux"), \
             patch.dict(loopback_alias.os.environ,
                        {"XDG_DATA_HOME": "/custom/data"}, clear=False):
            p = loopback_alias._smolvm_db_path()
        self.assertEqual(Path("/custom/data/smolvm/server/smolvm.db"), p)
 if __name__ == "__main__":
    unittest.main()
@@ -130,6 +130,7 @@ def _plan(
        supervise_plan = SupervisePlan(
            slug="demo-abc12",
            queue_dir=Path("/tmp/queue"),
            current_config_dir=Path("/tmp/current-config"),
        )
    return SmolmachinesBottlePlan(
        spec=spec,
@@ -56,14 +56,9 @@ class TestBundleSubnet(unittest.TestCase):
 class TestPreflight(unittest.TestCase):
    def test_smolvm_present_returns_none(self):
        # Pin macOS so the Linux KVM gate doesn't fire on a CI runner
        # (ubuntu, no /dev/kvm) — this test isolates the PATH check.
        with patch(
            "bot_bottle.backend.smolmachines.util.shutil.which",
            return_value="/usr/local/bin/smolvm",
        ), patch(
            "bot_bottle.backend.smolmachines.util.platform.system",
            return_value="Darwin",
        ):
            self.assertIsNone(smolmachines_preflight())
@@ -93,63 +88,5 @@ class TestPreflight(unittest.TestCase):
            self.assertIn("BOT_BOTTLE_BACKEND=docker", msg)
 class TestKvmPreflight(unittest.TestCase):
    """Linux-only KVM gate: smolvm needs /dev/kvm present and
    accessible. macOS skips this entirely (Hypervisor.framework)."""
    def _run(self, *, system, exists, access):
        with patch(
            "bot_bottle.backend.smolmachines.util.shutil.which",
            return_value="/usr/bin/smolvm",
        ), patch(
            "bot_bottle.backend.smolmachines.util.platform.system",
            return_value=system,
        ), patch(
            "bot_bottle.backend.smolmachines.util.os.path.exists",
            return_value=exists,
        ), patch(
            "bot_bottle.backend.smolmachines.util.os.access",
            return_value=access,
        ):
            return smolmachines_preflight()
    def test_macos_skips_kvm_check(self):
        # Even with /dev/kvm absent, macOS must not run the gate.
        self.assertIsNone(self._run(system="Darwin", exists=False, access=False))
    def test_linux_ok_returns_none(self):
        self.assertIsNone(self._run(system="Linux", exists=True, access=True))
    def test_linux_missing_device_dies(self):
        with self.assertRaises(SystemExit):
            self._run(system="Linux", exists=False, access=False)
    def test_linux_no_access_dies(self):
        with self.assertRaises(SystemExit):
            self._run(system="Linux", exists=True, access=False)
    def test_linux_missing_device_message(self):
        import io
        import sys
        captured = io.StringIO()
        with patch.object(sys, "stderr", captured):
            with self.assertRaises(SystemExit):
                self._run(system="Linux", exists=False, access=False)
        msg = captured.getvalue()
        self.assertIn("/dev/kvm", msg)
        self.assertIn("kvm-intel", msg)
    def test_linux_no_access_message(self):
        import io
        import sys
        captured = io.StringIO()
        with patch.object(sys, "stderr", captured):
            with self.assertRaises(SystemExit):
                self._run(system="Linux", exists=True, access=False)
        msg = captured.getvalue()
        self.assertIn("kvm", msg)
        self.assertIn("group", msg)
 if __name__ == "__main__":
    unittest.main()
@@ -16,7 +16,7 @@ from bot_bottle.supervise import (
    STATUS_APPROVED,
    STATUS_MODIFIED,
    STATUS_REJECTED,
-    TOOL_EGRESS_ALLOW,
+    TOOL_CAPABILITY_BLOCK,
    TOOL_GITLEAKS_ALLOW,
    archive_proposal,
    audit_log_path,
@@ -37,9 +37,9 @@ FIXED_TS = datetime(2026, 5, 25, 12, 0, 0, tzinfo=timezone.utc)
 def _proposal(
-    tool: str = TOOL_EGRESS_ALLOW,
+    tool: str = TOOL_CAPABILITY_BLOCK,
-    proposed: str = "routes:\n  - host: example.com\n",
+    proposed: str = "FROM python:3.13\n",
-    justification: str = "need egress",
+    justification: str = "need a capability",
 ) -> Proposal:
    return Proposal.new(
        bottle_slug="dev",
@@ -57,7 +57,7 @@ class TestProposalRoundtrip(unittest.TestCase):
        self.assertTrue(p.id)
        self.assertEqual("2026-05-25T12:00:00+00:00", p.arrival_timestamp)
        self.assertEqual("dev", p.bottle_slug)
-        self.assertEqual(TOOL_EGRESS_ALLOW, p.tool)
+        self.assertEqual(TOOL_CAPABILITY_BLOCK, p.tool)
    def test_to_from_dict_roundtrip(self):
        p = _proposal()
@@ -142,14 +142,14 @@ class TestQueueIO(unittest.TestCase):
    def test_list_pending_sorted_by_arrival(self):
        # Fabricate two with explicit timestamps.
        a = Proposal.new(
-            bottle_slug="dev", tool=TOOL_EGRESS_ALLOW,
+            bottle_slug="dev", tool=TOOL_CAPABILITY_BLOCK,
-            proposed_file="routes:\n  - host: early.example.com\n", justification="early",
+            proposed_file="FROM python:3.13\n", justification="early",
            current_file_hash="x",
            now=datetime(2026, 5, 25, 10, 0, 0, tzinfo=timezone.utc),
        )
        b = Proposal.new(
-            bottle_slug="dev", tool=TOOL_EGRESS_ALLOW,
+            bottle_slug="dev", tool=TOOL_CAPABILITY_BLOCK,
-            proposed_file="routes:\n  - host: late.example.com\n", justification="late",
+            proposed_file="FROM python:3.13\n", justification="late",
            current_file_hash="x",
            now=datetime(2026, 5, 25, 14, 0, 0, tzinfo=timezone.utc),
        )
@@ -319,6 +319,7 @@ class TestToolConstants(unittest.TestCase):
        self.assertEqual(
            (
                supervise.TOOL_EGRESS_ALLOW,
                TOOL_CAPABILITY_BLOCK,
                supervise.TOOL_EGRESS_BLOCK,
                TOOL_GITLEAKS_ALLOW,
                supervise.TOOL_EGRESS_TOKEN_ALLOW,
@@ -377,16 +378,20 @@ class TestSupervisePrepare(unittest.TestCase):
        supervise.bot_bottle_root = fake_root  # type: ignore[assignment]
        return lambda: setattr(supervise, "bot_bottle_root", original)
-    def test_prepare_creates_queue(self):
+    def test_prepare_creates_queue_and_current_config(self):
        plan = _StubSupervise().prepare("dev", self.stage_dir)
        self.assertTrue(plan.queue_dir.is_dir())
        self.assertTrue(plan.current_config_dir.is_dir())
        self.assertEqual("dev", plan.slug)
        self.assertEqual("", plan.internal_network)
-    def test_prepare_does_not_create_current_config_dir(self):
+    def test_prepare_writes_no_files_to_current_config(self):
        # dockerfile_content is no longer accepted by prepare.
        # routes.yaml + allowlist live behind the
        # `list-egress-routes` MCP tool (PRD 0017 chunk 3).
        plan = _StubSupervise().prepare("dev", self.stage_dir)
-        self.assertFalse((self.stage_dir / "current-config").exists())
+        files = sorted(p.name for p in plan.current_config_dir.iterdir())
-        self.assertFalse(hasattr(plan, "current_config_dir"))
+        self.assertEqual([], files)
 if __name__ == "__main__":
@@ -18,7 +18,7 @@ from bot_bottle.supervise import (
    STATUS_APPROVED,
    STATUS_MODIFIED,
    STATUS_REJECTED,
-    TOOL_EGRESS_ALLOW,
+    TOOL_CAPABILITY_BLOCK,
    TOOL_GITLEAKS_ALLOW,
    TOOL_EGRESS_TOKEN_ALLOW,
    read_audit_entries,
@@ -30,8 +30,9 @@ from bot_bottle.supervise import (
 FIXED = datetime(2026, 5, 25, 12, 0, 0, tzinfo=timezone.utc)
-def _proposal(slug: str = "dev", tool: str = TOOL_EGRESS_ALLOW) -> Proposal:
+def _proposal(slug: str = "dev", tool: str = TOOL_CAPABILITY_BLOCK) -> Proposal:
    payloads = {
        TOOL_CAPABILITY_BLOCK: "FROM python:3.13\n",
        supervise.TOOL_EGRESS_ALLOW: "routes:\n  - host: example.com\n",
        supervise.TOOL_EGRESS_BLOCK: "routes:\n  - host: example.com\n",
        TOOL_GITLEAKS_ALLOW: "file: tests/test_fixture.py\nline: 3\n",
@@ -85,14 +86,14 @@ class TestDiscoverPending(_FakeHomeMixin, unittest.TestCase):
    def test_sorted_by_arrival_across_bottles(self):
        early = Proposal.new(
-            bottle_slug="api", tool=TOOL_EGRESS_ALLOW,
+            bottle_slug="api", tool=TOOL_CAPABILITY_BLOCK,
-            proposed_file="routes:\n  - host: early.example.com\n", justification="early",
+            proposed_file="FROM python:3.13\n", justification="early",
            current_file_hash="h",
            now=datetime(2026, 5, 25, 10, 0, 0, tzinfo=timezone.utc),
        )
        late = Proposal.new(
-            bottle_slug="dev", tool=TOOL_EGRESS_ALLOW,
+            bottle_slug="dev", tool=TOOL_CAPABILITY_BLOCK,
-            proposed_file="routes:\n  - host: late.example.com\n", justification="late",
+            proposed_file="FROM python:3.13\n", justification="late",
            current_file_hash="h",
            now=datetime(2026, 5, 25, 14, 0, 0, tzinfo=timezone.utc),
        )
@@ -121,7 +122,7 @@ class TestApproveReject(_FakeHomeMixin, unittest.TestCase):
    def tearDown(self):
        self._teardown_fake_home()
-    def _enqueue(self, tool: str = TOOL_EGRESS_ALLOW):
+    def _enqueue(self, tool: str = TOOL_CAPABILITY_BLOCK):
        p = _proposal(tool=tool)
        qdir = supervise.queue_dir_for_slug("dev")
        qdir.mkdir(parents=True, exist_ok=True)
@@ -130,29 +131,19 @@ class TestApproveReject(_FakeHomeMixin, unittest.TestCase):
    def test_approve_writes_response(self):
        qp = self._enqueue()
        with patch(
            "bot_bottle.cli.supervise.apply_routes_change",
            return_value=("routes: []\n", "routes:\n  - host: example.com\n"),
        ):
        supervise_cli.approve(qp)
-        resp = read_response(qp.queue_dir, qp.proposal.id)
+        # capability-block is archived on approve, so the response file
        # moves to processed/ before the caller can read it.
        resp = read_response(qp.queue_dir / "processed", qp.proposal.id)
        self.assertEqual(STATUS_APPROVED, resp.status)
        self.assertIsNone(resp.final_file)
    def test_approve_with_final_file_marks_modified(self):
        qp = self._enqueue()
-        with patch(
+        supervise_cli.approve(qp, final_file="FROM bookworm\n", notes="tweaked")
-            "bot_bottle.cli.supervise.apply_routes_change",
+        resp = read_response(qp.queue_dir / "processed", qp.proposal.id)
            return_value=("routes: []\n", "routes:\n  - host: edited.example.com\n"),
        ):
            supervise_cli.approve(
                qp,
                final_file="routes:\n  - host: edited.example.com\n",
                notes="tweaked",
            )
        resp = read_response(qp.queue_dir, qp.proposal.id)
        self.assertEqual(STATUS_MODIFIED, resp.status)
-        self.assertEqual("routes:\n  - host: edited.example.com\n", resp.final_file)
+        self.assertEqual("FROM bookworm\n", resp.final_file)
        self.assertEqual("tweaked", resp.notes)
    def test_reject_writes_rejection(self):
@@ -162,6 +153,11 @@ class TestApproveReject(_FakeHomeMixin, unittest.TestCase):
        self.assertEqual(STATUS_REJECTED, resp.status)
        self.assertEqual("nope", resp.notes)
    def test_no_audit_log_for_capability_block(self):
        qp = self._enqueue(tool=TOOL_CAPABILITY_BLOCK)
        supervise_cli.approve(qp)
        self.assertEqual([], read_audit_entries("egress", "dev"))
    def test_approve_egress_block_writes_audit_log(self):
        qp = self._enqueue(tool=supervise.TOOL_EGRESS_BLOCK)
        with patch(
@@ -236,6 +232,11 @@ class TestApproveReject(_FakeHomeMixin, unittest.TestCase):
        self.assertEqual(".txt", supervise_cli._suffix_for_tool(TOOL_EGRESS_TOKEN_ALLOW))
 # class TestCapabilityApplyWiring(_FakeHomeMixin, unittest.TestCase):
 #     # DISABLED — capability_apply functionality is currently commented out.
 #     pass
 class TestEditInEditor(unittest.TestCase):
    def test_runs_editor_returns_edited_content(self):
        original_editor = os.environ.get("EDITOR")
@@ -280,5 +281,10 @@ class TestEditInEditor(unittest.TestCase):
                os.environ["EDITOR"] = original_editor
 # class TestCapabilityBlockSmolmachinesGuard(_FakeHomeMixin, unittest.TestCase):
 #     # DISABLED — capability_apply functionality is currently commented out.
 #     pass
 if __name__ == "__main__":
    unittest.main()
Author	SHA1	Message	Date
didericis-claude	88f58bf4c0	merge: update tests/unit/test_supervise_server.py from issue-277-coverage-ci lint / lint (push) Failing after 1m46s Details test / unit (pull_request) Failing after 36s Details test / integration (pull_request) Successful in 16s Details	2026-06-25 14:31:36 -04:00
didericis-claude	ca0dc72b89	merge: update bot_bottle/cli/supervise.py from issue-277-coverage-ci test / unit (pull_request) Successful in 41s Details test / integration (pull_request) Successful in 16s Details lint / lint (push) Successful in 1m46s Details	2026-06-25 14:31:32 -04:00
didericis-claude	2fc99ea098	merge: update .gitignore from issue-277-coverage-ci test / unit (pull_request) Successful in 40s Details test / integration (pull_request) Successful in 15s Details	2026-06-25 14:31:29 -04:00
didericis-claude	9a9235f2af	merge: update .coveragerc from issue-277-coverage-ci	2026-06-25 14:31:27 -04:00
didericis	42f79283f0	test: fix integration coverage failures lint / lint (push) Successful in 1m50s Details test / unit (pull_request) Successful in 40s Details test / integration (pull_request) Successful in 18s Details	2026-06-25 04:39:43 -04:00
didericis	d6b9d7af3e	ci: add coverage.py reporting	2026-06-25 04:08:21 -04:00