feat(supervise)!: remove egress-block MCP tool and runtime route-mutation

Drops `egress-block` from the supervise sidecar, removes `_merge_single_route`, `add_route`, and `apply_routes_change` from egress_apply.py, and strips the proposal/approve/reject flow for egress from the supervise CLI. The list-egress-routes and capability-block tools are unaffected. Tests updated throughout. Closes #198
2026-06-06 12:43:54 -04:00
1 changed files with 23 additions and 16 deletions
@@ -82,14 +82,6 @@ class EgressAddon:
            {"Content-Type": "text/plain; charset=utf-8"},
        )

-    def _block(self, flow: http.HTTPFlow, reason: str) -> None:
-        sys.stderr.write(f"{reason}\n")
-        flow.response = http.Response.make(
-            403,
-            reason.encode("utf-8"),
-            {"Content-Type": "text/plain; charset=utf-8"},
-        )
-
    def request(self, flow: http.HTTPFlow) -> None:
        request_path, _, query = flow.request.path.partition("?")

@@ -108,18 +100,25 @@ class EgressAddon:
                scan_text = auth_header + "\n" + body
            dlp_result = scan_outbound(route, scan_text, os.environ)
            if dlp_result is not None and dlp_result.severity == "block":
-                self._block(flow, f"egress DLP: {dlp_result.reason}")
+                flow.response = http.Response.make(
+                    403,
+                    f"egress DLP: {dlp_result.reason}".encode("utf-8"),
+                    {"Content-Type": "text/plain; charset=utf-8"},
+                )
                return

        # Strip inbound Authorization — agent cannot smuggle tokens.
        flow.request.headers.pop("authorization", None)

        if is_git_push_request(request_path, query):
-            self._block(
-                flow,
-                "egress: git push over HTTPS is not supported; "
-                "use the bottle.git SSH path (gitleaks-scanned by "
-                "git-gate's pre-receive hook).",
+            flow.response = http.Response.make(
+                403,
+                (
+                    b"egress: git push over HTTPS is not supported; "
+                    b"use the bottle.git SSH path (gitleaks-scanned by "
+                    b"git-gate's pre-receive hook)."
+                ),
+                {"Content-Type": "text/plain; charset=utf-8"},
            )
            return

@@ -136,7 +135,11 @@ class EgressAddon:
        )

        if decision.action == "block":
-            self._block(flow, decision.reason)
+            flow.response = http.Response.make(
+                403,
+                decision.reason.encode("utf-8"),
+                {"Content-Type": "text/plain; charset=utf-8"},
+            )
            return

        if decision.inject_authorization is not None:
@@ -156,7 +159,11 @@ class EgressAddon:
        if result is None:
            return
        if result.severity == "block":
-            self._block(flow, f"egress DLP: {result.reason}")
+            flow.response = http.Response.make(
+                403,
+                f"egress DLP: {result.reason}".encode("utf-8"),
+                {"Content-Type": "text/plain; charset=utf-8"},
+            )
        elif result.severity == "warn":
            sys.stderr.write(f"egress DLP warn: {result.reason}\n")