docs(prd): add gitleaks allow supervision

Supervise gitleaks inline allow exceptions
2026-06-19 21:58:29 -04:00 · 2026-06-19 21:58:29 -04:00
9 changed files with 354 additions and 39 deletions
@@ -14,7 +14,7 @@

 ## Features

- **Per-bottle egress allowlist** — TLS-bumped HTTP/HTTPS chokepoint with a per-manifest host allowlist; per-route path/method/header `matches` filtering; outbound DLP scanning for known tokens and secrets, inbound DLP scanning for prompt-injection attempts; DoH and arbitrary hosts blocked by default.
+- **Per-bottle egress allowlist** — TLS-bumped HTTP/HTTPS chokepoint with a per-manifest host allowlist and request-body DLP scanner; DoH and arbitrary hosts blocked by default.
 - **Tokens the agent never sees** — host secrets live in a sidecar; the agent dials `http://sidecar:9099/<path>` and the proxy strips inbound `Authorization` and injects the real token before forwarding. `printenv` in the agent shows proxy URLs only.
 - **Gitleaks-scanned push (git-gate)** — `bottle.git` remotes route through a per-bottle `git daemon` that gitleaks-scans incoming refs pre-receive and forwards clean refs upstream over SSH. The agent never holds the upstream credential.
 - **Manifest-scoped skills + secrets** — each bottle declares its skills, env, git identity, remotes, and egress routes; unknown keys die at load.
@@ -106,15 +106,8 @@ egress:
  routes:
    - host: gitea.dideric.is
      auth:
-        scheme: token        # Bearer | token
+        scheme: token
        token_ref: BOT_BOTTLE_GITEA_TOKEN
-      matches:               # optional — restrict to specific paths/methods/headers
-        - paths:
-            - {type: prefix, value: /api/v1/}
-          methods: [GET, POST, PATCH, DELETE]
-      dlp:                   # optional — per-route detector overrides (default: all on)
-        outbound_detectors: [token_patterns, known_secrets]
-        inbound_detectors: false   # disable response scanning for this host
 ---

 The `gitea-dev` bottle. Provider auth via the inherited Claude route;
@@ -133,23 +126,6 @@ skills:
 You help maintain Gitea-hosted projects.
 ````

-**Egress route fields:**
-
-| Field | Required | Description |
-|---|---|---|
-| `host` | yes | Hostname to allowlist. One entry per host. |
-| `role` | no | Provider-specific role string (e.g. `claude_code_oauth`). Wires built-in auth flows; set by provider templates, not manually. |
-| `auth.scheme` | when `auth` present | `Bearer` or `token`. Injected by the proxy; the agent never sees the value. |
-| `auth.token_ref` | when `auth` present | Env-var name holding the secret on the host. |
-| `matches` | no | Array of `{paths, methods, headers}` filters. A request must match at least one entry (if any are given) to be forwarded. |
-| `matches[].paths` | no | Array of `{type, value}`. `type` is `prefix` (default), `exact`, or `regex`. |
-| `matches[].methods` | no | Array of HTTP method strings, e.g. `[GET, POST]`. |
-| `matches[].headers` | no | Array of `{name, value, type}`. `type` is `exact` (default) or `regex`. |
-| `dlp` | no | Per-route DLP overrides. Omit to use defaults (all detectors on). |
-| `dlp.outbound_detectors` | no | `false` disables outbound scanning; list restricts to named detectors (`token_patterns`, `known_secrets`). |
-| `dlp.inbound_detectors` | no | `false` disables inbound scanning; list restricts to named detectors (`naive_injection_detection`). |
-| `git.fetch` | no | `true` permits smart HTTP clone/fetch (`git-upload-pack`) for this host. Push (`git-receive-pack`) remains blocked. |
-
 More examples in `examples/`. Full design lives under `docs/prds/`; the trust-boundary rationale is in `docs/prds/0011-per-file-md-manifest.md`.

 ## Trademarks
@@ -40,6 +40,7 @@ from ..supervise import (
    STATUS_MODIFIED,
    STATUS_REJECTED,
    TOOL_CAPABILITY_BLOCK,
+    TOOL_GITLEAKS_ALLOW,
    archive_proposal,
    list_pending_proposals,
    render_diff,
@@ -115,6 +116,8 @@ def _detail_lines(
 def _suffix_for_tool(tool: str) -> str:
    if tool == TOOL_CAPABILITY_BLOCK:
        return ".dockerfile"
+    if tool == TOOL_GITLEAKS_ALLOW:
+        return ".txt"
    return ".txt"


@@ -154,7 +157,7 @@ def approve(
        qp, action=status, notes=notes,
        diff_before=diff_before, diff_after=diff_after,
    )
-    if qp.proposal.tool == TOOL_CAPABILITY_BLOCK:
+    if qp.proposal.tool in (TOOL_CAPABILITY_BLOCK, TOOL_GITLEAKS_ALLOW):
        archive_proposal(qp.queue_dir, qp.proposal.id)


@@ -170,6 +173,23 @@ def reject(qp: QueuedProposal, *, reason: str) -> None:
    _write_audit(qp, action=STATUS_REJECTED, notes=reason, diff_before="", diff_after="")


+def _approve_from_tui(
+    stdscr: "curses._CursesWindow",  # type: ignore
+    qp: QueuedProposal,
+    *,
+    final_file: str | None = None,
+    notes: str = "",
+) -> str:
+    """Approve from curses, prompting for any tool-specific audit note."""
+    if qp.proposal.tool == TOOL_GITLEAKS_ALLOW and final_file is None:
+        notes = _prompt(stdscr, "allow reason (test fixture/false positive): ")
+        if not notes:
+            return "approve aborted (empty reason)"
+    approve(qp, final_file=final_file, notes=notes)
+    verb = "modified+approved" if final_file is not None else "approved"
+    return _approval_status(qp, verb)
+
+
 def _write_audit(
    qp: QueuedProposal,
    *,
@@ -353,18 +373,22 @@ def _main_loop(stdscr: "curses._CursesWindow") -> None:  # type: ignore
            _detail_view(stdscr, qp, green_attr=green_attr)
        elif key == ord("a"):
            try:
-                approve(qp)
-                status_line = _approval_status(qp, "approved")
+                status_line = _approve_from_tui(stdscr, qp)
            except ApplyError as e:
                status_line = f"apply failed: {e}"
        elif key == ord("m"):
+            if qp.proposal.tool == TOOL_GITLEAKS_ALLOW:
+                status_line = "modify unavailable for gitleaks-allow"
+                continue
            edited = _modify(stdscr, qp)
            if edited is None:
                status_line = "modify aborted (no change)"
            else:
                try:
-                    approve(qp, final_file=edited, notes="operator modified before approving")
-                    status_line = _approval_status(qp, "modified+approved")
+                    status_line = _approve_from_tui(
+                        stdscr, qp, final_file=edited,
+                        notes="operator modified before approving",
+                    )
                except ApplyError as e:
                    status_line = f"apply failed: {e}"
        elif key == ord("r"):
@@ -462,15 +486,20 @@ def _detail_view(
            offset = max(0, len(lines) - 1)
        elif key == ord("a"):
            try:
-                approve(qp)
+                _approve_from_tui(stdscr, qp)
            except ApplyError:
                pass
            return
        elif key == ord("m"):
+            if qp.proposal.tool == TOOL_GITLEAKS_ALLOW:
+                return
            edited = _modify(stdscr, qp)
            if edited is not None:
                try:
-                    approve(qp, final_file=edited, notes="operator modified before approving")
+                    _approve_from_tui(
+                        stdscr, qp, final_file=edited,
+                        notes="operator modified before approving",
+                    )
                except ApplyError:
                    pass
            return
@@ -247,6 +247,164 @@ cat > "$refs_file"

 zero=0000000000000000000000000000000000000000

+supervise_gitleaks_allow() {
+  log_opts=$1
+  ref=$2
+  report_file=$(mktemp)
+  if ! gitleaks git \
+      --log-opts="$log_opts" \
+      --no-banner \
+      --redact \
+      --ignore-gitleaks-allow \
+      --report-format=json \
+      --report-path="$report_file" \
+      --exit-code 0 \
+      1>&2; then
+    rm -f "$report_file"
+    echo "git-gate: gitleaks inline-suppression scan failed for $ref" >&2
+    return 1
+  fi
+
+  proposal_id=$(
+    GITLEAKS_ALLOW_REF="$ref" python3 - "$report_file" <<'PY'
+import datetime
+import hashlib
+import json
+import os
+import sys
+import uuid
+from pathlib import Path
+
+report_path = Path(sys.argv[1])
+queue_dir = os.environ.get("SUPERVISE_QUEUE_DIR", "")
+slug = os.environ.get("SUPERVISE_BOTTLE_SLUG", "")
+if not queue_dir or not slug:
+    sys.exit(2)
+
+try:
+    raw = json.loads(report_path.read_text() or "[]")
+except json.JSONDecodeError:
+    sys.exit(3)
+if not isinstance(raw, list):
+    sys.exit(3)
+if not raw:
+    sys.exit(0)
+
+ref = os.environ.get("GITLEAKS_ALLOW_REF", "")
+lines = [
+    "gitleaks inline suppression requires supervisor approval",
+    f"ref: {ref}",
+    "",
+]
+for i, finding in enumerate(raw, 1):
+    if not isinstance(finding, dict):
+        continue
+    file_path = finding.get("File", "")
+    line_no = finding.get("StartLine", finding.get("Line", ""))
+    rule_id = finding.get("RuleID", "")
+    commit = finding.get("Commit", "")
+    line = finding.get("Line", "")
+    lines.extend([
+        f"finding {i}:",
+        f"  file: {file_path}",
+        f"  line: {line_no}",
+        f"  rule: {rule_id}",
+        f"  commit: {commit}",
+        f"  code: {line}",
+        "",
+    ])
+
+payload = "\n".join(lines).rstrip() + "\n"
+proposal_id = str(uuid.uuid4())
+proposal = {
+    "id": proposal_id,
+    "bottle_slug": slug,
+    "tool": "gitleaks-allow",
+    "proposed_file": payload,
+    "justification": (
+        "git-gate found gitleaks findings hidden by # gitleaks:allow; "
+        "approve only for dummy test fixtures or confirmed false positives"
+    ),
+    "arrival_timestamp": datetime.datetime.now(
+        datetime.timezone.utc
+    ).isoformat(),
+    "current_file_hash": hashlib.sha256(payload.encode("utf-8")).hexdigest(),
+}
+queue = Path(queue_dir)
+queue.mkdir(parents=True, exist_ok=True)
+path = queue / f"{proposal_id}.proposal.json"
+tmp = path.with_suffix(path.suffix + ".tmp")
+with tmp.open("w", encoding="utf-8") as f:
+    json.dump(proposal, f, indent=2)
+    f.write("\n")
+os.chmod(tmp, 0o600)
+os.replace(tmp, path)
+print(proposal_id)
+PY
+  )
+  rc=$?
+  rm -f "$report_file"
+  if [ "$rc" -eq 0 ] && [ -z "$proposal_id" ]; then
+    return 0
+  fi
+  if [ "$rc" -ne 0 ]; then
+    echo "git-gate: cannot route # gitleaks:allow finding to supervisor; refusing push" >&2
+    return 1
+  fi
+
+  queue_dir=${SUPERVISE_QUEUE_DIR:-}
+  response_file="$queue_dir/${proposal_id}.response.json"
+  timeout=${SUPERVISE_GITLEAKS_ALLOW_TIMEOUT_SECONDS:-300}
+  case "$timeout" in
+    ''|*[!0-9]*)
+      echo "git-gate: invalid SUPERVISE_GITLEAKS_ALLOW_TIMEOUT_SECONDS=$timeout" >&2
+      return 1
+      ;;
+  esac
+  echo "git-gate: queued # gitleaks:allow supervisor approval $proposal_id" >&2
+  echo "git-gate: approve with './cli.py supervise' to continue this push" >&2
+  waited=0
+  while [ "$waited" -lt "$timeout" ]; do
+    if [ -f "$response_file" ]; then
+      status=$(python3 - "$response_file" <<'PY'
+import json
+import sys
+try:
+    with open(sys.argv[1], encoding="utf-8") as f:
+        raw = json.load(f)
+except (OSError, json.JSONDecodeError):
+    sys.exit(1)
+status = raw.get("status")
+if not isinstance(status, str):
+    sys.exit(1)
+print(status)
+PY
+      ) || status=""
+      case "$status" in
+        approved|modified)
+          mkdir -p "$queue_dir/processed"
+          mv -f "$queue_dir/${proposal_id}.proposal.json" "$queue_dir/processed/" 2>/dev/null || true
+          mv -f "$queue_dir/${proposal_id}.response.json" "$queue_dir/processed/" 2>/dev/null || true
+          echo "git-gate: supervisor approved # gitleaks:allow for $ref" >&2
+          return 0
+          ;;
+        rejected)
+          echo "git-gate: supervisor rejected # gitleaks:allow for $ref" >&2
+          return 1
+          ;;
+        *)
+          echo "git-gate: invalid supervisor response for # gitleaks:allow" >&2
+          return 1
+          ;;
+      esac
+    fi
+    sleep 1
+    waited=$((waited + 1))
+  done
+  echo "git-gate: supervisor approval timed out for # gitleaks:allow; refusing push" >&2
+  return 1
+}
+
 # Phase 1: gitleaks scan each ref's incoming commits.
 while IFS=' ' read -r old new ref; do
  [ -z "$ref" ] && continue
@@ -268,6 +426,9 @@ while IFS=' ' read -r old new ref; do
    echo "git-gate: gitleaks rejected push to $ref" >&2
    exit 1
  fi
+  if ! supervise_gitleaks_allow "$log_opts" "$ref"; then
+    exit 1
+  fi
 done < "$refs_file"

 # Phase 2: forward each ref to the upstream (`origin`, configured
@@ -49,9 +49,11 @@ SUPERVISE_HOSTNAME = "supervise"
 SUPERVISE_PORT = 9100

 TOOL_CAPABILITY_BLOCK = "capability-block"
+TOOL_GITLEAKS_ALLOW = "gitleaks-allow"
 TOOL_LIST_EGRESS_ROUTES = "list-egress-routes"
 TOOLS: tuple[str, ...] = (
    TOOL_CAPABILITY_BLOCK,
+    TOOL_GITLEAKS_ALLOW,
    TOOL_LIST_EGRESS_ROUTES,
 )

@@ -0,0 +1,101 @@
+# PRD prd-new: Gitleaks inline suppression supervision
+
+- **Status:** Active
+- **Author:** codex
+- **Created:** 2026-06-10
+- **Issue:** #208
+
+## Summary
+
+Route every `# gitleaks:allow` inline suppression through the existing
+supervisor approval queue before git-gate forwards a push upstream. The
+annotation remains available for test fixtures and confirmed false positives,
+but it no longer lets an agent silently bypass the gate's secret scan.
+
+## Problem
+
+Gitleaks supports inline suppression comments. With the default behaviour,
+a pushed line that contains a secret-like value and `# gitleaks:allow` is
+ignored by gitleaks and accepted by git-gate. That is convenient for dummy
+credentials in tests, but it also gives an agent a one-line bypass for a real
+secret. Once the commit lands, the diff alone cannot prove whether the
+suppression was legitimate.
+
+## Goals / Success Criteria
+
+1. Git-gate continues to run the normal gitleaks scan for every incoming ref.
+2. After the normal scan passes, git-gate runs a second scan with
+   `--ignore-gitleaks-allow` and a JSON report so suppressed findings become
+   visible.
+3. If that second scan reports no suppressed findings, the push proceeds
+   unchanged.
+4. If it reports suppressed findings, git-gate creates a `gitleaks-allow`
+   supervisor proposal containing the ref, file path, line number, rule,
+   commit, and flagged line for each finding.
+5. The push proceeds only when the supervisor explicitly approves the
+   proposal; rejection, malformed responses, missing supervisor configuration,
+   and timeout all refuse the push.
+6. The supervisor TUI requires a reason when approving a `gitleaks-allow`
+   proposal, so the audit trail records whether the approval was for a test
+   fixture or a false positive.
+
+## Non-goals
+
+- Replacing gitleaks or changing the main secret-detection rule set.
+- Removing support for `# gitleaks:allow`.
+- Automatically classifying fixture files or false positives.
+- Adding new supervisor transport or authentication mechanisms.
+
+## Design
+
+### Git-gate flow
+
+`git_gate_render_hook()` emits a `supervise_gitleaks_allow` shell helper.
+For each incoming ref, git-gate first runs the existing gitleaks command. If
+that scan passes, it runs:
+
+```sh
+gitleaks git \
+  --log-opts="$log_opts" \
+  --no-banner \
+  --redact \
+  --ignore-gitleaks-allow \
+  --report-format=json \
+  --report-path="$report_file" \
+  --exit-code 0
+```
+
+The second pass keeps the push path non-interactive while producing a report
+of findings that would otherwise have been hidden by inline suppression.
+
+### Supervisor proposal
+
+When the JSON report contains findings, an embedded Python helper writes a
+proposal into `SUPERVISE_QUEUE_DIR` using the existing proposal schema. The
+proposal uses:
+
+- `tool: "gitleaks-allow"`
+- a text payload with the ref and each finding's file, line, rule, commit,
+  and redacted code line
+- a justification that tells the operator to approve only dummy test fixtures
+  or confirmed false positives
+
+Git-gate then waits for `<proposal-id>.response.json` for
+`SUPERVISE_GITLEAKS_ALLOW_TIMEOUT_SECONDS`, defaulting to 300 seconds.
+`approved` and `modified` responses allow the push; `rejected`, invalid
+responses, invalid timeout configuration, or timeout refuse it.
+
+### Supervisor UI
+
+`TOOL_GITLEAKS_ALLOW` is added to the supervisor tool registry. The curses
+supervisor renders the proposal as text and allows approval or rejection.
+Modification is unavailable for this proposal type because there is no file
+patch to apply. Approval from the TUI prompts for a non-empty reason and
+writes that reason to the response/audit path.
+
+### Tests
+
+Unit tests assert that the rendered git-gate hook includes the second gitleaks
+pass, supervisor queue fields, and fail-closed messages. Supervisor tests cover
+the new tool constant, proposal archiving, and the required TUI approval
+reason.
@@ -5,15 +5,10 @@ agent_provider:
 egress:
  routes:
    - host: api.anthropic.com
-      role: claude_code_oauth    # wires Claude Code OAuth; do not change
+      role: claude_code_oauth
      auth:
        scheme: Bearer
        token_ref: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN
-      # dlp is omitted → all detectors on by default (token_patterns,
-      # known_secrets outbound; naive_injection_detection inbound).
-      # To disable inbound scanning for this route:
-      #   dlp:
-      #     inbound_detectors: false
 ---

 Common Claude provider boundary. Drop this file into
@@ -199,6 +199,30 @@ class TestHookRender(unittest.TestCase):
        self.assertIn('set -- "$@" --push-option="$opt"', hook)
        self.assertIn('git push "$@" origin "$refspec"', hook)

+    def test_inline_gitleaks_allow_routes_to_supervisor(self):
+        hook = git_gate_render_hook()
+        # First gitleaks runs normally; only if that passes does the
+        # hook ask gitleaks to ignore inline allow comments and report
+        # the suppressed findings for human approval.
+        self.assertIn("--ignore-gitleaks-allow", hook)
+        self.assertIn("--report-format=json", hook)
+        self.assertIn('"tool": "gitleaks-allow"', hook)
+        self.assertIn("SUPERVISE_QUEUE_DIR", hook)
+        self.assertIn("SUPERVISE_BOTTLE_SLUG", hook)
+        self.assertIn("supervisor approved # gitleaks:allow", hook)
+        self.assertIn("supervisor rejected # gitleaks:allow", hook)
+
+    def test_inline_gitleaks_allow_fails_closed_without_supervisor(self):
+        hook = git_gate_render_hook()
+        self.assertIn(
+            "cannot route # gitleaks:allow finding to supervisor; refusing push",
+            hook,
+        )
+        self.assertIn(
+            "supervisor approval timed out for # gitleaks:allow; refusing push",
+            hook,
+        )
+

 class TestAccessHookRender(unittest.TestCase):
    def test_access_hook_refreshes_origin_on_upload_pack(self):
@@ -17,6 +17,7 @@ from bot_bottle.supervise import (
    STATUS_MODIFIED,
    STATUS_REJECTED,
    TOOL_CAPABILITY_BLOCK,
+    TOOL_GITLEAKS_ALLOW,
    archive_proposal,
    audit_log_path,
    list_pending_proposals,
@@ -318,6 +319,7 @@ class TestToolConstants(unittest.TestCase):
        self.assertEqual(
            (
                TOOL_CAPABILITY_BLOCK,
+                TOOL_GITLEAKS_ALLOW,
                supervise.TOOL_LIST_EGRESS_ROUTES,
            ),
            supervise.TOOLS,
@@ -12,6 +12,7 @@ import tempfile
 import unittest
 from datetime import datetime, timezone
 from pathlib import Path
+from unittest.mock import patch

 from bot_bottle import supervise
 from bot_bottle.cli import supervise as supervise_cli
@@ -21,6 +22,7 @@ from bot_bottle.supervise import (
    STATUS_MODIFIED,
    STATUS_REJECTED,
    TOOL_CAPABILITY_BLOCK,
+    TOOL_GITLEAKS_ALLOW,
    read_audit_entries,
    read_response,
    sha256_hex,
@@ -33,6 +35,7 @@ FIXED = datetime(2026, 5, 25, 12, 0, 0, tzinfo=timezone.utc)
 def _proposal(slug: str = "dev", tool: str = TOOL_CAPABILITY_BLOCK) -> Proposal:
    payloads = {
        TOOL_CAPABILITY_BLOCK: "FROM python:3.13\n",
+        TOOL_GITLEAKS_ALLOW: "file: tests/test_fixture.py\nline: 3\n",
    }
    payload = payloads.get(tool, "")
    return Proposal.new(
@@ -154,6 +157,28 @@ class TestApproveReject(_FakeHomeMixin, unittest.TestCase):
        supervise_cli.approve(qp)
        self.assertEqual([], read_audit_entries("egress", "dev"))

+    def test_approve_archives_gitleaks_allow(self):
+        qp = self._enqueue(tool=TOOL_GITLEAKS_ALLOW)
+        supervise_cli.approve(qp, notes="dummy fixture")
+        resp = read_response(qp.queue_dir / "processed", qp.proposal.id)
+        self.assertEqual(STATUS_APPROVED, resp.status)
+        self.assertEqual("dummy fixture", resp.notes)
+
+    def test_tui_gitleaks_allow_requires_reason(self):
+        qp = self._enqueue(tool=TOOL_GITLEAKS_ALLOW)
+        with patch.object(supervise_cli, "_prompt", return_value=""):
+            status = supervise_cli._approve_from_tui(None, qp)  # type: ignore[arg-type]
+        self.assertEqual("approve aborted (empty reason)", status)
+        self.assertFalse((qp.queue_dir / "processed").exists())
+
+    def test_tui_gitleaks_allow_writes_reason(self):
+        qp = self._enqueue(tool=TOOL_GITLEAKS_ALLOW)
+        with patch.object(supervise_cli, "_prompt", return_value="test fixture"):
+            status = supervise_cli._approve_from_tui(None, qp)  # type: ignore[arg-type]
+        self.assertIn("approved gitleaks-allow", status)
+        resp = read_response(qp.queue_dir / "processed", qp.proposal.id)
+        self.assertEqual("test fixture", resp.notes)
+

 # class TestCapabilityApplyWiring(_FakeHomeMixin, unittest.TestCase):
 #     # DISABLED — capability_apply functionality is currently commented out.
Author	SHA1	Message	Date
didericis-codex	842caf40fe	docs(prd): add gitleaks allow supervision lint / lint (push) Successful in 1m35s Details test / unit (pull_request) Successful in 29s Details test / integration (pull_request) Successful in 16s Details	2026-06-19 21:58:29 -04:00
didericis-codex	4f58c57e70	Supervise gitleaks inline allow exceptions	2026-06-19 21:58:29 -04:00