fix(start): show bottle lineage root-first with -> arrows

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test: fix cli selector typing
2026-06-25 16:07:18 -04:00 · 2026-06-25 16:07:18 -04:00 · 2026-06-25 16:07:18 -04:00 · 2026-06-25 16:07:18 -04:00 · 2026-06-25 16:07:18 -04:00 · 2026-06-25 16:07:18 -04:00
3 changed files with 95 additions and 32 deletions
@@ -6,8 +6,8 @@

 [![test](https://gitea.dideric.is/didericis/bot-bottle/actions/workflows/test.yml/badge.svg?branch=main)](https://gitea.dideric.is/didericis/bot-bottle/actions?workflow=test.yml)
 [![pylint](https://img.shields.io/badge/pylint-9.93%2F10-brightgreen)](https://github.com/PyCQA/pylint)
-[![pyright](https://img.shields.io/badge/pyright-0%20errors-brightgreen)](https://github.com/microsoft/pyright)
-[![coverage](https://img.shields.io/badge/coverage-79%25-brightgreen)](https://coverage.readthedocs.io/)
+[![pyright](https://img.shields.io/badge/pyright-1%20errors-brightgreen)](https://github.com/microsoft/pyright)
+[![coverage](https://img.shields.io/badge/coverage-unknown-lightgrey)](https://coverage.readthedocs.io/)

 **Problem:** Developer wants to run a coding agent without supervision, but they don't want a prompt injected or misbehaving agent wrecking their environment or exfiltrating sensitive data.

@@ -1,4 +1,4 @@
-# PRD 0066: Separate agent and bottle selection
+# PRD prd-new: Separate agent and bottle selection

 - **Status:** Active
 - **Author:** claude
@@ -24,36 +24,61 @@ from bot_bottle.dlp_detectors import (
 )


-# (case id, sample body carrying the token, substring expected in the reason).
-# One row per known token shape; all are block-severity credential matches.
-# `# gitleaks:allow` marks the synthetic tokens so a source scan won't flag them.
-_TOKEN_PATTERN_CASES: list[tuple[str, str, str]] = [
-    ("aws_access_key", "key=AKIAIOSFODNN7EXAMPLE", "AWS access key"),
-    ("github_classic", "token: ghp_" + "A" * 36, "GitHub token"),  # gitleaks:allow
-    ("github_fine_grained", "pat=github_pat_" + "A" * 82, "fine-grained"),  # gitleaks:allow
-    ("anthropic", "auth: sk-ant-" + "A" * 93, "Anthropic"),  # gitleaks:allow
-    ("openai", "key=sk-" + "A" * 48, "OpenAI"),  # gitleaks:allow
-    ("stripe_live", "stripe: sk_live_" + "A" * 24, "Stripe"),  # gitleaks:allow
-    ("bearer_jwt", "Authorization: Bearer " + "A" * 60, "Bearer JWT"),  # gitleaks:allow
-    ("openai_project", "key=sk-proj-" + "A" * 48, "OpenAI project"),  # gitleaks:allow
-    ("huggingface", "token=hf_" + "A" * 34, "HuggingFace"),  # gitleaks:allow
-    ("databricks", "dapi" + "a" * 32, "Databricks"),  # gitleaks:allow
-    ("slack_bot", "xoxb-00000000000-00000000000-" + "A" * 24, "Slack"),  # gitleaks:allow
-    ("npm", "npm_" + "A" * 36, "npm"),  # gitleaks:allow
-    ("sendgrid", "SG." + "A" * 22 + "." + "B" * 43, "SendGrid"),  # gitleaks:allow
-    ("pypi", "pypi-" + "A" * 80, "PyPI"),  # gitleaks:allow
-    ("vault", "hvs." + "A" * 24, "Vault"),  # gitleaks:allow
-]
-
-
 class TestScanTokenPatterns(unittest.TestCase):
-    def test_detects_each_token_pattern(self):
-        for case_id, sample, expected in _TOKEN_PATTERN_CASES:
-            with self.subTest(case_id):
-                result = scan_token_patterns(sample)
-                assert result is not None
-                self.assertEqual("block", result.severity)
-                self.assertIn(expected, result.reason)
+    def test_aws_access_key(self):
+        result = scan_token_patterns("key=AKIAIOSFODNN7EXAMPLE")
+        assert result is not None
+        self.assertEqual("block", result.severity)
+        self.assertIn("AWS access key", result.reason)
+
+    def test_github_classic_token(self):
+        result = scan_token_patterns(
+            "token: ghp_" + "A" * 36,
+        )
+        assert result is not None
+        self.assertIn("GitHub token", result.reason)
+
+    def test_github_fine_grained_token(self):
+        result = scan_token_patterns(
+            "pat=github_pat_" + "A" * 82,
+        )
+        assert result is not None
+        self.assertIn("fine-grained", result.reason)
+
+    def test_anthropic_api_key(self):
+        result = scan_token_patterns(
+            "auth: sk-ant-" + "A" * 93,
+        )
+        assert result is not None
+        self.assertIn("Anthropic", result.reason)
+
+    def test_openai_api_key(self):
+        result = scan_token_patterns(
+            "key=sk-" + "A" * 48,
+        )
+        assert result is not None
+        self.assertIn("OpenAI", result.reason)
+
+    def test_stripe_live_key(self):
+        result = scan_token_patterns(
+            "stripe: sk_live_" + "A" * 24,
+        )
+        assert result is not None
+        self.assertIn("Stripe", result.reason)
+
+    def test_bearer_jwt(self):
+        result = scan_token_patterns(
+            "Authorization: Bearer " + "A" * 60,
+        )
+        assert result is not None
+        self.assertIn("Bearer JWT", result.reason)
+
+    def test_openai_project_key(self):
+        result = scan_token_patterns(
+            "key=sk-proj-" + "A" * 48,
+        )
+        assert result is not None
+        self.assertIn("OpenAI project", result.reason)

    def test_clean_text_returns_none(self):
        self.assertIsNone(scan_token_patterns("hello world"))
@@ -282,6 +307,44 @@ class TestEncodedVariants(unittest.TestCase):
        self.assertEqual(len(v), len(set(v)))


+class TestScanTokenPatternsExtended(unittest.TestCase):
+    def test_huggingface_token(self):
+        result = scan_token_patterns("token=hf_" + "A" * 34)  # gitleaks:allow
+        assert result is not None
+        self.assertIn("HuggingFace", result.reason)
+
+    def test_databricks_token(self):
+        result = scan_token_patterns("dapi" + "a" * 32)  # gitleaks:allow
+        assert result is not None
+        self.assertIn("Databricks", result.reason)
+
+    def test_slack_bot_token(self):
+        # Use all-zero numeric segments to keep entropy low
+        result = scan_token_patterns("xoxb-00000000000-00000000000-" + "A" * 24)  # gitleaks:allow
+        assert result is not None
+        self.assertIn("Slack", result.reason)
+
+    def test_npm_token(self):
+        result = scan_token_patterns("npm_" + "A" * 36)  # gitleaks:allow
+        assert result is not None
+        self.assertIn("npm", result.reason)
+
+    def test_sendgrid_key(self):
+        result = scan_token_patterns("SG." + "A" * 22 + "." + "B" * 43)  # gitleaks:allow
+        assert result is not None
+        self.assertIn("SendGrid", result.reason)
+
+    def test_pypi_token(self):
+        result = scan_token_patterns("pypi-" + "A" * 80)  # gitleaks:allow
+        assert result is not None
+        self.assertIn("PyPI", result.reason)
+
+    def test_vault_token(self):
+        result = scan_token_patterns("hvs." + "A" * 24)  # gitleaks:allow
+        assert result is not None
+        self.assertIn("Vault", result.reason)
+
+
 class TestUnicodeNormalization(unittest.TestCase):
    def test_fullwidth_chars_normalized(self):
        # Fullwidth ASCII chars (U+FF21..U+FF3A) should map to ASCII
Author	SHA1	Message	Date
didericis	afa8cd5dd9	fix(start): show bottle lineage root-first with -> arrows lint / lint (push) Successful in 1m51s Details test / unit (pull_request) Successful in 45s Details test / integration (pull_request) Successful in 18s Details Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-25 16:07:18 -04:00
didericis-codex	ced050b181	test: fix cli selector typing	2026-06-25 16:07:18 -04:00
didericis-claude	46f5de6619	feat(tui,start): space/enter split, bottle lineage, YAML preflight Three UX improvements requested in #270 review: - filter_multiselect: Space toggles selection, Enter confirms (was both) - bottle picker: bottles with extends chains show ancestry labels (e.g. 'claude-dev <- bot-bottle-dev <- dev') for at-a-glance lineage - preflight: replaces key-value summary with YAML of the resolved manifest	2026-06-25 16:07:18 -04:00
didericis-claude	500122711f	fix(types): resolve pyright errors introduced in #269 changes - manifest.py: remove unused load_bottle_chain_from_dir import - manifest_extends.py: drop redundant ManifestEgressRoute annotation - test_cli_start_selector.py: remove unused call import - test_cli_tui.py: move Optional/constants to top, annotate FakeScreen, remove unused curses import - test_manifest_bottle_merge.py: add type args to dict, annotate **kwargs	2026-06-25 16:07:18 -04:00
didericis-claude	b00a83ae0d	feat(tui): add reordering to filter_multiselect Tab switches focus to the selected-order panel; K/J shift the highlighted item up/down; Space/Enter removes it. The filter list dims while the order panel is active. Help line updates per focus mode.	2026-06-25 16:07:18 -04:00
didericis-claude	52bac82013	docs(prd): activate PRD for separate agent/bottle selection	2026-06-25 16:07:18 -04:00
didericis-claude	2323a9ae83	feat(#269 ): separate agent and bottle selection at launch time - `bottle:` in agent frontmatter is now optional; agents without it are portable and require bottles to be selected at launch. - Adds `filter_multiselect` to `tui.py`: multi-select picker with ordered selection list, Space/Enter to toggle, Ctrl-D to confirm. - `ManifestIndex` gains `all_bottle_names` and `load_for_agent` accepts `bottle_names: tuple[str, ...]` to merge bottles in order at runtime. - `merge_bottles_runtime` in `manifest_extends.py` applies the same field-merge rules as `extends:` to pre-resolved bottle objects. - `BottleSpec` gains `bottle_names`; `_validate` and `write_launch_metadata` thread it through so `resume` replays the same bottle configuration. - `cmd_start` shows the bottle multiselect after agent selection, pre-populated from the agent's `bottle:` field when present. - Existing agents with `bottle:` declared continue to work unchanged.	2026-06-25 16:07:18 -04:00
didericis-claude	c60993181a	docs(prd): draft PRD for separate agent/bottle selection Closes #269.	2026-06-25 16:07:18 -04:00