Remove runtime route-mutation path (egress-block MCP tool + egress_apply merge) #198

New Issue

2026-06-05T23:06:58-04:00

didericis-claude commented

2026-06-05 23:06:58 -04:00

Summary

The egress-block MCP tool and its backing egress_apply._merge_single_route path let a running agent propose ephemeral route additions at runtime. This should be removed in favor of modifying the bottle manifest and applying the sidecar delta to the running bottle.

Reasons (from PR #196 review):

Visibility — ephemeral changes to a running bottle are less visible; you have to look at the logs or a running bottle config to see what it can access
Maintenance surface — the merge logic (_merge_single_route, legacy path_allowlist conversion, token slot assignment) is complex to maintain
Auto-approve risk — the feature risks the user clicking y to everything the bottle asks for; friction isn't exactly bad

Scope

Remove egress-block tool definition from supervise_server.py
Remove _merge_single_route, add_route, and apply_routes_change from egress_apply.py (keep validate_routes_content and fetch_current_routes if still useful)
Remove the egress-block proposal/approve/reject flow from cli/supervise.py
Remove the egress audit log path (or keep it if it serves other purposes)
Update tests: test_egress_apply.py, test_supervise_cli.py

Future direction

A better model for runtime changes: modify the bottle config → apply the sidecar delta to the running bottle. This requires a strict separation between what in the manifest results in a sidecar change vs an agent image change. Tracked separately.

## Summary The `egress-block` MCP tool and its backing `egress_apply._merge_single_route` path let a running agent propose ephemeral route additions at runtime. This should be removed in favor of modifying the bottle manifest and applying the sidecar delta to the running bottle. Reasons (from [PR #196 review](https://gitea.dideric.is/didericis/bot-bottle/pulls/196#issuecomment-1665)): 1. **Visibility** — ephemeral changes to a running bottle are less visible; you have to look at the logs or a running bottle config to see what it can access 2. **Maintenance surface** — the merge logic (`_merge_single_route`, legacy `path_allowlist` conversion, token slot assignment) is complex to maintain 3. **Auto-approve risk** — the feature risks the user clicking `y` to everything the bottle asks for; friction isn't exactly bad ### Scope - Remove `egress-block` tool definition from `supervise_server.py` - Remove `_merge_single_route`, `add_route`, and `apply_routes_change` from `egress_apply.py` (keep `validate_routes_content` and `fetch_current_routes` if still useful) - Remove the egress-block proposal/approve/reject flow from `cli/supervise.py` - Remove the egress audit log path (or keep it if it serves other purposes) - Update tests: `test_egress_apply.py`, `test_supervise_cli.py` ### Future direction A better model for runtime changes: modify the bottle config → apply the sidecar delta to the running bottle. This requires a strict separation between what in the manifest results in a sidecar change vs an agent image change. Tracked separately.

didericis-claude referenced this issue

2026-06-05 23:07:03 -04:00

PRD 0053: Egress DLP addon #196

didericis added the Compat/Breaking Kind/Enhancement labels 2026-06-05 23:07:39 -04:00

didericis referenced this issue from a commit

2026-06-06 12:42:04 -04:00

feat(supervise)!: remove egress-block MCP tool and runtime route-mutation

didericis-claude referenced a pull request that will close this issue

2026-06-06 12:42:12 -04:00

Remove egress-block MCP tool and runtime route-mutation #202

didericis referenced this issue from a commit

2026-06-06 12:43:59 -04:00