Require the per-bottle identity token at /resolve (retire source-IP-only attribution) #366
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Context
The consolidated gateway (PRD 0070) attributes each request to a bottle by source IP, with a per-bottle identity token as application-layer defense-in-depth. Today that token is optional:
PolicyResolver.resolve/resolve_bottle_idacceptidentity_token="", andPOST /resolvefalls back to source-IP-only attribution when it's absent (see the transitional notes inbot_bottle/policy_resolver.pyandgit_http_backend.resolve_sandbox_root).This issue tracks flipping the token to mandatory in the consolidated end state.
Why it's optional now
Identity-token delivery is still a PRD 0070 open question — "exactly how the per-bottle token is placed where the agent can present it but not swap in another bottle's." Until that mechanism exists, the agent has no token to send, so requiring it would make consolidated mode dead-on-arrival. Source-IP-only is the transitional bridge:
/31point-to-point TAP +bot_bottle_fcnft table make the source IP unforgeable), so the token is belt-and-suspenders there.Why require it (the end state)
Defense-in-depth only counts if it's enforced. Leaving the token optional means a misconfigured
/31+nft (or a weaker backend) silently degrades to "source IP is the sole attributor" with no second factor. Requiring it keeps the app-layer proof always-on and fail-closed.The change
POST /resolve(orchestrator/control_plane.py): reject an emptyidentity_token— return403(unattributed), same fail-closed path as an unknown IP. Remove the source-IP-only branch.PolicyResolver: drop theidentity_token=""default so callers must pass one; keep the403 -> Nonecontract.egress_addon,git_http_backend): already read the agent-injectedx-bot-bottle-identityheader — ensure they always forward it and that a missing token denies.Dependency / sequencing
Blocked on the identity-token delivery mechanism (how the agent obtains + presents an unforgeable, non-cross-leakable per-bottle token). Do this with the launch-integration slice that wires delivery — enforcing it standalone before delivery exists just breaks the consolidated path.
References