test(sidecars): integration sweep for the bundle path (PRD 0024 chunk 4) #58

Merged
didericis merged 1 commit from prd-0024-chunk-4-integration-tests into main 2026-05-27 01:18:51 -04:00
Owner

Summary

PRD 0024 chunk 4: integration test sweep for the bundle path. Three deliverables.

1. test_pipelock_apply.py un-skipped

Replaced the .start-based bringup (deleted in chunk 3) with a direct docker run sequence that mirrors what the production renderer does — docker create on the internal network → bind-mount yaml + CAs → connect egress network → docker start. Critically: stages the yaml + CAs to the real pipelock_state_dir(slug) rather than a private tempdir, so the bind-mount source and the apply_allowlist_change write target are the same file (otherwise the hot-reload writes to a nowhere-mounted host path and the container never sees the update).

All 4 cases passing locally.

2. New bundle-path smoke

tests/integration/test_sidecar_bundle_compose.py brings up a real bottle with CLAUDE_BOTTLE_SIDECAR_BUNDLE=1 and verifies the agent reaches pipelock + supervise via the bundle's legacy network aliases — proving no agent-side config changes are needed between flag positions. Skipped under act_runner like other multi-stage-build tests.

3. Two bundle bugs found + fixed running PRD 0022 with the flag on

  • egress_entrypoint.sh now passes --set confdir=/home/mitmproxy/.mitmproxy to mitmdump. The legacy Dockerfile.egress runs as user mitmproxy (so ~/.mitmproxy/ resolves correctly); the bundle runs as root, where ~/.mitmproxy/ is /root/.mitmproxy/ — the bind-mounted CA at /home/mitmproxy/.mitmproxy/mitmproxy-ca.pem would be invisible to mitmdump, which would then mint a fresh CA the agent's installed trust anchor doesn't recognize. Symptom: curl: (60) SSL certificate problem: unable to get local issuer certificate.

  • sidecar_init.py now passes --listen 0.0.0.0:8888 to pipelock. Without it pipelock defaults to 127.0.0.1, so the in-bundle egress's upstream connect to claude-bottle-pipelock-<slug> (which DNS-resolves to the bundle on the docker network, not localhost) gets refused. The legacy renderer passed this flag verbatim; the bundle's argv had dropped it. Symptom: HTTP 502 with Connect call failed ('172.x.x.x', 8888).

PRD 0022's 5-attack sandbox-escape suite now passes with the flag on AND off.

Test status

  • Unit: 533 passing.
  • Integration: 9 passing locally with flag off (test_pipelock_apply included), 5 passing with flag on (test_sandbox_escape full suite).

Remaining for chunk 5

Flip the default, delete the flag, delete Dockerfile.{egress,git-gate,supervise}, update README + CLAUDE.md.

didericis added 1 commit 2026-05-27 01:15:33 -04:00
test(sidecars): integration sweep for the bundle path (PRD 0024 chunk 4)
test / unit (pull_request) Successful in 20s
test / integration (pull_request) Successful in 40s
2287b0dd08
Three deliverables:

1. Rewrite test_pipelock_apply bringup with a direct `docker run`.
   Replaces the .start-based bringup deleted in chunk 3. Stages
   the yaml + CAs to the real pipelock_state_dir so the bind-
   mount target matches what apply_allowlist_change writes to —
   the legacy .start path did this implicitly because it lived
   inside the production flow; the new bringup needs to be
   explicit about the path. All 4 cases pass.

2. New tests/integration/test_sidecar_bundle_compose.py: end-
   to-end smoke with CLAUDE_BOTTLE_SIDECAR_BUNDLE=1. Brings up
   a real bottle via the compose path and verifies the agent
   can reach pipelock + supervise through the bundle's legacy
   aliases (no agent-side config changes between flag positions).
   Skipped under act_runner — multi-stage build + bind mounts.

3. Two bundle-path bugs surfaced and fixed while running PRD
   0022 with the flag on:

   - egress_entrypoint.sh: add `--set confdir=/home/mitmproxy/
     .mitmproxy` so mitmdump finds the bind-mounted CA. The
     legacy Dockerfile.egress runs as user mitmproxy (~mitmproxy
     resolves correctly); the bundle runs as root and otherwise
     would look in /root/.mitmproxy/ and mint a NEW CA the agent
     doesn't trust. Symptom: PRD 0022 attack-3 curl failed with
     "unable to get local issuer certificate".

   - sidecar_init.py: add `--listen 0.0.0.0:8888` to pipelock's
     argv. Without it pipelock defaults to 127.0.0.1, so the
     in-bundle egress's upstream connect to the
     `claude-bottle-pipelock-<slug>` alias arrives over the
     docker network and gets refused. The legacy renderer
     passed this flag verbatim; the bundle dropped it. Symptom:
     egress returned HTTP 502 with "Connect call failed
     ('172.x.x.x', 8888)".

   PRD 0022's 5-attack sandbox-escape suite now passes with the
   bundle flag on AND off.

Test status:
- Unit: 533 passing.
- Integration: 9 passing locally with flag off, 5 passing with
  flag on. Bundle compose smoke + PRD 0022 sandbox-escape both
  green under CLAUDE_BOTTLE_SIDECAR_BUNDLE=1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
didericis merged commit 9348d4b343 into main 2026-05-27 01:18:51 -04:00
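
A preflight check for the two argv regressions described in this PR, as an added example that is not code from the PR or the project: it resolves where mitmdump will look for its CA for a given `$HOME` and whether pipelock's listen host is loopback-only. The function names and the argv lists are assumptions; only `--set confdir=...`, `--listen HOST:PORT`, the CA path and the 127.0.0.1 default come from the text above.

```python
import ipaddress
import posixpath

CA_NAME = "mitmproxy-ca.pem"           # CA file name from the PR text
MITM_DEFAULT_CONFDIR = "~/.mitmproxy"  # mitmproxy's default confdir

def mitm_confdir(argv, home):
    """Directory mitmdump reads its CA from, given its argv and $HOME."""
    confdir = MITM_DEFAULT_CONFDIR
    for flag, value in zip(argv, argv[1:]):
        if flag == "--set" and value.startswith("confdir="):
            confdir = value.split("=", 1)[1]
    if confdir == "~" or confdir.startswith("~/"):
        confdir = home + confdir[1:]  # "~" follows the running user
    return posixpath.normpath(confdir)

def pipelock_listen_host(argv):
    """Host part of --listen HOST:PORT; loopback default (per the PR) if absent."""
    host = "127.0.0.1"
    for flag, value in zip(argv, argv[1:]):
        if flag == "--listen":
            host = value.rsplit(":", 1)[0].strip("[]")
    return host

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def preflight(mitm_argv, pipelock_argv, home, mounted_ca):
    """Return findings for the two regressions; an empty list means OK."""
    findings = []
    expected = posixpath.join(mitm_confdir(mitm_argv, home), CA_NAME)
    if posixpath.normpath(mounted_ca) != expected:
        findings.append(f"CA mounted at {mounted_ca} but mitmdump reads "
                        f"{expected}: it will mint a CA the agent does not trust")
    host = pipelock_listen_host(pipelock_argv)
    if is_loopback(host):
        findings.append(f"pipelock listens on {host}: connects arriving over "
                        "the docker network are refused")
    return findings

# Constructed argv lists; only the flags quoted in the PR are real.
MOUNTED_CA = "/home/mitmproxy/.mitmproxy/mitmproxy-ca.pem"
BEFORE = preflight(["mitmdump"], ["pipelock"], "/root", MOUNTED_CA)
AFTER = preflight(["mitmdump", "--set", "confdir=/home/mitmproxy/.mitmproxy"],
                  ["pipelock", "--listen", "0.0.0.0:8888"], "/root", MOUNTED_CA)
```

`BEFORE` models the bundle running as root with both flags missing and yields two findings; `AFTER` models the fixed argv and yields none.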