PRD 0031: Provisioned-wins merge + EgressRoute inherits Route #121

Merged
didericis merged 5 commits from prd-0031 into main 2026-06-02 02:02:23 -04:00
+11 -18
@@ -30,6 +30,7 @@ from dataclasses import dataclass
from pathlib import Path from pathlib import Path
from typing import TYPE_CHECKING from typing import TYPE_CHECKING
from .egress_addon_core import Route
from .log import die from .log import die
if TYPE_CHECKING: if TYPE_CHECKING:
@@ -54,21 +55,17 @@ EGRESS_ROUTES_IN_CONTAINER = "/etc/egress/routes.yaml"
@dataclass(frozen=True) @dataclass(frozen=True)
class EgressRoute: class EgressRoute(Route):
"""One resolved route on the egress sidecar. """Host-side extension of the addon's `Route`.
`host` matches the request's hostname (case-insensitive). The Inherits `host`, `path_allowlist`, `auth_scheme`, and `token_env`
optional `path_allowlist` constrains the URL path; empty tuple from `egress_addon_core.Route` — those are the fields that cross the
means no path-level filtering. The `auth_scheme` / `token_env` / YAML wire into the sidecar. The three fields below are host-only and
`token_ref` triple is the credential-injection config; empty are never serialised to the addon.
strings mean "no auth injection" (the manifest's nested `auth`
block was omitted).
`token_env` is the env-var slot inside the egress container `token_ref` is the host env var the CLI reads at launch and forwards
(e.g. `EGRESS_TOKEN_0`); `token_ref` is the host env var into the container's environ under `token_env`. Routes that share a
the CLI reads at launch and forwards into the container's environ `token_ref` coalesce to one `token_env` slot.
under `token_env`. Routes that share a `token_ref` coalesce to
one `token_env` slot.
`roles` carries the manifest route's role tuple (reserved for `roles` carries the manifest route's role tuple (reserved for
future use; always empty today). future use; always empty today).
@@ -79,10 +76,6 @@ class EgressRoute:
route set it (e.g. egress injects its own Bearer on that host route set it (e.g. egress injects its own Bearer on that host
after the agent boundary and pipelock's header DLP would block it).""" after the agent boundary and pipelock's header DLP would block it)."""
host: str
path_allowlist: tuple[str, ...] = ()
auth_scheme: str = ""
token_env: str = ""
token_ref: str = "" token_ref: str = ""
roles: tuple[str, ...] = () roles: tuple[str, ...] = ()
tls_passthrough: bool = False tls_passthrough: bool = False
@@ -223,7 +216,7 @@ def egress_token_env_map(
return out return out
def _route_to_yaml_fields(r: EgressRoute) -> dict: def _route_to_yaml_fields(r: Route) -> dict:
"""Return the addon-visible fields for one route. """Return the addon-visible fields for one route.
Single authoritative mapping between EgressRoute (host-side) and Single authoritative mapping between EgressRoute (host-side) and