Replace typed-attribute assertions (TlsPassthrough, SsrfIpAllowlist)
with Config dict lookups, drop the four strict-validation tests that
were intentionally removed in the refactor, and add a
skip_scan_for_extensions test to cover the PR's stated new feature.

- Merge arbitrary pipelock settings from routes into global config
- Allows routes to configure new pipelock options without code changes
- Special-case tls_passthrough and ssrf_ip_allowlist (already aggregated)

Note: Pipelock doesn't currently support per-path/per-host response
scanning rules or response size limits, so response_body_scanning config
is not yet usable. For now, use tls_passthrough for binary download hosts.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

- Change PipelockRoutePolicy to store raw pipelock config dict instead
  of individual coerced fields (TlsPassthrough, SsrfIpAllowlist)
- Update pipelock.py and egress.py to extract values from Config dict
- Simplifies manifest validation: pipelock handles its own schema
- Enables new pipelock options like skip_scan_for_extensions without
  updating bot-bottle code

This allows bottles to configure pipelock directly, e.g.:

    pipelock:
      skip_scan_for_extensions: [".whl", ".tar.gz"]

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>