didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

PRD: Promote smolmachines to default backend; convert Docker to example-only #210

Merged
didericis merged 8 commits from prd-0055-smolmachines-default into main 2026-06-08 23:34:53 -04:00
Conversation 1 Commits 8 Files Changed 16
+205 -64
didericis-claude commented 2026-06-06 16:03:31 -04:00
Collaborator
Copy Link
Copy Source

Closes #206.

PRD 0058

Summary

Makes smolmachines the default backend (BOT_BOTTLE_BACKEND default changes from docker to smolmachines), closing the DNS sinkhole gap in the Docker default path. The smolmachines VMM enforces DNS filtering at the vsock layer — the agent cannot exfiltrate via DNS tunnelling because the host returns NXDOMAIN for non-allowlisted names before the query leaves the machine. Docker remains functional but is demoted to example-only. Two open questions (TSI+pipelock loopback verification, availability fallback UX) are called out in the PRD before implementation begins.

Closes #206. [PRD 0058](https://gitea.dideric.is/didericis/bot-bottle/src/commit/1c36b66ffd0158955cc3b2be1c4e379050008454/docs/prds/0058-smolmachines-default.md) ## Summary Makes smolmachines the default backend (`BOT_BOTTLE_BACKEND` default changes from `docker` to `smolmachines`), closing the DNS sinkhole gap in the Docker default path. The smolmachines VMM enforces DNS filtering at the vsock layer — the agent cannot exfiltrate via DNS tunnelling because the host returns NXDOMAIN for non-allowlisted names before the query leaves the machine. Docker remains functional but is demoted to example-only. Two open questions (TSI+pipelock loopback verification, availability fallback UX) are called out in the PRD before implementation begins.
didericis-claude changed title from PRD 0055: Promote smolmachines to default backend; convert Docker to example-only to PRD 0058: Promote smolmachines to default backend; convert Docker to example-only 2026-06-06 16:49:25 -04:00
didericis-claude changed title from PRD 0058: Promote smolmachines to default backend; convert Docker to example-only to PRD: Promote smolmachines to default backend; convert Docker to example-only 2026-06-06 22:10:40 -04:00
didericis added 3 commits 2026-06-08 23:10:13 -04:00
docs(prd): PRD 0055 - promote smolmachines to default backend 43a5700ae6
docs(prd): renumber PRD 0055 → 0058 (0055 slot taken by extended-outbound-scan) 39b0c4f720
ci(prd): rename PRD to prd-new placeholder per new convention
lint / lint (push) Successful in 1m47s
Details
aff042855a
didericis force-pushed prd-0055-smolmachines-default from 38ad0fc052 to aff042855a 2026-06-08 23:10:13 -04:00 Compare
didericis added 1 commit 2026-06-08 23:15:08 -04:00
test(smolmachines): verify TSI egress proxy path
lint / lint (push) Successful in 1m47s
Details
test / unit (pull_request) Successful in 39s
Details
test / integration (pull_request) Successful in 23s
Details
fabcd026af
didericis added 1 commit 2026-06-08 23:23:06 -04:00
test: fix smolmachines proxy assertions
lint / lint (push) Successful in 1m52s
Details
test / unit (pull_request) Successful in 41s
Details
test / integration (pull_request) Successful in 25s
Details
cc1d986a74
didericis-claude commented 2026-06-08 23:24:24 -04:00
Author
Collaborator
Copy Link
Copy Source

Current TSI + egress-proxy state:

  • The smolmachines launch path no longer relies on broad host loopback passthrough. It publishes the egress sidecar on a per-bottle 127.x loopback alias and patches smolvm's TSI allowlist to that alias as a /32.
  • The integration test now asserts that the guest receives matching HTTP_PROXY/HTTPS_PROXY values on that 127.x alias, an allowlisted HTTPS request to example.com succeeds through the proxy, direct egress with proxy env vars unset fails, and a non-allowlisted host fails through the proxy.
  • This gives us executable coverage for the intended security property: the guest can reach bot-bottle's egress proxy through scoped TSI loopback, but cannot use direct internet egress or broad host loopback as a bypass.
  • The test is macOS + smolvm + Docker gated, so it imports in Linux CI but must be exercised on a macOS smolvm host for full runtime validation.
Current TSI + egress-proxy state: - The smolmachines launch path no longer relies on broad host loopback passthrough. It publishes the egress sidecar on a per-bottle 127.x loopback alias and patches smolvm's TSI allowlist to that alias as a /32. - The integration test now asserts that the guest receives matching HTTP_PROXY/HTTPS_PROXY values on that 127.x alias, an allowlisted HTTPS request to example.com succeeds through the proxy, direct egress with proxy env vars unset fails, and a non-allowlisted host fails through the proxy. - This gives us executable coverage for the intended security property: the guest can reach bot-bottle's egress proxy through scoped TSI loopback, but cannot use direct internet egress or broad host loopback as a bypass. - The test is macOS + smolvm + Docker gated, so it imports in Linux CI but must be exercised on a macOS smolvm host for full runtime validation.
didericis added 2 commits 2026-06-08 23:28:09 -04:00
feat(backend): default to smolmachines 1bebb7467f
complete(prd): mark smolmachines default active
lint / lint (push) Successful in 1m46s
Details
test / unit (pull_request) Successful in 41s
Details
test / integration (pull_request) Successful in 22s
Details
17fc44d0d8
didericis added 1 commit 2026-06-08 23:31:40 -04:00
fix(start): skip backend selector
test / unit (pull_request) Successful in 40s
Details
test / integration (pull_request) Successful in 24s
Details
lint / lint (push) Successful in 1m47s
Details
prd-number / assign-numbers (push) Successful in 29s
Details
test / unit (push) Successful in 38s
Details
test / integration (push) Successful in 27s
Details
Update Quality Badges / update-badges (push) Failing after 1m20s
Details
e6040fc824
didericis merged commit e6040fc824 into main 2026-06-08 23:34:53 -04:00
didericis deleted branch prd-0055-smolmachines-default 2026-06-08 23:34:53 -04:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#210
Delete Branch "prd-0055-smolmachines-default"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?