feat(supervise+orchestrator): slice 11 — per-bottle supervise queue + DLP safelist #367
Closed
didericis-claude
wants to merge 1 commits from
orchestrator-supervise-multitenant into orchestrator-gitgate-multitenant
pull from: orchestrator-supervise-multitenant
merge into: didericis:orchestrator-gitgate-multitenant
didericis:main
didericis:post-build-image-smoke-test
didericis:lazy-backend-imports
didericis:orchestrator-agent-compose
didericis:orchestrator-gateway-ca
didericis:orchestrator-consolidated-launch
didericis:orchestrator-gateway-provision
didericis:orchestrator-gateway-network
didericis:orchestrator-client
didericis:orchestrator-gateway-net
didericis:orchestrator-gitgate-provision
didericis:orchestrator-registration
didericis:orchestrator-lifecycle
didericis:orchestrator-supervise-writers
didericis:orchestrator-gitgate-multitenant
didericis:orchestrator-rename-gateway
didericis:orchestrator-slice8
didericis:orchestrator-slice7
didericis:orchestrator-slice6
didericis:prd-orchestrator
didericis:orchestrator-slice5
didericis:orchestrator-slice4
didericis:orchestrator-slice3
didericis:orchestrator-slice2
didericis:ci-kvm-runner
didericis:firecracker-backend
didericis:issue-330-cached-images
didericis:forge-native-integration
didericis:prd-smolmachines-linux
didericis:claude-forward-host-credentials
didericis:fold-orchestrator-subpackage
didericis:prd-egress-control-plane
didericis:manifest-break-import-cycle
didericis:dlp-supervise-quality-fixes
didericis:table-drive-dlp-tests
didericis:fix-integration-test-failures
didericis:fix/macos-container-relative-dockerfile
didericis:prd-0054-install-script
didericis:commit-bottle-state
didericis:pr-211
didericis:move-codex-auth-to-contrib
didericis:feat/pipelock-skip-scan-extensions
didericis:prd-0049-named-labelled-agents
didericis:harden-git-gate-shell-rendering
Labels
Clear labels
Compat/Breaking
Kind/Bug
Kind/Documentation
Kind/Enhancement
Kind/Feature
Kind/Security
Kind/Testing
Breaking change that won't be backward compatible
Something is not working
Documentation changes
Improve existing functionality
New functionality
This is security issue
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: didericis/bot-bottle#367
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "orchestrator-supervise-multitenant"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Slice 11 of the docker consolidation program: make the supervise path multi-tenant in the shared gateway.
The gap this closes (a real cross-tenant leak)
Consolidated egress (slice 8) already served every bottle from one process, but supervise stayed single-tenant in two ways that are wrong under sharing:
SUPERVISE_BOTTLE_SLUGenv, so every bottle's proposal landed under the same slug.self.safe_tokenswas one global set. An operator approving bottle A's flagged token would add it to the set that bottle B's DLP scan consults — i.e. A's approved secret silently passes B's egress. A per-bottle-impossible bug that the shared process introduced.Both are now keyed per bottle, resolved by source IP (same attribution invariant as egress/git-gate).
Changes
policy_resolver:resolve_policy_and_bottle_id— policy and bottle id from a single/resolve, so egress keys routing + the supervise queue/safelist in one round-trip. Fail-closed (403 → (None, None)).egress_addon_core:resolve_client_context(+ContextResolverLike) returns(Config, bottle_id), sharing the fail-closed parse withresolve_client_configvia_config_from_policy.egress_addon:_active_config → _resolve_flowreturns(Config, slug); the globalsafe_tokensset → per-bottle_safe_tokens_for(slug); the token-allow write/await/archive + the approved-token add all use the resolved slug. Single-tenant unchanged (no resolver → slug = envSUPERVISE_BOTTLE_SLUG).Tests
New coverage for the resolver, the fail-closed
(Config, slug)matrix, and the cross-tenant isolation: an approval lands only in the calling bottle's safelist; the proposal is keyed by the source-IP-attributed bottle; unattributed IPs can't supervise.Out of scope (follow-up slices)
gitleaks-allowhook +supervise_serveragent-proposal paths (also key offSUPERVISE_BOTTLE_SLUG).self.configonly (inert in consolidated mode) — a separate slice, noted in-code.Verification
pyright 0 errors, pylint 9.83/10, unit suite green (1700 tests; the 13
test_sidecar_init/bin/sleeperrors are pre-existing NixOS-local noise).Stacked on #365.
🤖 Generated with Claude Code
Collapsed into the single stack PR #380 (per-host orchestrator, PRD 0070). Closing this slice PR; review + merge happens on #380.
Pull request closed