didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

feat(smolmachines): provision_ca + provision_git + provision_supervise (PRD 0023 chunk 4d) #72

Merged
didericis merged 1 commits from prd-0023-chunk-4d-provision-ca-git-supervise into main 2026-05-27 14:27:30 -04:00
Conversation 1 Commits 1 Files Changed 10
+661 -77
didericis-claude commented 2026-05-27 14:16:15 -04:00
Collaborator
Copy Link
Copy Source

Summary

  • Adds three smolmachines provisioning modules: ca, git, supervise. Each mirrors its docker counterpart, dispatched via smolvm machine cp / smolvm machine exec and addresses the bundle by <bundle_ip>:<port> (no DNS in the TSI-allowlisted guest) where docker uses short network aliases.
  • Moves render_git_gate_gitconfig from backend/docker/provision/git.py to the platform-neutral claude_bottle/git_gate.py (renamed to git_gate_render_gitconfig for consistency with the existing git_gate_render_* helpers) and parameterizes on a gate_host arg so both backends reuse the same render with different addresses.
  • Path/user fixups for the post-chunk-4c agent image: prompt + skills default to /home/node/... instead of /root/..., with chown node:node after machine cp (the VM exec runs as root so we have to flip ownership ourselves; same pattern as the docker backend's docker exec -u 0 chown).
  • 575 unit tests pass (+11 covering CA selection, git-gate URL form, supervise noop/failure, prompt/skills user fixups).

Chunk 5 — running the PRD 0022 sandbox-escape suite under CLAUDE_BOTTLE_BACKEND=smolmachines — is the next and final piece.

## Summary - Adds three smolmachines provisioning modules: `ca`, `git`, `supervise`. Each mirrors its docker counterpart, dispatched via `smolvm machine cp` / `smolvm machine exec` and addresses the bundle by `<bundle_ip>:<port>` (no DNS in the TSI-allowlisted guest) where docker uses short network aliases. - Moves `render_git_gate_gitconfig` from `backend/docker/provision/git.py` to the platform-neutral `claude_bottle/git_gate.py` (renamed to `git_gate_render_gitconfig` for consistency with the existing `git_gate_render_*` helpers) and parameterizes on a `gate_host` arg so both backends reuse the same render with different addresses. - Path/user fixups for the post-chunk-4c agent image: prompt + skills default to `/home/node/...` instead of `/root/...`, with `chown node:node` after `machine cp` (the VM exec runs as root so we have to flip ownership ourselves; same pattern as the docker backend's `docker exec -u 0 chown`). - 575 unit tests pass (+11 covering CA selection, git-gate URL form, supervise noop/failure, prompt/skills user fixups). Chunk 5 — running the PRD 0022 sandbox-escape suite under `CLAUDE_BOTTLE_BACKEND=smolmachines` — is the next and final piece.
didericis-claude added 1 commit 2026-05-27 14:16:16 -04:00
feat(smolmachines): provision_ca + provision_git + provision_supervise (PRD 0023 chunk 4d)
test / unit (pull_request) Successful in 26s
Details
test / integration (pull_request) Successful in 43s
Details
test / unit (push) Successful in 26s
Details
test / integration (push) Successful in 42s
Details
ac8c7ba696 
End-to-end provisioning parity with the docker backend. After this
chunk a smolmachines bottle has a working trust store, git-gate
gitconfig, and supervise MCP registration — same shape as docker,
dispatched via `smolvm machine cp` / `smolvm machine exec` instead
of `docker cp` / `docker exec`.

Adds three new provision modules:
- ca.py:        select egress vs pipelock CA (same logic as
                docker), machine cp + update-ca-certificates,
                log sha256 fingerprint.
- git.py:       copy host .git when --cwd was passed; render
                ~/.gitconfig with insteadOf URLs. URL prefix is
                `git://<bundle_ip>:9418/...` (no DNS in the
                TSI-allowlisted guest) vs docker's
                `git://git-gate/...`.
- supervise.py: `claude mcp add` via machine_exec; URL is
                `http://<bundle_ip>:9100/`. Failure is logged but
                non-fatal (matches docker).

Shared render: `render_git_gate_gitconfig` moves out of
backend/docker/provision/git.py into the platform-neutral
claude_bottle/git_gate.py (renamed to git_gate_render_gitconfig
for consistency with the existing git_gate_render_* helpers),
parameterized on a `gate_host` argument so both backends use the
same logic with different addresses.

Path/user fixups for the post-chunk-4c agent image (real
claude-bottle image, USER node, $HOME=/home/node):
- prompt.py default path moves from /root/... to
  /home/node/.claude-bottle-prompt.txt; chown + chmod after
  machine cp.
- skills.py default skills dir moves from /root/.claude/skills to
  /home/node/.claude/skills; chown -R per skill.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
didericis approved these changes 2026-05-27 14:27:18 -04:00
didericis merged commit ac8c7ba696 into main 2026-05-27 14:27:30 -04:00
didericis deleted branch prd-0023-chunk-4d-provision-ca-git-supervise 2026-05-27 14:27:30 -04:00
Sign in to join this conversation.
Reviewers
No Reviewers
didericis
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#72
Delete Branch "prd-0023-chunk-4d-provision-ca-git-supervise"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?