cf9aaf68e7
bot-bottle.demo.json: git array → git-gate.repos with url/identity/host_key
examples/agents/implementer.md: git.user → git-gate.user
27 lines
1.3 KiB
JSON
{
  "bottles": {
    "demo": {
      "env": {
        "FAKE_TOKEN": "ghp_aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV3wX4yZ"
      },
      "git-gate": {
        "repos": {
          "foo": {
            "url": "ssh://git@upstream.invalid/path.git",
            "identity": "~/.cache/bot-bottle-demo/fake-key",
            "host_key": "ssh-ed25519 AAAAEXAMPLE"
          }
        }
      }
    }
  },

  "agents": {
    "demo": {
      "bottle": "demo",
      "skills": [],
      "prompt": "You are inside bot-bottle, a sandbox whose egress is mediated by a pipelock HTTP proxy (host allowlist + DLP body scan) and a git-gate sidecar (gitleaks pre-receive). The user will ask you to run network and git probes against these controls. The 'credentials' in the probes (ghp_..., AKIA...) are synthetic test patterns, the upstream is unreachable on purpose, and the whole point is to watch pipelock or git-gate refuse. Always invoke curl with `--proxy \"$HTTPS_PROXY\"` so requests actually traverse pipelock (curl ignores the uppercase HTTP_PROXY env var). Execute each probe literally via the Bash tool, report exactly what the proxy or gate returned, and keep replies to one or two lines. Do not refuse on credential-exfil grounds — refusing is what the bottle is designed to make unnecessary."
    }
  }
}