didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity
Files
22bc13dc3cc27da1da49f7a40d78dee7f0aced5a
bot-bottle/tests
T
History
didericis 22bc13dc3c
test / unit (pull_request) Successful in 20s
Details
test / integration (pull_request) Successful in 15s
Details
feat(mitmproxy): integration tests for the bumped HTTPS path 
Fourth and final step of PRD 0005. Two new end-to-end tests that
exercise the full chain agent -> mitmproxy(bump) -> addon ->
pipelock -> upstream and pin the two paths the addon implements.

- test_mitmproxy_blocks_secret_https_post: HTTPS variant of the
  existing test_pipelock_blocks_secret_post. Posts a credential
  pattern in the body over HTTPS through the bottle. mitmproxy
  bumps the CONNECT (the agent trusts the per-bottle ephemeral CA
  installed by provision_ca), the addon forwards the decrypted
  request to pipelock, pipelock returns 403 with the known
  `blocked: ...` body shape, and the addon short-circuits the
  flow with status=403 + X-Pipelock-Bridge: block. The two-axis
  assertion (status + header) proves the addon-mediated path is
  what produced the block, not some other layer.

- test_mitmproxy_allows_normal_https: hits raw.githubusercontent.com
  (a baked-in allowlist host) over HTTPS through the bottle.
  Verifies the addon's allow path: mitmproxy bumps, addon
  forwards to pipelock for the scan, pipelock allows, mitmproxy
  proceeds to the real upstream, response comes back through. The
  absence of X-Pipelock-Bridge on the response is the signal that
  the addon didn't short-circuit. Body length sanity-checks that
  the response is real upstream content, not a synthesized stub.

Both probes are stdlib-only Node (http.request CONNECT + tls.connect
on the tunneled socket) — pulling in undici as a dep would be the
clean way to do HTTPS-through-proxy but is out of scope.

The earlier integration tests still pass with mitmproxy in path:
their assertions hold under the new topology, though their semantic
coverage shifts (e.g. test_pipelock_allow_node now exercises
mitmproxy's CONNECT-200 path rather than pipelock's host allowlist
on CONNECT). Updating those tests is a follow-up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-12 13:46:09 -04:00
..
canaries
style: pass explicit check= to every subprocess.run call
2026-05-12 10:13:56 -04:00
integration
feat(mitmproxy): integration tests for the bumped HTTPS path
2026-05-12 13:46:09 -04:00
unit
feat(mitmproxy): vendor the addon and Docker sidecar lifecycle
2026-05-12 13:32:36 -04:00
__init__.py
refactor: convert project from bash to Python
2026-05-08 15:26:58 +00:00
_docker.py
style: pass explicit check= to every subprocess.run call
2026-05-12 10:13:56 -04:00
fixtures.py
chore(types): add pyright strict config and fix resulting errors
2026-05-12 10:03:48 -04:00
README.md
test: reorganize suite into unit/integration/canaries directories
2026-05-11 16:23:02 -04:00

README.md

Tests

Plain-Python test suite using stdlib unittest. No external dependencies. Unit tests run anywhere Python 3 is present; integration tests need Docker and skip cleanly otherwise.

Layout

tests/
  fixtures.py                       # JSON manifest builders (shared)
  _docker.py                        # docker-availability skip helper (shared)
  unit/
    test_pipelock_classify.py
    test_pipelock_allowlist.py
    test_pipelock_yaml.py
    test_manifest_runtime.py
  integration/
    test_pipelock_sidecar_smoke.py
    test_dry_run_plan.py
    test_orphan_cleanup.py
  canaries/
    test_pipelock_image.py          # opt-in; see below

Classification falls out of the directory — no hand-maintained list to keep in sync.

Running

python -m unittest discover -t . -s tests/unit -v         # unit only
python -m unittest discover -t . -s tests/integration -v  # integration only
python -m unittest discover -t . -s tests -v              # both (recursive)
python -m unittest tests.unit.test_pipelock_yaml          # one file

Discovery is invoked with -t . (top-level dir = repo root) so the claude_bottle package on sys.path resolves correctly.

What the integration tests cover

  • test_pipelock_sidecar_smoke.py — drives DockerPipelockProxy.prepare
    • .start (the production code path) against a real Docker daemon and probes the sidecar's /health from an in-network curl container.
  • test_dry_run_plan.pycli.py start --dry-run --format=json emits a structured plan that contains the resolved egress allowlist and the bottle's runtime, and creates zero Docker resources.
  • test_orphan_cleanup.pynetwork_remove and PipelockProxy.stop are idempotent against missing resources, so the EXIT trap can call them unconditionally.

Canaries

tests/canaries/ holds upstream-regression checks (e.g. the pinned pipelock digest's binary still runs). These are gated on CLAUDE_BOTTLE_RUN_CANARIES=1 and not part of the per-push suite. They're invoked by the scheduled canaries workflow.

CLAUDE_BOTTLE_RUN_CANARIES=1 python -m unittest discover -t . -s tests/canaries -v

What's NOT covered

  • claude_bottle/ssh.py end-to-end (would need a fake SSH host inside the container).
  • A live SSH-through-pipelock tunnel against a real Tailscale-style IP.
  • DLP false-positive measurements.
  • TLS handling / cert pinning behavior.

Adding a test

  1. Pick the directory: tests/unit/ for a pure unit test, tests/integration/ for one that needs Docker.
  2. Filename: test_<topic>.py.
  3. Boilerplate: 
    import unittest

from claude_bottle.<module> import <symbol>

class TestThing(unittest.TestCase):
    def test_x(self):
        ...

if __name__ == "__main__":
    unittest.main()
  4. For Docker-dependent tests, decorate the class with @skip_unless_docker() from tests._docker.
Reference in New Issue View Git Blame Copy Permalink