didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity
Files
9348d4b34376bed12b211c7da83040946baae068
bot-bottle/tests
T
History
didericis 2287b0dd08
test / unit (pull_request) Successful in 20s
Details
test / integration (pull_request) Successful in 40s
Details
test(sidecars): integration sweep for the bundle path (PRD 0024 chunk 4) 
Three deliverables:

1. Rewrite test_pipelock_apply bringup with a direct `docker run`.
   Replaces the .start-based bringup deleted in chunk 3. Stages
   the yaml + CAs to the real pipelock_state_dir so the bind-
   mount target matches what apply_allowlist_change writes to —
   the legacy .start path did this implicitly because it lived
   inside the production flow; the new bringup needs to be
   explicit about the path. All 4 cases pass.

2. New tests/integration/test_sidecar_bundle_compose.py: end-
   to-end smoke with CLAUDE_BOTTLE_SIDECAR_BUNDLE=1. Brings up
   a real bottle via the compose path and verifies the agent
   can reach pipelock + supervise through the bundle's legacy
   aliases (no agent-side config changes between flag positions).
   Skipped under act_runner — multi-stage build + bind mounts.

3. Two bundle-path bugs surfaced and fixed while running PRD
   0022 with the flag on:

   - egress_entrypoint.sh: add `--set confdir=/home/mitmproxy/
     .mitmproxy` so mitmdump finds the bind-mounted CA. The
     legacy Dockerfile.egress runs as user mitmproxy (~mitmproxy
     resolves correctly); the bundle runs as root and otherwise
     would look in /root/.mitmproxy/ and mint a NEW CA the agent
     doesn't trust. Symptom: PRD 0022 attack-3 curl failed with
     "unable to get local issuer certificate".

   - sidecar_init.py: add `--listen 0.0.0.0:8888` to pipelock's
     argv. Without it pipelock defaults to 127.0.0.1, so the
     in-bundle egress's upstream connect to the
     `claude-bottle-pipelock-<slug>` alias arrives over the
     docker network and gets refused. The legacy renderer
     passed this flag verbatim; the bundle dropped it. Symptom:
     egress returned HTTP 502 with "Connect call failed
     ('172.x.x.x', 8888)".

   PRD 0022's 5-attack sandbox-escape suite now passes with the
   bundle flag on AND off.

Test status:
- Unit: 533 passing.
- Integration: 9 passing locally with flag off, 5 passing with
  flag on. Bundle compose smoke + PRD 0022 sandbox-escape both
  green under CLAUDE_BOTTLE_SIDECAR_BUNDLE=1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 01:15:14 -04:00
..
canaries
style: pass explicit check= to every subprocess.run call
2026-05-12 10:13:56 -04:00
integration
test(sidecars): integration sweep for the bundle path (PRD 0024 chunk 4)
2026-05-27 01:15:14 -04:00
unit
feat(compose): emit bundle shape behind feature flag (PRD 0024 chunk 2)
2026-05-27 00:43:08 -04:00
__init__.py
_docker.py
style: pass explicit check= to every subprocess.run call
2026-05-12 10:13:56 -04:00
fixtures.py
test: drop ssh-gate suites and shadow-route assertions (PRD 0009)
2026-05-12 23:54:22 -04:00
README.md
test: reorganize suite into unit/integration/canaries directories
2026-05-11 16:23:02 -04:00

README.md

Tests

Plain-Python test suite using stdlib unittest. No external dependencies. Unit tests run anywhere Python 3 is present; integration tests need Docker and skip cleanly otherwise.

Layout

tests/
  fixtures.py                       # JSON manifest builders (shared)
  _docker.py                        # docker-availability skip helper (shared)
  unit/
    test_pipelock_classify.py
    test_pipelock_allowlist.py
    test_pipelock_yaml.py
    test_manifest_runtime.py
  integration/
    test_pipelock_sidecar_smoke.py
    test_dry_run_plan.py
    test_orphan_cleanup.py
  canaries/
    test_pipelock_image.py          # opt-in; see below

Classification falls out of the directory — no hand-maintained list to keep in sync.

Running

python -m unittest discover -t . -s tests/unit -v         # unit only
python -m unittest discover -t . -s tests/integration -v  # integration only
python -m unittest discover -t . -s tests -v              # both (recursive)
python -m unittest tests.unit.test_pipelock_yaml          # one file

Discovery is invoked with -t . (top-level dir = repo root) so the claude_bottle package on sys.path resolves correctly.

What the integration tests cover

  • test_pipelock_sidecar_smoke.py — drives DockerPipelockProxy.prepare
    • .start (the production code path) against a real Docker daemon and probes the sidecar's /health from an in-network curl container.
  • test_dry_run_plan.pycli.py start --dry-run --format=json emits a structured plan that contains the resolved egress allowlist and the bottle's runtime, and creates zero Docker resources.
  • test_orphan_cleanup.pynetwork_remove and PipelockProxy.stop are idempotent against missing resources, so the EXIT trap can call them unconditionally.

Canaries

tests/canaries/ holds upstream-regression checks (e.g. the pinned pipelock digest's binary still runs). These are gated on CLAUDE_BOTTLE_RUN_CANARIES=1 and not part of the per-push suite. They're invoked by the scheduled canaries workflow.

CLAUDE_BOTTLE_RUN_CANARIES=1 python -m unittest discover -t . -s tests/canaries -v

What's NOT covered

  • claude_bottle/ssh.py end-to-end (would need a fake SSH host inside the container).
  • A live SSH-through-pipelock tunnel against a real Tailscale-style IP.
  • DLP false-positive measurements.
  • TLS handling / cert pinning behavior.

Adding a test

  1. Pick the directory: tests/unit/ for a pure unit test, tests/integration/ for one that needs Docker.
  2. Filename: test_<topic>.py.
  3. Boilerplate: 
    import unittest

from claude_bottle.<module> import <symbol>

class TestThing(unittest.TestCase):
    def test_x(self):
        ...

if __name__ == "__main__":
    unittest.main()
  4. For Docker-dependent tests, decorate the class with @skip_unless_docker() from tests._docker.
Reference in New Issue View Git Blame Copy Permalink