didericis
70f773ac61
Hard cutover. cred-proxy is deleted; egress-proxy is now the agent's
HTTP_PROXY (when routes are declared) with pipelock on its outbound
leg. Two per-bottle CAs are minted: egress-proxy's (agent trust
store) and pipelock's (egress-proxy's outbound trust store).
Manifest:
- `bottle.cred_proxy` → hard error with a migration recipe.
- `bottle.egress_proxy` is the new shape (PRD 0017 chunk 1).
- CredProxy* types + role validators removed.
Wiring:
- launch.py: `egress_proxy_tls_init` mints the egress-proxy CA
(cert+key concat for mitmproxy + cert-only for agent trust);
`DockerEgressProxy.start` docker-cps both CAs in, sets
`HTTPS_PROXY=pipelock` + `EGRESS_PROXY_UPSTREAM_CA` so mitmdump
trusts pipelock's MITM. Agent's HTTP_PROXY points at
egress-proxy when routes exist, else falls back to pipelock
(no-routes bottles unchanged).
- prepare.py / backend.py: `cred_proxy` arg → `egress_proxy`;
sidecar-orphan probe + plan field + dashboard view all
renamed.
- provision_ca: selects the egress-proxy CA when present, else
pipelock's (filename renamed to claude-bottle-mitm-ca.crt).
- bottle.provision: cred-proxy dotfile rewrites (~/.npmrc,
~/.gitconfig insteadOf, tea config) are gone — HTTP_PROXY
catches everything respecting it.
Pipelock helpers:
- `pipelock_token_hosts` → `pipelock_route_hosts` (now reading
egress_proxy.routes).
- cred-proxy hostname auto-allow → egress-proxy hostname
auto-allow.
- Anthropic seed-phrase workaround now triggers when an
egress_proxy route targets api.anthropic.com (was based on the
cred-proxy `anthropic-base-url` role).
Dockerfile.egress-proxy:
- Entrypoint conditionally passes
`--set ssl_verify_upstream_trusted_ca=$EGRESS_PROXY_UPSTREAM_CA`
(via the `${VAR:+...}` shell expansion) so standalone runs without
a mounted pipelock CA still boot.
- mkdirs `/home/mitmproxy/.mitmproxy` ahead of `docker cp`.
Deleted: claude_bottle/{cred_proxy,cred_proxy_server}.py,
backend/docker/{cred_proxy,provision/cred_proxy}.py,
Dockerfile.cred-proxy, plus the corresponding unit + integration
tests. backend/docker/cred_proxy_apply.py stays as a stub for
chunk 3 to rewrite (its container-name + routes-path constants
are inlined so it survives without the deleted module).
Test changes:
- test_pipelock_allowlist rewritten against egress-proxy routes
+ the new `pipelock_route_hosts`.
- test_manifest_md_load + test_pipelock_yaml + test_yaml_subset
fixtures migrated to the `egress_proxy: { routes: [...] }`
shape.
- test_supervise_sidecar's round-trip test switched from
`dashboard.approve` to `dashboard.reject`: the approval-apply
path on cred-proxy-block proposals hits a deleted sidecar in
chunk 2's transitional state. Chunk 3 restores the approval
test once the remediation flow is retargeted at egress-proxy.
376 tests pass (was 427; net delta is removed cred-proxy tests).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
58 lines
2.8 KiB
Docker
58 lines
2.8 KiB
Docker
# Per-bottle egress-proxy sidecar image (PRD 0017).
|
|
#
|
|
# Replaces cred-proxy (PRD 0010). Sits on the agent's HTTP_PROXY /
|
|
# HTTPS_PROXY path (wiring lands in chunk 2) and owns three jobs:
|
|
# 1. MITM HTTPS using the per-bottle CA (chunk 2 moves the CA
|
|
# generation from pipelock).
|
|
# 2. Enforce manifest-declared path_allowlist per route.
|
|
# 3. Inject Authorization headers for routes that declare an auth
|
|
# block.
|
|
#
|
|
# Chunk 1 of PRD 0017 ships this image and the addon. Wiring it
|
|
# into the bottle launch (and the per-bottle CA + the pipelock
|
|
# upstream proxy) is chunk 2.
|
|
|
|
# mitmproxy base image. mitmdump + addon API are already there; we
|
|
# only need to drop our addon in. TODO: pin by digest.
|
|
FROM mitmproxy/mitmproxy:11.1.3
|
|
|
|
USER root
|
|
|
|
# The addon ships as two files. `_core.py` is pure-logic, importable
|
|
# both inside the container and from the host's tests; `_addon.py` is
|
|
# the mitmproxy hook wrapper. Both land flat in /app/ so mitmdump's
|
|
# loader finds them as top-level sibling modules.
|
|
COPY claude_bottle/egress_proxy_addon_core.py /app/egress_proxy_addon_core.py
|
|
COPY claude_bottle/egress_proxy_addon.py /app/egress_proxy_addon.py
|
|
|
|
# Pre-create the runtime directories the backend's start step will
|
|
# `docker cp` into. docker cp does not create intermediate dirs, so
|
|
# the mkdir must be baked into the image.
|
|
# /etc/egress-proxy routes.yaml lands here
|
|
# ~/.mitmproxy mitmproxy CA (cert+key concat) + the
|
|
# pipelock CA (cert only, for upstream
|
|
# trust on the HTTPS_PROXY=pipelock leg)
|
|
# Ownership lets the unprivileged mitmproxy user read the files.
|
|
RUN mkdir -p /etc/egress-proxy /home/mitmproxy/.mitmproxy \
|
|
&& chown -R mitmproxy:mitmproxy /etc/egress-proxy /home/mitmproxy/.mitmproxy /app
|
|
|
|
USER mitmproxy
|
|
|
|
# Listening port. Agents dial egress-proxy on this port via their
|
|
# HTTP_PROXY env. Surfaced as EXPOSE for documentation; not required
|
|
# for the internal network to route to it.
|
|
EXPOSE 9099
|
|
|
|
# Entrypoint:
|
|
# --mode regular@9099 standard HTTP/HTTPS forward proxy on :9099.
|
|
# --set ssl_verify_upstream_trusted_ca=... only when
|
|
# EGRESS_PROXY_UPSTREAM_CA env is set (the backend's start step
|
|
# sets it to the in-container pipelock-CA path when pipelock is
|
|
# present, so the upstream leg trusts pipelock's MITM). The
|
|
# ${VAR:+expansion} form omits the flag when the var is unset
|
|
# or empty — useful for standalone runs of the image (e.g. unit
|
|
# tests) where no upstream CA is mounted.
|
|
# -s /app/egress_proxy_addon.py loads our addon, which reads the
|
|
# route table from /etc/egress-proxy/routes.yaml.
|
|
ENTRYPOINT ["sh", "-c", "exec mitmdump --mode regular@9099 ${EGRESS_PROXY_UPSTREAM_CA:+--set ssl_verify_upstream_trusted_ca=$EGRESS_PROXY_UPSTREAM_CA} -s /app/egress_proxy_addon.py"]
|