61f63684ac
New Dockerfile.sidecars multi-stage build: pulls the pinned
pipelock and gitleaks binaries into a mitmproxy-base final image,
installs git + openssh-client, and ships the project's egress
addon + supervise server alongside a stdlib-Python init at
/app/sidecar_init.py.

The init supervisor (claude_bottle/sidecar_init.py) is PID 1 in
the bundle. It spawns the daemons named in
CLAUDE_BOTTLE_SIDECAR_DAEMONS (or all four by default),
propagates SIGTERM/SIGINT to children with an 8s grace before
SIGKILL, and exits with the first-unexpected-child exit code so
a daemon crash tears down the bundle (per PRD 0024 open
question 1's default).

claude_bottle/egress_entrypoint.sh extracted verbatim from
Dockerfile.egress's prior inline sh -c so the supervisor can
call it as a normal child.

Tests:
- unit: _selected_daemons env-var subset behavior (7 cases),
  _Supervisor signal/exit-code semantics including SIGKILL
  escalation, and end-to-end main() via subprocess.
- integration: builds the image and probes that pipelock,
  gitleaks, mitmdump, and the supervise Python module are
  present + executable, plus a no-daemons-selected smoke test
  of the entrypoint wiring. Skipped under act_runner (200+MB
  base pulls + multi-stage build).

Renderer collapse and the deletion of Dockerfile.{egress,git-gate,
supervise} land in chunk 2 + 3.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

36 lines
1.4 KiB
Bash
#!/bin/sh
# Egress daemon entrypoint inside the sidecar bundle (PRD 0024).
#
# Extracted verbatim from Dockerfile.egress's prior inline `sh -c`
# ENTRYPOINT so the supervisor in claude_bottle/sidecar_init.py can
# call it as a normal child. Behavior is unchanged:
#
# * Upstream proxy: when EGRESS_UPSTREAM_PROXY is set, switch
# to `--mode upstream:URL` to forward all post-MITM traffic
# through pipelock. mitmproxy does NOT honor HTTPS_PROXY on
# its outbound side, so the upstream wiring has to be the
# mitmproxy mode flag, not env.
# * Upstream trust: when EGRESS_UPSTREAM_CA is set, build a
# combined trust bundle (system roots + pipelock CA) and point
# mitmproxy at it. The option REPLACES mitmproxy's default
# trust store, so passing pipelock's CA alone would break
# pipelock-passthrough hosts (api.anthropic.com etc.).
# * `-s /app/egress_addon.py` loads the addon that reads
# /etc/egress/routes.yaml.

set -e

MODE="--mode regular@9099"
if [ -n "$EGRESS_UPSTREAM_PROXY" ]; then
MODE="--mode upstream:$EGRESS_UPSTREAM_PROXY --listen-port 9099"
fi

TRUST_FLAG=""
if [ -n "$EGRESS_UPSTREAM_CA" ] && [ -f "$EGRESS_UPSTREAM_CA" ]; then
COMBINED=/home/mitmproxy/.mitmproxy/combined-trust.pem
cat /etc/ssl/certs/ca-certificates.crt "$EGRESS_UPSTREAM_CA" > "$COMBINED"
TRUST_FLAG="--set ssl_verify_upstream_trusted_ca=$COMBINED"
fi

exec mitmdump $MODE $TRUST_FLAG -s /app/egress_addon.py
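
Review bot: `exec mitmdump $MODE $TRUST_FLAG` on the last line expands both variables unquoted, so a value of EGRESS_UPSTREAM_PROXY (or a CA path) containing whitespace or glob characters is word-split into extra mitmdump arguments instead of staying inside `--mode upstream:...`. Consider building the argument list with `set --` and ending with `exec mitmdump "$@" -s /app/egress_addon.py`, or rejecting values that contain whitespace before they are used. Separately, in the trust block, when EGRESS_UPSTREAM_CA is set but the file does not exist, the `[ -f "$EGRESS_UPSTREAM_CA" ]` test skips the bundle silently and mitmdump starts with its default trust store; a message on stderr or a non-zero exit at that point would surface the misconfiguration at startup rather than as later upstream TLS verification failures.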