Splits `Manifest.resolve` into a two-phase load:
1. $HOME/claude-bottle.json parses under the full schema as today.
This file owns bottle infrastructure (cred_proxy.routes, git,
env, egress).
2. $CWD/claude-bottle.json parses under the new CwdExtension schema
— agents-only. Any `bottles:` section dies at parse with a
pointer at the home file. Each cwd agent's `bottle:` must
resolve against a home-defined bottle name.
When CWD == HOME (running from $HOME directly) the resolver
short-circuits to home-only — no false trust-boundary error from
parsing the same file twice.
Closes the exfil vector documented in PRD 0011: a cloned repo's
claude-bottle.json can no longer redefine cred-proxy routes, and
therefore can't redirect $CLAUDE_BOTTLE_OAUTH_TOKEN /
$GITHUB_TOKEN / etc. to an attacker-named upstream on first
launch.
Preflight surfaces the boundary positively: print() shows
`bottle: <name> (from $HOME/claude-bottle.json)`, and to_dict
emits `"bottle_source": "home"`. README + the existing dry-run
integration test pick that up.
BREAKING: existing cwd manifests that define bottles now fail.
The error message names the file path, the offending field, and
the fix ("move bottles section to $HOME/claude-bottle.json").
Tests:
- tests/unit/test_manifest_trust_boundary.py — 10 cases covering
PRD 0011's success criteria (bottles rejected, agents allowed,
cwd overrides agent fields, no silent fallback, home-only
unchanged, etc.).
- tests/integration/test_dry_run_plan.py picks up the
bottle_source assertion.
didericis
ccfdb141dd