didericis 579a9dae3e
test / unit (pull_request) Successful in 12s
test / integration (pull_request) Successful in 23s
docs: add PRD 0011 for cwd-manifest trust boundary
Bottles defined in $CWD/claude-bottle.json can redefine
cred_proxy.routes / git / env / egress on key conflict, which
gives a cloned repo's manifest the ability to redirect a host
env var (CLAUDE_BOTTLE_OAUTH_TOKEN, GITHUB_TOKEN, ...) to an
attacker-controlled upstream on first launch — no agent
compromise required.

This PRD proposes drawing the trust boundary at the bottle
level: $HOME owns bottle definitions; $CWD can only declare
agents that reference home-defined bottles. Six success
criteria + the resolver-split design.

PRD-only; no code in this commit.
2026-05-24 14:59:11 -04:00