didericis 579a9dae3e docs: add PRD 0011 for cwd-manifest trust boundary ...

Bottles defined in $CWD/claude-bottle.json can redefine
cred_proxy.routes / git / env / egress on key conflict, which
gives a cloned repo's manifest the ability to redirect a host
env var (CLAUDE_BOTTLE_OAUTH_TOKEN, GITHUB_TOKEN, ...) to an
attacker-controlled upstream on first launch — no agent
compromise required.

This PRD proposes drawing the trust boundary at the bottle
level: $HOME owns bottle definitions; $CWD can only declare
agents that reference home-defined bottles. Six success
criteria + the resolver-split design.

PRD-only; no code in this commit.

2026-05-24 14:59:11 -04:00

..

.gitkeep

Initial commit

2026-05-07 22:45:36 -04:00

0001-per-agent-egress-proxy-via-pipelock.md

docs: replace stale .sh paths with claude_bottle/*.py equivalents

2026-05-10 00:27:25 -04:00

0002-test-pipeline-on-gitea-actions.md

PRD 0002: Test pipeline on Gitea Actions (#3)

2026-05-09 02:48:03 -04:00

0003-bottle-backend-abstraction.md

docs(prd): update PRD 0003 to reflect the shipped design

2026-05-11 14:47:17 -04:00

0004-split-out-provisioners.md

docs(prd): add 0004 split out provisioners

2026-05-11 19:36:39 -04:00

0006-pipelock-tls-interception.md

docs(prd): fold 0006 walkthrough resolutions into the design

2026-05-12 14:22:59 -04:00

0007-ssh-egress-gate.md

docs: drop ssh from README/example, supersede PRD 0007 (PRD 0009)

2026-05-12 23:57:50 -04:00

0008-git-gate.md

docs(git-gate): document ExtraHosts on bottle.git entries

2026-05-12 23:18:46 -04:00

0009-remove-ssh-gate.md

docs(prds): add PRD 0009 to remove ssh-gate and bottle.ssh

2026-05-12 23:34:11 -04:00

0010-cred-proxy.md

feat(cred_proxy)!: cred-proxy is the only Anthropic auth path

2026-05-24 12:56:09 -04:00

0011-cwd-manifest-trust-boundary.md

docs: add PRD 0011 for cwd-manifest trust boundary

2026-05-24 14:59:11 -04:00