didericis
ccfdb141dd
Splits `Manifest.resolve` into a two-phase load:
1. $HOME/claude-bottle.json parses under the full schema as today.
This file owns bottle infrastructure (cred_proxy.routes, git,
env, egress).
2. $CWD/claude-bottle.json parses under the new CwdExtension schema
— agents-only. Any `bottles:` section dies at parse with a
pointer at the home file. Each cwd agent's `bottle:` must
resolve against a home-defined bottle name.
When CWD == HOME (running from $HOME directly) the resolver
short-circuits to home-only — no false trust-boundary error from
parsing the same file twice.
Closes the exfil vector documented in PRD 0011: a cloned repo's
claude-bottle.json can no longer redefine cred-proxy routes, and
therefore can't redirect $CLAUDE_BOTTLE_OAUTH_TOKEN /
$GITHUB_TOKEN / etc. to an attacker-named upstream on first
launch.
Preflight surfaces the boundary positively: print() shows
`bottle: <name> (from $HOME/claude-bottle.json)`, and to_dict
emits `"bottle_source": "home"`. README + the existing dry-run
integration test pick that up.
BREAKING: existing cwd manifests that define bottles now fail.
The error message names the file path, the offending field, and
the fix ("move bottles section to $HOME/claude-bottle.json").
Tests:
- tests/unit/test_manifest_trust_boundary.py — 10 cases covering
PRD 0011's success criteria (bottles rejected, agents allowed,
cwd overrides agent fields, no silent fallback, home-only
unchanged, etc.).
- tests/integration/test_dry_run_plan.py picks up the
bottle_source assertion.
143 lines
6.0 KiB
Python
143 lines
6.0 KiB
Python
"""Integration: cli.py start --dry-run --format=json renders a stable
|
|
machine-readable plan and creates zero Docker resources. The shape of
|
|
the JSON document is part of the CLI's user-facing contract."""
|
|
|
|
import json
|
|
import os
|
|
import subprocess
|
|
import sys
|
|
import tempfile
|
|
import unittest
|
|
from pathlib import Path
|
|
|
|
from tests._docker import skip_unless_docker
|
|
|
|
REPO_ROOT = Path(__file__).resolve().parent.parent.parent
|
|
|
|
|
|
@skip_unless_docker()
|
|
class TestDryRunPlan(unittest.TestCase):
|
|
def test_dry_run_emits_structured_plan(self):
|
|
work_dir = Path(tempfile.mkdtemp())
|
|
try:
|
|
manifest = work_dir / "claude-bottle.json"
|
|
manifest.write_text(json.dumps({
|
|
"bottles": {"dev": {"egress": {"allowlist": ["example.org"]}}},
|
|
"agents": {
|
|
"demo": {"skills": [], "prompt": "", "bottle": "dev"},
|
|
},
|
|
}))
|
|
|
|
# Under act_runner with a host-mounted docker socket, the
|
|
# `docker network ls` / `docker ps -a` calls from inside the
|
|
# job container exit non-zero (see docs/ci.md for the same
|
|
# topology issue affecting other integration tests). Skip
|
|
# the side-effects guard there; locally the check still
|
|
# catches accidental docker resource creation by the dry
|
|
# run.
|
|
check_side_effects = os.environ.get("GITEA_ACTIONS") != "true"
|
|
nets_before = self._count_claude_bottle_networks() if check_side_effects else 0
|
|
ctrs_before = self._count_claude_bottle_containers() if check_side_effects else 0
|
|
|
|
env = os.environ.copy()
|
|
env["HOME"] = str(work_dir)
|
|
env.pop("CLAUDE_BOTTLE_DRY_RUN", None)
|
|
# The HOME override above isolates the manifest under test
|
|
# from the dev's real ~/claude-bottle.json. On Docker Desktop
|
|
# that same override breaks docker CLI endpoint resolution,
|
|
# since the active context lives in $HOME/.docker/config.json
|
|
# and the per-user socket sits under $HOME/.docker/run/.
|
|
# Pin DOCKER_HOST to the parent's resolved endpoint so the
|
|
# subprocess reaches the same daemon regardless of $HOME.
|
|
endpoint = subprocess.run(
|
|
["docker", "context", "inspect",
|
|
"--format", "{{.Endpoints.docker.Host}}"],
|
|
capture_output=True, text=True, check=True,
|
|
).stdout.strip()
|
|
if endpoint:
|
|
env["DOCKER_HOST"] = endpoint
|
|
result = subprocess.run(
|
|
[
|
|
sys.executable, str(REPO_ROOT / "cli.py"),
|
|
"start", "--dry-run", "--format", "json", "demo",
|
|
],
|
|
cwd=work_dir,
|
|
env=env,
|
|
capture_output=True,
|
|
text=True,
|
|
check=False,
|
|
)
|
|
self.assertEqual(
|
|
0, result.returncode,
|
|
f"start --dry-run failed: stderr={result.stderr}",
|
|
)
|
|
|
|
plan = json.loads(result.stdout)
|
|
|
|
self.assertEqual("demo", plan["agent"])
|
|
self.assertEqual("dev", plan["bottle"])
|
|
# PRD 0011: bottles can only come from $HOME; this field
|
|
# is the positive audit signal.
|
|
self.assertEqual("home", plan["bottle_source"])
|
|
self.assertEqual("runc", plan["runtime"],
|
|
"runsc isn't available on the CI runner")
|
|
self.assertEqual([], plan["skills"])
|
|
self.assertEqual([], plan["git_remotes"])
|
|
self.assertEqual([], plan["git_gate"])
|
|
self.assertEqual(False, plan["remote_control"])
|
|
self.assertEqual(0, plan["prompt"]["length"])
|
|
|
|
# User-declared host + a baked default both present; the union
|
|
# is sorted and deduplicated.
|
|
hosts = plan["egress"]["hosts"]
|
|
self.assertIn("example.org", hosts)
|
|
self.assertIn("api.anthropic.com", hosts)
|
|
self.assertEqual(plan["egress"]["host_count"], len(hosts))
|
|
self.assertEqual(sorted(set(hosts)), hosts,
|
|
"hosts must be sorted and deduplicated")
|
|
|
|
# PRD 0006: TLS interception is on for every launched
|
|
# bottle. Fingerprint is null at dry-run (no CA exists
|
|
# yet); real launches log it from provision_ca.
|
|
self.assertEqual(
|
|
{"enabled": True, "ca_fingerprint": None},
|
|
plan["egress"]["tls_interception"],
|
|
)
|
|
|
|
# No Docker side effects (see the GITEA_ACTIONS skip note
|
|
# above — this guard runs locally only).
|
|
if check_side_effects:
|
|
self.assertEqual(nets_before, self._count_claude_bottle_networks(),
|
|
"no networks created")
|
|
self.assertEqual(ctrs_before, self._count_claude_bottle_containers(),
|
|
"no containers created")
|
|
finally:
|
|
import shutil
|
|
shutil.rmtree(work_dir, ignore_errors=True)
|
|
|
|
def _count_claude_bottle_networks(self) -> int:
|
|
return self._count_with_prefix(
|
|
["docker", "network", "ls", "--format", "{{.Name}}"], "claude-bottle"
|
|
)
|
|
|
|
def _count_claude_bottle_containers(self) -> int:
|
|
return self._count_with_prefix(
|
|
["docker", "ps", "-a", "--format", "{{.Names}}"], "claude-bottle"
|
|
)
|
|
|
|
def _count_with_prefix(self, cmd: list[str], prefix: str) -> int:
|
|
# capture_output + explicit returncode check so a docker
|
|
# failure surfaces its stderr in the test report instead of
|
|
# the bare CalledProcessError we used to get.
|
|
result = subprocess.run(cmd, capture_output=True, text=True, check=False)
|
|
if result.returncode != 0:
|
|
self.fail(
|
|
f"{' '.join(cmd)!r} failed (exit {result.returncode}): "
|
|
f"stderr={result.stderr.strip()!r}"
|
|
)
|
|
return sum(1 for n in result.stdout.splitlines() if n.startswith(prefix))
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main()
|