dev-bubble 0.7.2__tar.gz → 0.7.3__tar.gz

{dev_bubble-0.7.2 → dev_bubble-0.7.3}/.claude/CLAUDE.md

@@ -114,7 +114,7 @@ Bubbles can run on a remote machine instead of locally. The `--ssh HOST` flag (o
 
 **Priority chain for remote host resolution:** `--local` > `--ssh HOST` > `--cloud` > `[cloud] default` > `[remote] default_host`
 
-**State:** `~/.bubble/cloud.json` tracks server ID, IP, SSH key ID. Token comes from `HETZNER_TOKEN` env var (never stored).
+**State:** `~/.bubble/cloud.json` tracks server ID, IP, SSH key ID. Token comes from `HCLOUD_TOKEN` env var (never stored).
 
 ### User Customization Script
 Users can place a `customize.sh` script at `~/.bubble/customize.sh` to run custom setup in all container images. The script runs as root as the final step when building any image (base, lean, lean-v4.X.Y). This lets users add tools, dotfiles, shell config, etc. without forking image scripts. The script's content hash is tracked in `~/.bubble/customize-hash`; on `bubble open`, if the hash differs from the stored value, a background rebuild of the base image is triggered (same pattern as VS Code commit hash drift). Code is in `builder.py` (`customize_hash()`, `_run_customize_script()`).

{dev_bubble-0.7.2 → dev_bubble-0.7.3}/CHANGELOG.md

@@ -278,8 +278,8 @@
 - `bubble config accept-risks` silences on-by-default warnings; `bubble config lockdown` disables off-by-default features
 - Security warnings printed to stderr for all `auto` settings during `bubble open`
 - `BUBBLE_QUIET_SECURITY=1` env var suppresses warnings for CI/automation
-- Settings: `shared_cache`, `user_mounts`, `network_github`, `relay`, `claude_credentials`, `host_key_trust`, `git_manifest_trust`
-- When `shared_cache=off`, shared mounts are read-only; when `network_github=off`, GitHub domains stripped from allowlist
+- Settings: `shared_cache`, `user_mounts`, `relay`, `claude_credentials`, `host_key_trust`, `git_manifest_trust`
+- When `shared_cache=off`, shared mounts are read-only
 - When `user_mounts=off` or `claude_credentials=off`, corresponding CLI flags are rejected
 - Relay enable/disable migrated to `[security] relay` with backwards compatibility for `[relay] enabled`
 - Replaces ad-hoc "Tip: use --claude-credentials" message with unified security warning system

{dev_bubble-0.7.2/dev_bubble.egg-info → dev_bubble-0.7.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dev-bubble
-Version: 0.7.2
+Version: 0.7.3
 Summary: Containerized development environments powered by Incus
 Author-email: Kim Morrison <kim@tqft.net>
 License-Expression: Apache-2.0
@@ -34,7 +34,10 @@ Dynamic: license-file
 
 # bubble
 
-Containerized development environments for the Lean language, powered by [Incus](https://linuxcontainers.org/incus/).
+Containerized development environments,
+with opinionated presets for users of the [Lean](https://lean-lang.org/) programming language,
+powered by [Incus](https://linuxcontainers.org/incus/).
+We assume that you work using VSCode, emacs, or neovim, and that you collaborate via GitHub.
 
 ## Quick Start
 
@@ -51,6 +54,29 @@ bubble list
 
 See [Examples](#examples) for branches, local repos, issues, remote, and non-interactive use.
 
+## Use cases
+
+You might be worried about:
+* Reviewing and running Lean code from strangers.
+* Running an AI agent like Claude in "yolo" mode.
+* Managing work and AI threads across many repositories and branches.
+
+The `bubble` tool attempts to provide a fast, low-friction, secure solution to these problems.
+It launches containers pre-built for working with Lean (and your favorite AI tools),
+and handles repository management and caches behind the scenes.
+
+By working in containers, you can prevent AI tools from accidentally damaging your system
+(or other repositories you have access to)
+and handle potentially adversarial code from other humans or agents.
+Opening Lean files from untrusted sources
+(e.g. reviewing code, or supply chain attacks on your upstream dependencies)
+can execute arbitrary code, so if you regularly do this you should be using containers.
+
+`bubble` also allows you to limit how your GitHub access can be used:
+containers don't have direct access to GitHub, and never see your authorization token,
+but interact through a restricted proxy.
+You can choose via the `bubble security` tool the capability/security trade-off you prefer.
+
 ## Examples
 
 ```bash
@@ -121,7 +147,7 @@ Each "bubble" is a lightweight Linux container (via Incus) with:
 
 **Language hooks**: bubble automatically detects the project's language and selects the right image. For Lean 4 projects (detected via `lean-toolchain`), the container includes elan, pre-installed VS Code extensions, and auto-downloads the mathlib cache when needed.
 
-**Network allowlisting**: Containers can only reach allowed domains (GitHub by default, plus language-specific domains like `releases.lean-lang.org` for Lean). IPv6 is blocked, DNS is restricted to the container resolver, and outbound SSH is blocked. Configurable in `~/.bubble/config.toml`.
+**Network allowlisting**: Containers can only reach allowed domains (language-specific domains like `releases.lean-lang.org` for Lean, plus any configured in `~/.bubble/config.toml`). Direct GitHub access is blocked by iptables — all GitHub traffic is forced through the auth proxy, which enforces repo-scoping and rate limits. IPv6 is blocked, DNS is restricted to the container resolver, and outbound SSH is blocked.
 
 ## Requirements
 
@@ -148,21 +174,37 @@ Each "bubble" is a lightweight Linux container (via Incus) with:
 | `bubble cloud default on\|off` | Set cloud as the default for all bubbles |
 | `bubble cloud ssh` | SSH directly to the cloud server |
 | `bubble tools list\|set\|status` | Manage tools installed in container images |
+| `bubble security [set\|permissive\|lockdown\|default]` | Review and manage security posture |
 | `bubble doctor` | Diagnose and fix common issues |
 
+## Security
+
+- **No sudo**: The `user` account has no sudo access and a locked password
+- **Network allowlisting**: iptables rules restrict outbound connections to allowed domains only
+- **IPv6 blocked**: All IPv6 traffic is dropped
+- **DNS restricted**: DNS queries only go to the container's configured resolver
+- **No outbound SSH**: Containers cannot SSH out (VSCode uses `incus exec` ProxyCommand)
+- **SSH key-only auth**: Password authentication is disabled
+- **Shell injection hardening**: All user-supplied values are quoted with `shlex.quote()`
+- **Per-repo git mount**: Each container only sees its own bare repo, not the entire git store
+- **Bubble-in-bubble relay**: Containers can open new bubbles on the host, but only for repos already cloned in `~/.bubble/git/`. Disable with `bubble security set relay off`
+- **GitHub auth proxy**: Host token never enters containers. Git and REST API are repo-scoped. **GraphQL queries are read-only but account-wide** — can read any data the host token can access. API access can be set to `off`, `on` (read-only, the default), or `read-write` (enables mutations) via `bubble security set github-api`
+- **Shared mathlib cache**: The mathlib cache at `~/.bubble/mathlib-cache/` is shared across Lean containers. Modes: `on` (default) = read-write (a compromised container could poison cached artifacts), `off` = read-only (prevents poisoning), `overlay` = read-only with per-container writable overlay. This cache is *not* shared with `lake exe cache` run outside a bubble. Configure with `bubble security set shared-cache`. If you suspect poisoning, delete `~/.bubble/mathlib-cache/`.
+
 ## Images
 
-Images are built automatically on first use.
+Images are built automatically on first use. Any enabled [tools](#tools) are installed in the `base` image and inherited by all derived images.
 
 | Image | Contents |
 |-------|----------|
-| `base` | Ubuntu 24.04, git, openssh-server, build-essential, pre-baked VS Code Server |
-| `lean` | base + elan, leantar, VS Code Lean 4 extension, auto-cache extension |
+| `base` | Ubuntu 24.04, git, openssh-server, build-essential, plus configured tools |
+| `lean` | base + leantar (+ elan fallback if not installed as a tool) |
+| `python` | base + uv, ruff |
 | `lean-v4.X.Y` | lean + specific toolchain pre-installed (built lazily on demand) |
 
-`base` and `lean` are static images you can rebuild with `bubble images build <name>`. Versioned `lean-v4.X.Y` images are built automatically in the background when a project uses a stable/RC toolchain not yet cached — the current bubble proceeds immediately with elan downloading the toolchain on demand, and the next bubble for that version starts instantly.
+`base`, `lean`, and `python` are static images you can rebuild with `bubble images build <name>`. Versioned `lean-v4.X.Y` images are built automatically in the background when a project uses a stable/RC toolchain not yet cached — the current bubble proceeds immediately with elan downloading the toolchain on demand, and the next bubble for that version starts instantly.
 
-For mathlib or mathlib-dependent projects, a VS Code terminal automatically runs `lake exe cache get` when the workspace opens.
+When VS Code is the configured editor and elan is installed, the base image also includes pre-baked VS Code Lean 4 extensions and an auto-cache extension. For mathlib or mathlib-dependent projects, a VS Code terminal automatically runs `lake exe cache get` when the workspace opens.
 
 ## Configuration
 
@@ -203,7 +245,7 @@ Tools like Claude Code and OpenAI Codex can be installed in container images. Ea
 
 ```bash
 bubble tools list                  # show all tools and their settings
-bubble tools set claude yes   # always install
+bubble tools set claude yes        # always install
 bubble tools set codex no          # never install
 bubble tools status                # show what would actually be installed
 ```
@@ -239,7 +281,7 @@ Run bubbles on auto-provisioned Hetzner Cloud servers. The server shuts down aut
 2. Go to your project → Security → API Tokens → Generate API Token (read/write)
 3. Set the token in your environment:
    ```bash
-   export HETZNER_TOKEN="your-token-here"
+   export HCLOUD_TOKEN="your-token-here"
    ```
 4. Install the cloud dependency:
    ```bash
@@ -319,37 +361,21 @@ location = "fsn1"            # datacenter: fsn1, nbg1, hel1, ash, hil
 idle_timeout = 900           # seconds before idle shutdown (default: 900 = 15min)
 ```
 
-The `HETZNER_TOKEN` environment variable is always required — the token is never stored on disk.
+The `HCLOUD_TOKEN` environment variable is always required — the token is never stored on disk.
 
 ## Bubble-in-Bubble
 
-You can run `bubble` from inside a container to open another bubble on the host. This is useful when reviewing a related PR while working on a feature branch.
+You can run `bubble` from inside a container to open another bubble on the host. This is enabled by default and is useful when reviewing a related PR while working on a feature branch.
 
 ```bash
-# On the host: enable the relay (one-time setup)
-bubble relay enable
-
 # Inside a container: open another bubble
 bubble leanprover/lean4/pull/456
 bubble mathlib4
 ```
 
-The relay only allows opening repos already cloned in `~/.bubble/git/` — it cannot trigger cloning of new repos. Local paths are rejected. Existing bubbles need to be recreated after enabling the relay to get the relay socket.
-
-## Security
-
-- **No sudo**: The `user` account has no sudo access and a locked password
-- **Network allowlisting**: iptables rules restrict outbound connections to allowed domains only
-- **IPv6 blocked**: All IPv6 traffic is dropped
-- **DNS restricted**: DNS queries only go to the container's configured resolver
-- **No outbound SSH**: Containers cannot SSH out (VSCode uses `incus exec` ProxyCommand)
-- **SSH key-only auth**: Password authentication is disabled
-- **Shell injection hardening**: All user-supplied values are quoted with `shlex.quote()`
-- **Per-repo git mount**: Each container only sees its own bare repo, not the entire git store
-- **GitHub auth proxy**: Host token never enters containers. Git and REST API are repo-scoped. **GraphQL queries are read-only but account-wide** — can read any data the host token can access. Disable API access with `bubble security set github-api off`
-- **Shared mathlib cache**: When `shared_cache` is enabled (the default), the mathlib cache at `~/.bubble/mathlib-cache/` is mounted **read-write** into every Mathlib-using Lean container. A compromised container could write poisoned build artifacts that would be picked up by subsequent containers running `lake exe cache get`. This cache is *not* shared with `lake exe cache` run outside a bubble — it only affects bubble containers. To prevent future poisoning, run `bubble security set shared-cache off`, which mounts the cache read-only. If you suspect the cache has already been compromised, delete `~/.bubble/mathlib-cache/`.
+The relay only allows opening repos already cloned in `~/.bubble/git/` — it cannot trigger cloning of new repos. Local paths are rejected. To disable the relay, run `bubble security set relay off`.
 
-### Known Limitations
+## Other Security Limitations
 
 These are inherent consequences of the architecture, not bugs. Understanding them helps you make informed trust decisions.
 
@@ -361,7 +387,7 @@ These are inherent consequences of the architecture, not bugs. Understanding the
 
 4. **Boot-time network window**: There is a brief window between container launch and iptables rule application during which the container has unrestricted network access. No user code runs during this window with stock images.
 
-5. **Auth proxy token visibility**: The per-container auth proxy token is stored in the user's git config and in `/etc/profile.d/bubble-gh.sh` (mode 644). Any process in the container can read it. The token is scoped to one repository and access level for git and REST API requests, but GraphQL queries (level 3+) are not repo-scoped and can read any data the host token can access.
+5. **Auth proxy token visibility**: The per-container auth proxy token (an internal bubble token, not a GitHub token) is stored in the user's git config and in `/etc/profile.d/bubble-gh.sh` (mode 644). Any process in the container can read it and use it to make requests through the auth proxy. The proxy enforces repo-scoping for git and REST API requests, but GraphQL queries (level 3+) are not repo-scoped and can read any data the host's GitHub token can access.
 
 ## License
 

{dev_bubble-0.7.2 → dev_bubble-0.7.3}/README.md

@@ -1,6 +1,9 @@
 # bubble
 
-Containerized development environments for the Lean language, powered by [Incus](https://linuxcontainers.org/incus/).
+Containerized development environments,
+with opinionated presets for users of the [Lean](https://lean-lang.org/) programming language,
+powered by [Incus](https://linuxcontainers.org/incus/).
+We assume that you work using VSCode, emacs, or neovim, and that you collaborate via GitHub.
 
 ## Quick Start
 
@@ -17,6 +20,29 @@ bubble list
 
 See [Examples](#examples) for branches, local repos, issues, remote, and non-interactive use.
 
+## Use cases
+
+You might be worried about:
+* Reviewing and running Lean code from strangers.
+* Running an AI agent like Claude in "yolo" mode.
+* Managing work and AI threads across many repositories and branches.
+
+The `bubble` tool attempts to provide a fast, low-friction, secure solution to these problems.
+It launches containers pre-built for working with Lean (and your favorite AI tools),
+and handles repository management and caches behind the scenes.
+
+By working in containers, you can prevent AI tools from accidentally damaging your system
+(or other repositories you have access to)
+and handle potentially adversarial code from other humans or agents.
+Opening Lean files from untrusted sources
+(e.g. reviewing code, or supply chain attacks on your upstream dependencies)
+can execute arbitrary code, so if you regularly do this you should be using containers.
+
+`bubble` also allows you to limit how your GitHub access can be used:
+containers don't have direct access to GitHub, and never see your authorization token,
+but interact through a restricted proxy.
+You can choose via the `bubble security` tool the capability/security trade-off you prefer.
+
 ## Examples
 
 ```bash
@@ -87,7 +113,7 @@ Each "bubble" is a lightweight Linux container (via Incus) with:
 
 **Language hooks**: bubble automatically detects the project's language and selects the right image. For Lean 4 projects (detected via `lean-toolchain`), the container includes elan, pre-installed VS Code extensions, and auto-downloads the mathlib cache when needed.
 
-**Network allowlisting**: Containers can only reach allowed domains (GitHub by default, plus language-specific domains like `releases.lean-lang.org` for Lean). IPv6 is blocked, DNS is restricted to the container resolver, and outbound SSH is blocked. Configurable in `~/.bubble/config.toml`.
+**Network allowlisting**: Containers can only reach allowed domains (language-specific domains like `releases.lean-lang.org` for Lean, plus any configured in `~/.bubble/config.toml`). Direct GitHub access is blocked by iptables — all GitHub traffic is forced through the auth proxy, which enforces repo-scoping and rate limits. IPv6 is blocked, DNS is restricted to the container resolver, and outbound SSH is blocked.
 
 ## Requirements
 
@@ -114,21 +140,37 @@ Each "bubble" is a lightweight Linux container (via Incus) with:
 | `bubble cloud default on\|off` | Set cloud as the default for all bubbles |
 | `bubble cloud ssh` | SSH directly to the cloud server |
 | `bubble tools list\|set\|status` | Manage tools installed in container images |
+| `bubble security [set\|permissive\|lockdown\|default]` | Review and manage security posture |
 | `bubble doctor` | Diagnose and fix common issues |
 
+## Security
+
+- **No sudo**: The `user` account has no sudo access and a locked password
+- **Network allowlisting**: iptables rules restrict outbound connections to allowed domains only
+- **IPv6 blocked**: All IPv6 traffic is dropped
+- **DNS restricted**: DNS queries only go to the container's configured resolver
+- **No outbound SSH**: Containers cannot SSH out (VSCode uses `incus exec` ProxyCommand)
+- **SSH key-only auth**: Password authentication is disabled
+- **Shell injection hardening**: All user-supplied values are quoted with `shlex.quote()`
+- **Per-repo git mount**: Each container only sees its own bare repo, not the entire git store
+- **Bubble-in-bubble relay**: Containers can open new bubbles on the host, but only for repos already cloned in `~/.bubble/git/`. Disable with `bubble security set relay off`
+- **GitHub auth proxy**: Host token never enters containers. Git and REST API are repo-scoped. **GraphQL queries are read-only but account-wide** — can read any data the host token can access. API access can be set to `off`, `on` (read-only, the default), or `read-write` (enables mutations) via `bubble security set github-api`
+- **Shared mathlib cache**: The mathlib cache at `~/.bubble/mathlib-cache/` is shared across Lean containers. Modes: `on` (default) = read-write (a compromised container could poison cached artifacts), `off` = read-only (prevents poisoning), `overlay` = read-only with per-container writable overlay. This cache is *not* shared with `lake exe cache` run outside a bubble. Configure with `bubble security set shared-cache`. If you suspect poisoning, delete `~/.bubble/mathlib-cache/`.
+
 ## Images
 
-Images are built automatically on first use.
+Images are built automatically on first use. Any enabled [tools](#tools) are installed in the `base` image and inherited by all derived images.
 
 | Image | Contents |
 |-------|----------|
-| `base` | Ubuntu 24.04, git, openssh-server, build-essential, pre-baked VS Code Server |
-| `lean` | base + elan, leantar, VS Code Lean 4 extension, auto-cache extension |
+| `base` | Ubuntu 24.04, git, openssh-server, build-essential, plus configured tools |
+| `lean` | base + leantar (+ elan fallback if not installed as a tool) |
+| `python` | base + uv, ruff |
 | `lean-v4.X.Y` | lean + specific toolchain pre-installed (built lazily on demand) |
 
-`base` and `lean` are static images you can rebuild with `bubble images build <name>`. Versioned `lean-v4.X.Y` images are built automatically in the background when a project uses a stable/RC toolchain not yet cached — the current bubble proceeds immediately with elan downloading the toolchain on demand, and the next bubble for that version starts instantly.
+`base`, `lean`, and `python` are static images you can rebuild with `bubble images build <name>`. Versioned `lean-v4.X.Y` images are built automatically in the background when a project uses a stable/RC toolchain not yet cached — the current bubble proceeds immediately with elan downloading the toolchain on demand, and the next bubble for that version starts instantly.
 
-For mathlib or mathlib-dependent projects, a VS Code terminal automatically runs `lake exe cache get` when the workspace opens.
+When VS Code is the configured editor and elan is installed, the base image also includes pre-baked VS Code Lean 4 extensions and an auto-cache extension. For mathlib or mathlib-dependent projects, a VS Code terminal automatically runs `lake exe cache get` when the workspace opens.
 
 ## Configuration
 
@@ -169,7 +211,7 @@ Tools like Claude Code and OpenAI Codex can be installed in container images. Ea
 
 ```bash
 bubble tools list                  # show all tools and their settings
-bubble tools set claude yes   # always install
+bubble tools set claude yes        # always install
 bubble tools set codex no          # never install
 bubble tools status                # show what would actually be installed
 ```
@@ -205,7 +247,7 @@ Run bubbles on auto-provisioned Hetzner Cloud servers. The server shuts down aut
 2. Go to your project → Security → API Tokens → Generate API Token (read/write)
 3. Set the token in your environment:
    ```bash
-   export HETZNER_TOKEN="your-token-here"
+   export HCLOUD_TOKEN="your-token-here"
    ```
 4. Install the cloud dependency:
    ```bash
@@ -285,37 +327,21 @@ location = "fsn1"            # datacenter: fsn1, nbg1, hel1, ash, hil
 idle_timeout = 900           # seconds before idle shutdown (default: 900 = 15min)
 ```
 
-The `HETZNER_TOKEN` environment variable is always required — the token is never stored on disk.
+The `HCLOUD_TOKEN` environment variable is always required — the token is never stored on disk.
 
 ## Bubble-in-Bubble
 
-You can run `bubble` from inside a container to open another bubble on the host. This is useful when reviewing a related PR while working on a feature branch.
+You can run `bubble` from inside a container to open another bubble on the host. This is enabled by default and is useful when reviewing a related PR while working on a feature branch.
 
 ```bash
-# On the host: enable the relay (one-time setup)
-bubble relay enable
-
 # Inside a container: open another bubble
 bubble leanprover/lean4/pull/456
 bubble mathlib4
 ```
 
-The relay only allows opening repos already cloned in `~/.bubble/git/` — it cannot trigger cloning of new repos. Local paths are rejected. Existing bubbles need to be recreated after enabling the relay to get the relay socket.
-
-## Security
-
-- **No sudo**: The `user` account has no sudo access and a locked password
-- **Network allowlisting**: iptables rules restrict outbound connections to allowed domains only
-- **IPv6 blocked**: All IPv6 traffic is dropped
-- **DNS restricted**: DNS queries only go to the container's configured resolver
-- **No outbound SSH**: Containers cannot SSH out (VSCode uses `incus exec` ProxyCommand)
-- **SSH key-only auth**: Password authentication is disabled
-- **Shell injection hardening**: All user-supplied values are quoted with `shlex.quote()`
-- **Per-repo git mount**: Each container only sees its own bare repo, not the entire git store
-- **GitHub auth proxy**: Host token never enters containers. Git and REST API are repo-scoped. **GraphQL queries are read-only but account-wide** — can read any data the host token can access. Disable API access with `bubble security set github-api off`
-- **Shared mathlib cache**: When `shared_cache` is enabled (the default), the mathlib cache at `~/.bubble/mathlib-cache/` is mounted **read-write** into every Mathlib-using Lean container. A compromised container could write poisoned build artifacts that would be picked up by subsequent containers running `lake exe cache get`. This cache is *not* shared with `lake exe cache` run outside a bubble — it only affects bubble containers. To prevent future poisoning, run `bubble security set shared-cache off`, which mounts the cache read-only. If you suspect the cache has already been compromised, delete `~/.bubble/mathlib-cache/`.
+The relay only allows opening repos already cloned in `~/.bubble/git/` — it cannot trigger cloning of new repos. Local paths are rejected. To disable the relay, run `bubble security set relay off`.
 
-### Known Limitations
+## Other Security Limitations
 
 These are inherent consequences of the architecture, not bugs. Understanding them helps you make informed trust decisions.
 
@@ -327,7 +353,7 @@ These are inherent consequences of the architecture, not bugs. Understanding the
 
 4. **Boot-time network window**: There is a brief window between container launch and iptables rule application during which the container has unrestricted network access. No user code runs during this window with stock images.
 
-5. **Auth proxy token visibility**: The per-container auth proxy token is stored in the user's git config and in `/etc/profile.d/bubble-gh.sh` (mode 644). Any process in the container can read it. The token is scoped to one repository and access level for git and REST API requests, but GraphQL queries (level 3+) are not repo-scoped and can read any data the host token can access.
+5. **Auth proxy token visibility**: The per-container auth proxy token (an internal bubble token, not a GitHub token) is stored in the user's git config and in `/etc/profile.d/bubble-gh.sh` (mode 644). Any process in the container can read it and use it to make requests through the auth proxy. The proxy enforces repo-scoping for git and REST API requests, but GraphQL queries (level 3+) are not repo-scoped and can read any data the host's GitHub token can access.
 
 ## License
 

{dev_bubble-0.7.2 → dev_bubble-0.7.3}/SPEC.md

@@ -777,7 +777,7 @@ entry has a `remote_host` field. The command is forwarded via
 
 ### 8.1 Requirements
 
-- `HETZNER_TOKEN` environment variable (never stored)
+- `HCLOUD_TOKEN` environment variable (never stored)
 - `hcloud` Python package (optional dependency)
 
 ### 8.2 Commands
@@ -1104,7 +1104,6 @@ values: `auto`, `on`, `off`.
 
 | Setting | Auto default | Description |
 |---------|-------------|-------------|
-| `network-github` | on | GitHub domains in network allowlist |
 | `shared-cache` | on | Writable shared mounts (mathlib cache) — see [Lean 4 hook](#22-lean-4-hook) security note |
 | `user-mounts` | on | `--mount` flag support |
 | `git-manifest-trust` | on | Auto-clone Lake manifest dependencies |
@@ -1126,8 +1125,10 @@ user to `bubble security`. Suppressed by `BUBBLE_QUIET_SECURITY=1`.
 - `bubble security lockdown` — set all to `off`
 - `bubble security default` — reset all to `auto`
 
-When `network-github` is `off`, all GitHub-related domains are stripped from the
-network allowlist.
+**GitHub network access:** Direct GitHub network access (via iptables) is only
+allowed when `github-token-inject` is enabled (level 5). At all other auth
+levels (0–4), iptables blocks direct GitHub traffic and forces it through the
+auth proxy on loopback, which enforces repo-scoping and rate limits.
 
 ---
 

{dev_bubble-0.7.2 → dev_bubble-0.7.3}/bubble/__init__.py

@@ -1,3 +1,3 @@
 """bubble: Containerized development environments."""
 
-__version__ = "0.7.2"
+__version__ = "0.7.3"