Fix the WAF User-Agent gap: the two pynetbox importers could never write upstream
A C2 blocker, measured 2026-07-14: upstream netbox.baldurkeep.com 403s the default
Python User-Agent (references/platform-traps.md) -- curl->200, urllib/pynetbox->403.
The stdlib tools (prod-draft-dump/sandbox-seed/d115-office-carve) already send an
accepted UA, but roles-aggregates-import.py and dc-dc-prefixes-import.py built
pynetbox.api() with the DEFAULT UA and never overrode it. So they would 403 against
upstream -- they could only ever have written to the WAF-less sandbox, never to the
apex C2 must feed. The gap was invisible because every real run so far hit the sandbox.

Fix: get_nb() sets nb.http_session.headers["User-Agent"] = "curl/8.5.0" in both
(same value/rationale as the stdlib tools; pynetbox exposes its requests.Session).

Tests: prefixes-import 85->86 (the fake now has .http_session; the UA is asserted at
RUNTIME, not by source grep). roles-aggregates 19->20. GAUNTLET ALL GREEN (58).

Still open for C2 (logged in the changelog): pynetbox is NOT on vcloud, so the two
importers must run on office1-netbox (has pynetbox 7.0.0); the sandbox re-verify
needs the operator-held token; the upstream write stays operator-gated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 585fb92 commit cb83f8e1064f4757395079d727629abdc6337ec4
@JANeumatrix JANeumatrix authored 21 hours ago
Showing 6 changed files
View
docs/changelog-20260714-netbox-importers-waf-useragent.md 0 → 100644
View
netbox/dc-dc-prefixes-import.py
View
netbox/roles-aggregates-import.py
View
tests/dc-dc-prefixes-import/fake_pynetbox.py
View
tests/dc-dc-prefixes-import/test_logic.py
View
tests/roles-aggregates-import/run-tests.sh