refactor(egress): use provisioned_env instead of sentinel for Codex token (PRD 0030)

Add `provisioned_env: dict[str, str]` to `AgentProvisionPlan`. When
`forward_host_credentials=True`, `agent_provision_plan` reads the host
Codex access token at prepare time and stores it under
`CODEX_HOST_CREDENTIAL_TOKEN_REF`. Both backends merge `provisioned_env`
over `os.environ` before calling `egress_resolve_token_values`, so the
token slot resolves like any other manifest-declared token ref.

Removes `egress_resolve_token_values_with_provider` and the sentinel
`continue` skip from `egress_resolve_token_values`. The function is now
fully generic — it neither knows nor cares about provider identity.

bot_bottle/backend/docker/launch.py

@@ -42,7 +42,7 @@ from contextlib import ExitStack, contextmanager
 from pathlib import Path
 from typing import Callable, Generator
 
-from ...egress import egress_resolve_token_values_with_provider
+from ...egress import egress_resolve_token_values
 from ...log import info
 from . import network as network_mod
 from . import util as docker_mod
@@ -176,11 +176,9 @@ def launch(
         # Step 7: compose up. Token values + the OAuth placeholder
         # flow through subprocess env; the compose file holds only
         # bare names for the secret-carrying entries.
-        bottle = plan.spec.manifest.bottle_for(plan.spec.agent_name)
-        token_values = egress_resolve_token_values_with_provider(
-            plan.egress_plan.token_env_map,
-            bottle.agent_provider.forward_host_credentials,
-            dict(os.environ),
+        effective_env = {**dict(os.environ), **plan.agent_provision.provisioned_env}
+        token_values = egress_resolve_token_values(
+            plan.egress_plan.token_env_map, effective_env,
         )
         compose_env: dict[str, str] = {
             **os.environ,

bot_bottle/backend/smolmachines/launch.py

@@ -28,7 +28,7 @@ from typing import Callable, Generator
 
 from ...egress import (
     EGRESS_ROUTES_IN_CONTAINER,
-    egress_resolve_token_values_with_provider,
+    egress_resolve_token_values,
 )
 from ...pipelock import (
     PIPELOCK_CA_CERT_IN_CONTAINER,
@@ -423,12 +423,8 @@ def _resolve_token_env(
     """Resolve the egress token env-var values from the host's
     environ so they reach the bundle's process env via docker's
     `-e NAME` inheritance. Empty when no routes declare auth."""
-    bottle = plan.spec.manifest.bottle_for(plan.spec.agent_name)
-    return egress_resolve_token_values_with_provider(
-        plan.egress_plan.token_env_map,
-        bottle.agent_provider.forward_host_credentials,
-        host_env,
-    )
+    effective_env = {**host_env, **plan.agent_provision.provisioned_env}
+    return egress_resolve_token_values(plan.egress_plan.token_env_map, effective_env)
 
 
 def _ensure_smolmachine(image_ref: str, *, dockerfile: str = "") -> Path: