refactor(docker): inline pipelock_write_yaml body into prepare_proxy

The yaml generation logic moves wholesale onto DockerBottleBackend
where it's used. pipelock_write_yaml is deleted; pipelock.py keeps
the allowlist resolution helpers (still called by prepare_proxy and
by pipelock_allowlist_summary).

The pipelock_start error message that referenced "pipelock_write_yaml
must run first" now says "backend.prepare_proxy must run first."

tests/test_pipelock_yaml.py rewritten to drive DockerBottleBackend().
prepare_proxy(spec, yaml_path); test_pipelock_sidecar_smoke.py call
site updated similarly. Same coverage at the new location.

claude_bottle/backend/docker/backend.py

@@ -102,7 +102,7 @@ class DockerBottleBackend(BottleBackend):
         prompt_file.write_text("")
         prompt_file.chmod(0o600)
 
-        pipelock.pipelock_write_yaml(manifest, bottle_name, pipelock_yaml)
+        self.prepare_proxy(spec, pipelock_yaml)
         env_resolve(manifest, spec.agent_name, env_file, args_file)
         prompt_file.write_text(agent.prompt)
 
@@ -127,6 +127,51 @@ class DockerBottleBackend(BottleBackend):
             use_runsc=use_runsc,
         )
 
+    def prepare_proxy(self, spec: BottleSpec, yaml_path: Path) -> None:
+        """Write the pipelock proxy's yaml config (mode 600) to
+        `yaml_path` for the sidecar to consume when it boots in
+        `launch`. Carries the effective allowlist (bottle.egress.allowlist
+        UNION claude-bottle defaults UNION ssh hostnames), a fixed
+        listen port, strict mode + forward_proxy + DLP defaults +
+        scan_env. Deliberately contains no env values, no secrets, no
+        per-agent customization beyond the hostname list."""
+        bottle_name = spec.manifest.agents[spec.agent_name].bottle
+        allowlist = pipelock.pipelock_effective_allowlist(spec.manifest, bottle_name)
+        trusted = pipelock.pipelock_bottle_ssh_trusted_domains(spec.manifest, bottle_name)
+        ip_cidrs = pipelock.pipelock_bottle_ssh_ip_cidrs(spec.manifest, bottle_name)
+
+        lines: list[str] = []
+        lines.append("version: 1")
+        lines.append("mode: strict")
+        lines.append("enforce: true")
+        lines.append("")
+        lines.append("# Hostnames the agent is allowed to reach. Effective list is")
+        lines.append("# claude-bottle defaults UNION bottle.egress.allowlist (sorted, deduped).")
+        lines.append("api_allowlist:")
+        for h in allowlist:
+            lines.append(f'  - "{h}"')
+        lines.append("")
+        lines.append("forward_proxy:")
+        lines.append("  enabled: true")
+        lines.append("")
+        if trusted:
+            lines.append("trusted_domains:")
+            for td in trusted:
+                lines.append(f'  - "{td}"')
+            lines.append("")
+        if ip_cidrs:
+            lines.append("ssrf:")
+            lines.append("  ip_allowlist:")
+            for cidr in ip_cidrs:
+                lines.append(f'    - "{cidr}"')
+            lines.append("")
+        lines.append("dlp:")
+        lines.append("  include_defaults: true")
+        lines.append("  scan_env: true")
+
+        yaml_path.write_text("\n".join(lines) + "\n")
+        yaml_path.chmod(0o600)
+
     @contextmanager
     def launch(self, plan: BottlePlan) -> Iterator[DockerBottle]:
         """Build, launch, and provision a Docker bottle. Teardown on exit."""

claude_bottle/pipelock.py

@@ -119,53 +119,6 @@ def pipelock_allowlist_summary(manifest: Manifest, bottle_name: str) -> str:
     return f"{count} hosts allowed ({joined})"
 
 
-# --- YAML generation -------------------------------------------------------
-
-
-def pipelock_write_yaml(manifest: Manifest, bottle_name: str, out_path: Path) -> None:
-    """Write a pipelock YAML config (mode 600) carrying:
-      - the effective allowlist (hostnames),
-      - a fixed listen port,
-      - strict mode + forward_proxy.enabled + DLP defaults + scan_env.
-
-    Deliberately contains no env values, no secrets, no per-agent
-    customization beyond the hostname list."""
-    allowlist = pipelock_effective_allowlist(manifest, bottle_name)
-    trusted = pipelock_bottle_ssh_trusted_domains(manifest, bottle_name)
-    ip_cidrs = pipelock_bottle_ssh_ip_cidrs(manifest, bottle_name)
-
-    lines: list[str] = []
-    lines.append("version: 1")
-    lines.append("mode: strict")
-    lines.append("enforce: true")
-    lines.append("")
-    lines.append("# Hostnames the agent is allowed to reach. Effective list is")
-    lines.append("# claude-bottle defaults UNION bottle.egress.allowlist (sorted, deduped).")
-    lines.append("api_allowlist:")
-    for h in allowlist:
-        lines.append(f'  - "{h}"')
-    lines.append("")
-    lines.append("forward_proxy:")
-    lines.append("  enabled: true")
-    lines.append("")
-    if trusted:
-        lines.append("trusted_domains:")
-        for td in trusted:
-            lines.append(f'  - "{td}"')
-        lines.append("")
-    if ip_cidrs:
-        lines.append("ssrf:")
-        lines.append("  ip_allowlist:")
-        for cidr in ip_cidrs:
-            lines.append(f'    - "{cidr}"')
-        lines.append("")
-    lines.append("dlp:")
-    lines.append("  include_defaults: true")
-    lines.append("  scan_env: true")
-
-    out_path.write_text("\n".join(lines) + "\n")
-    out_path.chmod(0o600)
-
 
 # --- Sidecar lifecycle -----------------------------------------------------
 
@@ -188,7 +141,7 @@ def pipelock_start(
     name = pipelock_container_name(slug)
     host_yaml = yaml_dir / yaml_filename
     if not host_yaml.is_file():
-        die(f"pipelock yaml not found at {host_yaml}; pipelock_write_yaml must run first")
+        die(f"pipelock yaml not found at {host_yaml}; backend.prepare_proxy must run first")
 
     info(f"starting pipelock sidecar {name} on network {internal_network}")