refactor(docker): inline pipelock_write_yaml body into prepare_proxy

The yaml generation logic moves wholesale onto DockerBottleBackend
where it's used. pipelock_write_yaml is deleted; pipelock.py keeps
the allowlist resolution helpers (still called by prepare_proxy and
by pipelock_allowlist_summary).

The pipelock_start error message that referenced "pipelock_write_yaml
must run first" now says "backend.prepare_proxy must run first."

tests/test_pipelock_yaml.py rewritten to drive DockerBottleBackend().
prepare_proxy(spec, yaml_path); test_pipelock_sidecar_smoke.py call
site updated similarly. Same coverage at the new location.

tests/test_pipelock_yaml.py

@@ -1,20 +1,34 @@
-"""Unit: pipelock_write_yaml — produces a YAML config containing the
-expected top-level keys and per-bottle entries. We don't fully parse
-YAML; we grep for content shape."""
+"""Unit: DockerBottleBackend.prepare_proxy — produces a pipelock YAML
+config containing the expected top-level keys and per-bottle entries.
+We don't fully parse YAML; we grep for content shape."""
 
 import os
 import tempfile
 import unittest
 from pathlib import Path
 
+from claude_bottle.backend import BottleSpec
+from claude_bottle.backend.docker import DockerBottleBackend
 from claude_bottle.manifest import Manifest
-from claude_bottle.pipelock import pipelock_write_yaml
 from tests.fixtures import fixture_minimal, fixture_with_ssh
 
 
-class TestPipelockYaml(unittest.TestCase):
+def _spec(manifest: Manifest) -> BottleSpec:
+    """Construct a minimal BottleSpec around a fixture manifest. The
+    fixtures all define an agent named 'demo' on a bottle named 'dev'."""
+    return BottleSpec(
+        manifest=manifest,
+        agent_name="demo",
+        copy_cwd=False,
+        user_cwd="/tmp",
+        forward_oauth_token=False,
+    )
+
+
+class TestPrepareProxyYaml(unittest.TestCase):
     def setUp(self):
         self.out_dir = Path(tempfile.mkdtemp())
+        self.backend = DockerBottleBackend()
 
     def tearDown(self):
         import shutil
@@ -22,7 +36,7 @@ class TestPipelockYaml(unittest.TestCase):
 
     def test_minimal(self):
         yaml_path = self.out_dir / "min.yaml"
-        pipelock_write_yaml(fixture_minimal(), "dev", yaml_path)
+        self.backend.prepare_proxy(_spec(fixture_minimal()), yaml_path)
         content = yaml_path.read_text()
         self.assertIn("mode: strict", content)
         self.assertIn("enforce: true", content)
@@ -40,7 +54,7 @@ class TestPipelockYaml(unittest.TestCase):
 
     def test_ssh_blocks(self):
         yaml_path = self.out_dir / "ssh.yaml"
-        pipelock_write_yaml(fixture_with_ssh(), "dev", yaml_path)
+        self.backend.prepare_proxy(_spec(fixture_with_ssh()), yaml_path)
         content = yaml_path.read_text()
         self.assertIn("trusted_domains:", content)
         self.assertIn("github.com", content)
@@ -64,7 +78,7 @@ class TestPipelockYaml(unittest.TestCase):
             "agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
         })
         yaml_path = self.out_dir / "secret.yaml"
-        pipelock_write_yaml(manifest, "dev", yaml_path)
+        self.backend.prepare_proxy(_spec(manifest), yaml_path)
         content = yaml_path.read_text()
         self.assertNotIn("literal-value-should-not-appear", content)
         self.assertNotIn("MY_SECRET", content)
@@ -72,7 +86,7 @@ class TestPipelockYaml(unittest.TestCase):
 
     def test_file_mode_is_600(self):
         yaml_path = self.out_dir / "min.yaml"
-        pipelock_write_yaml(fixture_minimal(), "dev", yaml_path)
+        self.backend.prepare_proxy(_spec(fixture_minimal()), yaml_path)
         mode = os.stat(yaml_path).st_mode & 0o777
         self.assertEqual(0o600, mode)