Default agent-provider routes to the redact on-match policy

Provider routes (the agent talking to its own LLM API — api.anthropic.com,
the Codex backend, etc.) carry the whole conversation payload, which is the
worst source of token-shaped false positives. egress_routes_for_bottle now
fills outbound_on_match=redact on any provider route that doesn't set it
explicitly, so a match there is scrubbed and forwarded rather than blocked
or queued for the operator. A provider that sets the policy keeps its
choice; manifest routes still default to supervise.

Tests: provider route gets redact default, explicit provider policy
preserved, manifest route unaffected. README + PRD 0062 updated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01HnvBjPZC5V7qeQpFbQdDmS

docs/prds/0062-egress-supervisor-token-override.md

@@ -87,6 +87,15 @@ rendered `routes.yaml` (`egress_render_routes`), and the addon's `Route`
 request time. The `list-egress-routes` introspection endpoint round-trips it so
 the agent's proposals preserve it.
 
+**Provider routes default to `redact`.** Agent-provider routes (the agent
+talking to its own LLM API — `api.anthropic.com`, the Codex backend, etc.) are
+the worst source of token-shaped false positives because the whole
+conversation payload flows through them. `egress_routes_for_bottle` fills
+`outbound_on_match=redact` on any provider route that doesn't set it
+explicitly, so a match there is scrubbed and forwarded rather than blocked or
+queued. A provider that sets the policy keeps its choice; manifest routes are
+unaffected (they default to `supervise`).
+
 On an outbound block the addon dispatches on the resolved policy:
 
 - **Structural blocks always 403.** A `ScanResult` with no `matched` value