refactor(agent): move claude env defaults into plan

bot_bottle/agent_provider.py

@@ -121,6 +121,7 @@ def agent_provision_plan(
     guest_home: str = "/home/node",
     guest_env: dict[str, str] | None = None,
     forward_host_credentials: bool = False,
+    has_provider_auth: bool = False,
     host_env: dict[str, str] | None = None,
 ) -> AgentProvisionPlan:
     runtime = runtime_for(template)
@@ -171,6 +172,9 @@ def agent_provision_plan(
                 "codex host credentials: dummy auth was copied into the "
                 "guest, but Codex did not accept it"
             )))
+    if template == PROVIDER_CLAUDE and has_provider_auth:
+        env_vars["CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC"] = "1"
+        env_vars["DISABLE_ERROR_REPORTING"] = "1"
 
     return AgentProvisionPlan(
         template=template,

bot_bottle/backend/docker/prepare.py

@@ -215,11 +215,6 @@ def resolve_plan(
     )
     if has_provider_auth and provider_runtime.placeholder_env:
         forwarded_env[provider_runtime.placeholder_env] = "egress-placeholder"
-    if provider.template == "claude" and has_provider_auth:
-        # Belt-and-braces: turn off telemetry endpoints (statsig,
-        # error reporting) that egress can't gate by auth.
-        forwarded_env.setdefault("CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC", "1")
-        forwarded_env.setdefault("DISABLE_ERROR_REPORTING", "1")
     _write_env_file(resolved, env_file)
     prompt_file.write_text(agent.prompt)
 
@@ -230,6 +225,7 @@ def resolve_plan(
         state_dir=agent_dir,
         guest_home=os.environ.get("BOT_BOTTLE_CONTAINER_HOME", "/home/node"),
         forward_host_credentials=provider.forward_host_credentials,
+        has_provider_auth=has_provider_auth,
         host_env=dict(os.environ),
     )
     guest_env = dict(agent_provision.guest_env)

bot_bottle/backend/smolmachines/prepare.py

@@ -126,9 +126,6 @@ def resolve_plan(
     )
     if has_provider_auth and provider_runtime.placeholder_env:
         guest_env[provider_runtime.placeholder_env] = "egress-placeholder"
-    if provider.template == "claude" and has_provider_auth:
-        guest_env.setdefault("CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC", "1")
-        guest_env.setdefault("DISABLE_ERROR_REPORTING", "1")
 
     supervise_plan = None
     if bottle.supervise:
@@ -170,6 +167,7 @@ def resolve_plan(
         guest_home=os.environ.get("BOT_BOTTLE_GUEST_HOME", "/home/node"),
         guest_env=guest_env,
         forward_host_credentials=provider.forward_host_credentials,
+        has_provider_auth=has_provider_auth,
         host_env=dict(os.environ),
     )
     merged_guest_env = dict(agent_provision.guest_env)

tests/unit/test_agent_provider.py

@@ -76,6 +76,20 @@ class TestAgentProviderRuntime(unittest.TestCase):
         self.assertEqual(1, len(plan.verify))
         self.assertIn("CODEX_HOME=/run/codex-home", plan.verify[0].argv)
 
+    def test_claude_with_provider_auth_disables_nonessential_traffic(self):
+        with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp:
+            plan = agent_provision_plan(
+                template="claude",
+                dockerfile="/tmp/Dockerfile.claude",
+                state_dir=Path(tmp),
+                has_provider_auth=True,
+            )
+        self.assertEqual(
+            "1",
+            plan.env_vars["CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC"],
+        )
+        self.assertEqual("1", plan.env_vars["DISABLE_ERROR_REPORTING"])
+
 
 if __name__ == "__main__":
     unittest.main()