test: drop ssh-gate suites and shadow-route assertions (PRD 0009)

- Delete tests/unit/test_ssh_gate.py and the fixture_with_ssh helpers.
- test_pipelock_yaml: drop the ssh-leak guard (structurally
  impossible now); the remaining tests switch to fixture_minimal.
- test_pipelock_allowlist: rewrite the union/dedup test to
  exercise an egress.allowlist that duplicates a baked default
  (the property the ssh-leak assertion was hitching onto).
- test_manifest_git: shadow-route assertion becomes a legacy-ssh-
  dies-with-hint assertion, since bottle.ssh is now parse-fail.
- test_orphan_cleanup: drop the SSHGate.stop idempotency check;
  pipelock equivalent stays.
- test_dry_run_plan: drop assertions on the removed ssh_hosts /
  ssh_gate keys.

52 unit tests pass.

tests/unit/test_pipelock_yaml.py

@@ -19,7 +19,7 @@ from claude_bottle.pipelock import (
     pipelock_build_config,
     pipelock_render_yaml,
 )
-from tests.fixtures import fixture_minimal, fixture_with_ssh
+from tests.fixtures import fixture_minimal
 
 
 class TestBuildConfig(unittest.TestCase):
@@ -38,26 +38,14 @@ class TestBuildConfig(unittest.TestCase):
         # Baked defaults always present.
         self.assertIn("api.anthropic.com", cast(list[str], cfg["api_allowlist"]))
         self.assertIn("raw.githubusercontent.com", cast(list[str], cfg["api_allowlist"]))
-        # PRD 0007: pipelock has no SSH carve-outs at all — neither
-        # trusted_domains nor ssrf are ever emitted from bottle data
-        # in v1.
+        # pipelock has no SSH carve-outs at all — neither
+        # trusted_domains nor ssrf are emitted from bottle data.
         self.assertNotIn("trusted_domains", cfg)
         self.assertNotIn("ssrf", cfg)
         # Without CA paths, the tls_interception block is omitted —
         # pipelock falls back to its built-in default of `enabled: false`.
         self.assertNotIn("tls_interception", cfg)
 
-    def test_ssh_entries_do_not_leak_into_pipelock(self):
-        # PRD 0007: bottle.ssh routes through the ssh-gate sidecar,
-        # so pipelock's config must not reflect those hostnames or
-        # IPs in any of its blocks.
-        cfg = pipelock_build_config(fixture_with_ssh().bottles["dev"])
-        allow = cast(list[str], cfg["api_allowlist"])
-        self.assertNotIn("github.com", allow)
-        self.assertNotIn("100.78.141.42", allow)
-        self.assertNotIn("trusted_domains", cfg)
-        self.assertNotIn("ssrf", cfg)
-
     def test_tls_interception_block_emitted_when_paths_supplied(self):
         # PRD 0006: paths flow in via DockerPipelockProxy's in-container
         # constants; this directly pins the dict shape. passthrough_domains
@@ -102,7 +90,7 @@ class TestRenderAndWrite(unittest.TestCase):
         """One render-level smoke check: the serialized YAML is plausibly
         the shape pipelock expects. We don't grep every key here — that's
         what TestBuildConfig is for."""
-        cfg = pipelock_build_config(fixture_with_ssh().bottles["dev"])
+        cfg = pipelock_build_config(fixture_minimal().bottles["dev"])
         text = pipelock_render_yaml(cfg)
         for required in (
             "api_allowlist:",
@@ -111,7 +99,7 @@ class TestRenderAndWrite(unittest.TestCase):
             "request_body_scanning:",
         ):
             self.assertIn(required, text)
-        # PRD 0007: no ssh carve-outs in the rendered yaml.
+        # No ssh carve-outs in the rendered yaml.
         self.assertNotIn("trusted_domains:", text)
         self.assertNotIn("ssrf:", text)