refactor(pipelock): allowlist-resolution helpers take a Bottle, not (manifest, name)

Every function in the 'Allowlist resolution' section was doing
`manifest.bottles[bottle_name].X` as its first move. Push the lookup
to the caller and have each helper take a resolved Bottle:

  pipelock_bottle_allowlist
  pipelock_bottle_ssh_hostnames
  pipelock_bottle_ssh_trusted_domains
  pipelock_bottle_ssh_ip_cidrs
  pipelock_effective_allowlist
  pipelock_allowlist_summary

PipelockProxy._build_pipelock_yaml resolves bottle once at the top
and passes it through; DockerBottleBackend.prepare already had the
bottle in scope and now uses it directly. Tests pass the resolved
bottle from each fixture.

claude_bottle/backend/docker/backend.py

@@ -52,7 +52,6 @@ class DockerBottleBackend(BottleBackend):
         manifest.require_agent(spec.agent_name)
         agent = manifest.agents[spec.agent_name]
         bottle = manifest.bottle_for(spec.agent_name)
-        bottle_name = agent.bottle
 
         slug = docker_mod.slugify(spec.agent_name)
 
@@ -106,7 +105,7 @@ class DockerBottleBackend(BottleBackend):
         env_resolve(manifest, spec.agent_name, env_file, args_file)
         prompt_file.write_text(agent.prompt)
 
-        allowlist_summary = pipelock.pipelock_allowlist_summary(manifest, bottle_name)
+        allowlist_summary = pipelock.pipelock_allowlist_summary(bottle)
         use_runsc = docker_mod.runsc_available()
 
         return DockerBottlePlan(