refactor(pipelock): introduce PipelockProxy class housing the yaml body

The YAML generation now lives on PipelockProxy.prepare(manifest,
bottle_name, yaml_path) in claude_bottle/pipelock.py. The class is the
natural home for any future proxy-level state.

DockerBottleBackend keeps an instance as a class attribute
(_proxy = PipelockProxy()) and its prepare_proxy becomes a thin
delegation. A future backend that wants a different egress proxy
(or none) plugs in its own strategy.

Tests retarget at the new home — PipelockProxy.prepare gets the
content-shape assertions; the sidecar smoke test uses the class
directly too. Same coverage.

claude_bottle/backend/docker/backend.py

@@ -39,6 +39,7 @@ class DockerBottleBackend(BottleBackend):
     (default)."""
 
     name = "docker"
+    _proxy: pipelock.PipelockProxy = pipelock.PipelockProxy()
 
     def prepare(self, spec: BottleSpec, *, stage_dir: Path) -> DockerBottlePlan:
         """Resolve names, validate, write scratch files. No Docker
@@ -128,49 +129,10 @@ class DockerBottleBackend(BottleBackend):
         )
 
     def prepare_proxy(self, spec: BottleSpec, yaml_path: Path) -> None:
-        """Write the pipelock proxy's yaml config (mode 600) to
-        `yaml_path` for the sidecar to consume when it boots in
-        `launch`. Carries the effective allowlist (bottle.egress.allowlist
-        UNION claude-bottle defaults UNION ssh hostnames), a fixed
-        listen port, strict mode + forward_proxy + DLP defaults +
-        scan_env. Deliberately contains no env values, no secrets, no
-        per-agent customization beyond the hostname list."""
+        """Delegate to PipelockProxy to write the sidecar's yaml
+        config. Stage-only: no Docker resources created yet."""
         bottle_name = spec.manifest.agents[spec.agent_name].bottle
-        allowlist = pipelock.pipelock_effective_allowlist(spec.manifest, bottle_name)
-        trusted = pipelock.pipelock_bottle_ssh_trusted_domains(spec.manifest, bottle_name)
-        ip_cidrs = pipelock.pipelock_bottle_ssh_ip_cidrs(spec.manifest, bottle_name)
-
-        lines: list[str] = []
-        lines.append("version: 1")
-        lines.append("mode: strict")
-        lines.append("enforce: true")
-        lines.append("")
-        lines.append("# Hostnames the agent is allowed to reach. Effective list is")
-        lines.append("# claude-bottle defaults UNION bottle.egress.allowlist (sorted, deduped).")
-        lines.append("api_allowlist:")
-        for h in allowlist:
-            lines.append(f'  - "{h}"')
-        lines.append("")
-        lines.append("forward_proxy:")
-        lines.append("  enabled: true")
-        lines.append("")
-        if trusted:
-            lines.append("trusted_domains:")
-            for td in trusted:
-                lines.append(f'  - "{td}"')
-            lines.append("")
-        if ip_cidrs:
-            lines.append("ssrf:")
-            lines.append("  ip_allowlist:")
-            for cidr in ip_cidrs:
-                lines.append(f'    - "{cidr}"')
-            lines.append("")
-        lines.append("dlp:")
-        lines.append("  include_defaults: true")
-        lines.append("  scan_env: true")
-
-        yaml_path.write_text("\n".join(lines) + "\n")
-        yaml_path.chmod(0o600)
+        self._proxy.prepare(spec.manifest, bottle_name, yaml_path)
 
     @contextmanager
     def launch(self, plan: BottlePlan) -> Iterator[DockerBottle]: