diff --git a/README.md b/README.md
index 415b915..f2ad087 100644
--- a/README.md
+++ b/README.md
@@ -138,7 +138,7 @@ You help maintain Gitea-hosted projects.
 | Field | Required | Description |
 |---|---|---|
 | `host` | yes | Hostname to allowlist. One entry per host. |
-| `role` | no | Provider-specific role string (e.g. `claude_code_oauth`). Wires built-in auth flows; set by provider templates, not manually. |
+| `role` | no | Reserved for future use. The key is recognised but any value is currently rejected at load. Provider auth routes (e.g. Claude's `api.anthropic.com`) are injected automatically from `agent_provider.auth_token`, not via `role`. |
 | `auth.scheme` | when `auth` present | `Bearer` or `token`. Injected by the proxy; the agent never sees the value. |
 | `auth.token_ref` | when `auth` present | Env-var name holding the secret on the host. |
 | `matches` | no | Array of `{paths, methods, headers}` filters. A request must match at least one entry (if any are given) to be forwarded. |
diff --git a/examples/bottles/claude.md b/examples/bottles/claude.md
index 219d0db..9f9670b 100644
--- a/examples/bottles/claude.md
+++ b/examples/bottles/claude.md
@@ -1,19 +1,14 @@
 ---
 agent_provider:
 template: claude
-
-egress:
- routes:
- - host: api.anthropic.com
- role: claude_code_oauth # wires Claude Code OAuth; do not change
- auth:
- scheme: Bearer
- token_ref: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN
- # dlp is omitted → all detectors on by default (token_patterns,
- # known_secrets outbound; naive_injection_detection inbound).
- # To disable inbound scanning for this route:
- # dlp:
- # inbound_detectors: false
+ # auth_token names the host env var holding the Claude OAuth token. The
+ # provider injects a provider-owned api.anthropic.com egress route that
+ # re-injects this token as the Bearer header; the agent only ever sees a
+ # placeholder CLAUDE_CODE_OAUTH_TOKEN. DLP defaults (token_patterns,
+ # known_secrets outbound; naive_injection_detection inbound) apply to
+ # that route. To scan additional hosts, declare them under egress.routes
+ # with per-route matches/dlp (see README "Egress route fields").
+ auth_token: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN
 ---
 Common Claude provider boundary. Drop this file into
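Review bot: The last sentence of the new front-matter comment, "To scan additional hosts, declare them under egress.routes", understates what a route does: the README table in this same commit describes `host` as a "Hostname to allowlist", so declaring one opens egress to that host rather than only scanning it. I would reword it to `# No other host is allowlisted here; declaring one under egress.routes opens egress to it, so scope it with matches and leave dlp at its defaults.`, assuming the example is meant to be default-deny, which the visible lines suggest but do not state. The comment also drops the old per-route `dlp` override hint without saying whether a user-declared `api.anthropic.com` route is rejected or takes precedence over the provider-owned one; one line on that would help anyone auditing the boundary. The prose body of the file continues outside the hunk.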