feat(cred_proxy)!: cred-proxy is the only Anthropic auth path

Removes the legacy `CLAUDE_BOTTLE_OAUTH_TOKEN` -> `CLAUDE_CODE_OAUTH_TOKEN`
forward in prepare.py. Bottles that need claude-code to authenticate
must declare a cred_proxy route with role: "anthropic-base-url" — there
is no fallback that hands the token to the agent directly.

Drops the now-dead BottleSpec.forward_oauth_token field, the CLI
setter that read CLAUDE_BOTTLE_OAUTH_TOKEN from the host env at
prepare time, and the forward_oauth_token=False arg in the six
pipelock integration tests.

PRD 0010 and README updated; the dev ~/claude-bottle.json gains an
anthropic-base-url route so the implementer/researcher agents keep
working.

BREAKING: bottles previously relying on the implicit OAuth forward
will now produce an agent environ without any Anthropic credential.
Verified with --dry-run: a bottle with no anthropic-base-url route
yields env_names: [] (no token at all); a bottle that declares the
route yields ANTHROPIC_BASE_URL plus a non-secret placeholder for
CLAUDE_CODE_OAUTH_TOKEN.

claude_bottle/backend/__init__.py

@@ -53,7 +53,6 @@ class BottleSpec:
     agent_name: str
     copy_cwd: bool
     user_cwd: str
-    forward_oauth_token: bool
 
 
 @dataclass(frozen=True)

claude_bottle/backend/docker/prepare.py

@@ -118,17 +118,15 @@ def resolve_plan(
     forwarded_env: dict[str, str] = dict(resolved.forwarded)
     # Find the (at most one) cred-proxy route claiming the
     # anthropic-base-url role. Manifest validation enforces the
-    # singleton constraint.
+    # singleton constraint. cred-proxy is the only path the Anthropic
+    # OAuth token reaches the bottle — there is no fallback that
+    # forwards it into the agent's environ directly. Bottles that
+    # need claude-code to authenticate must declare an
+    # anthropic-base-url route.
     anthropic_route = next(
         (r for r in cred_proxy_plan.routes if "anthropic-base-url" in r.roles),
         None,
     )
-    if spec.forward_oauth_token and anthropic_route is None:
-        # Pre-PRD 0010 behavior: agent reads CLAUDE_CODE_OAUTH_TOKEN
-        # directly. Still the path when no cred_proxy.routes entry
-        # is tagged anthropic-base-url; otherwise the sidecar holds
-        # the token.
-        forwarded_env["CLAUDE_CODE_OAUTH_TOKEN"] = os.environ["CLAUDE_BOTTLE_OAUTH_TOKEN"]
     if anthropic_route is not None:
         # Point claude-code at the cred-proxy. The sidecar holds the
         # OAuth token; the agent's environ does not. Strip the

claude_bottle/cli/start.py

@@ -42,7 +42,6 @@ def cmd_start(argv: list[str]) -> int:
         agent_name=args.name,
         copy_cwd=args.cwd,
         user_cwd=USER_CWD,
-        forward_oauth_token=bool(os.environ.get("CLAUDE_BOTTLE_OAUTH_TOKEN")),
     )
 
     stage_dir = Path(tempfile.mkdtemp(prefix="claude-bottle-stage."))