feat(pipelock): enable tls_interception with per-bottle ephemeral CA

First step of PRD 0006. Pipelock now does the CONNECT bumping that
PR #8's mitmproxy chain was supposed to provide — natively, in the
same single sidecar PRD 0001 wired up.

- claude_bottle/pipelock.py: pipelock_build_config grows optional
  ca_cert_path / ca_key_path kwargs. When both are passed the
  rendered YAML carries a `tls_interception: { enabled: true,
  ca_cert, ca_key }` block. PipelockProxy gains class-level
  CA_CERT_IN_CONTAINER / CA_KEY_IN_CONTAINER constants that
  subclasses set to wherever they place the CA inside the
  sidecar. PipelockProxyPlan gains ca_cert_host_path /
  ca_key_host_path fields (default empty Path() — sentinel for
  "not yet populated", filled by launch via dataclasses.replace).

- claude_bottle/backend/docker/pipelock.py: new
  pipelock_tls_init(stage_dir) helper runs `pipelock tls init`
  in a one-shot container against a host-mounted scratch dir.
  DockerPipelockProxy sets its class constants to
  /etc/pipelock-ca.pem and /etc/pipelock-ca-key.pem; .start
  docker-cp's the cert + key into those paths between
  `docker create` and `docker start`. Pipelock runs as root in
  its distroless image, so no chown is needed (verified).

- claude_bottle/backend/docker/launch.py: calls pipelock_tls_init
  between network creation and proxy.start. Prepare stays
  side-effect-free on docker; the one-shot ca-init container
  only runs on a real launch, not on `start --dry-run`.

- tests/unit/test_pipelock_yaml.py: new assertions that
  pipelock_build_config emits the tls_interception block only
  when both paths are supplied (and rejects a half-set pair),
  plus a test that the docker proxy's prepare plumbs the
  in-container paths through to the rendered YAML.

The end-to-end "bumping actually fires" assertion lands in
chunk 4 (HTTPS integration tests).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/backend/docker/pipelock.py

@@ -6,6 +6,7 @@ from __future__ import annotations
 
 import os
 import subprocess
+from pathlib import Path
 
 from ...log import die, info, warn
 from ...pipelock import PipelockProxy, PipelockProxyPlan
@@ -21,6 +22,12 @@ PIPELOCK_IMAGE = os.environ.get(
 # Listening port for pipelock's forward proxy.
 PIPELOCK_PORT = os.environ.get("CLAUDE_BOTTLE_PIPELOCK_PORT", "8888")
 
+# In-container paths where the per-bottle CA cert + key land after
+# `docker cp` in `DockerPipelockProxy.start`. Pipelock's rendered
+# YAML references these paths under `tls_interception`.
+PIPELOCK_CA_CERT_IN_CONTAINER = "/etc/pipelock-ca.pem"
+PIPELOCK_CA_KEY_IN_CONTAINER = "/etc/pipelock-ca-key.pem"
+
 
 def pipelock_container_name(slug: str) -> str:
     return f"claude-bottle-pipelock-{slug}"
@@ -34,19 +41,56 @@ def pipelock_proxy_host_port(slug: str) -> str:
     return f"{pipelock_container_name(slug)}:{PIPELOCK_PORT}"
 
 
+def pipelock_tls_init(stage_dir: Path) -> tuple[Path, Path]:
+    """Generate a fresh per-bottle CA via a one-shot pipelock container.
+
+    Runs `pipelock tls init` against a host-mounted scratch dir, leaving
+    `ca.pem` (public cert, mode 600) and `ca-key.pem` (private key, mode
+    600) under `<stage_dir>/pipelock-ca/`. Returns the two host paths.
+
+    The image is pinned (same digest the running sidecar uses) so the
+    generated CA matches what the sidecar expects. Output is owned by
+    whatever UID the one-shot ran as; `DockerPipelockProxy.start`
+    `docker cp`s the files into the sidecar's filesystem layer, so
+    runtime ownership inside the sidecar (root in pipelock's
+    distroless image) is independent."""
+    work = stage_dir / "pipelock-ca"
+    work.mkdir(exist_ok=True)
+    result = subprocess.run(
+        ["docker", "run", "--rm",
+         "-v", f"{work}:/h",
+         "-e", "PIPELOCK_HOME=/h",
+         PIPELOCK_IMAGE, "tls", "init"],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+    if result.returncode != 0:
+        die(f"pipelock tls init failed: {result.stderr.strip()}")
+    cert = work / "ca.pem"
+    key = work / "ca-key.pem"
+    if not cert.is_file() or not key.is_file():
+        die(f"pipelock tls init did not produce ca files in {work}")
+    return (cert, key)
+
+
 class DockerPipelockProxy(PipelockProxy):
     """Brings the pipelock sidecar up and down via Docker."""
 
+    CA_CERT_IN_CONTAINER = PIPELOCK_CA_CERT_IN_CONTAINER
+    CA_KEY_IN_CONTAINER = PIPELOCK_CA_KEY_IN_CONTAINER
+
     def start(self, plan: PipelockProxyPlan) -> str:
         """Boot the pipelock sidecar:
           1. `docker create` on the internal network with the canonical
              name and argv `run --config /etc/pipelock.yaml --listen
              0.0.0.0:<port>`.
-          2. `docker cp` the YAML config to /etc/pipelock.yaml in the
-             writable layer (parent dir must already exist; image is
-             distroless).
-          3. Attach to the per-agent egress network.
-          4. `docker start`.
+          2. `docker cp` the YAML config to /etc/pipelock.yaml.
+          3. `docker cp` the CA cert + key to /etc/pipelock-ca.pem
+             and /etc/pipelock-ca-key.pem (pipelock runs as root in
+             its distroless image, so no chown is needed).
+          4. Attach to the per-agent egress network.
+          5. `docker start`.
         Returns the container name (the proxy_target passed to .stop)."""
         name = pipelock_container_name(plan.slug)
         if not plan.yaml_path.is_file():
@@ -54,6 +98,11 @@ class DockerPipelockProxy(PipelockProxy):
                 f"pipelock yaml not found at {plan.yaml_path}; "
                 f"PipelockProxy.prepare must run first"
             )
+        if not plan.ca_cert_host_path.is_file() or not plan.ca_key_host_path.is_file():
+            die(
+                f"pipelock CA missing at {plan.ca_cert_host_path} / "
+                f"{plan.ca_key_host_path}; pipelock_tls_init must run first"
+            )
 
         info(f"starting pipelock sidecar {name} on network {plan.internal_network}")
 
@@ -68,15 +117,23 @@ class DockerPipelockProxy(PipelockProxy):
         if subprocess.run(create_args, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False).returncode != 0:
             die(f"failed to create pipelock sidecar {name}")
 
-        cp_result = subprocess.run(
-            ["docker", "cp", str(plan.yaml_path), f"{name}:/etc/pipelock.yaml"],
-            capture_output=True,
-            text=True,
-            check=False,
-        )
-        if cp_result.returncode != 0:
-            subprocess.run(["docker", "rm", "-f", name], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
-            die(f"failed to copy pipelock yaml into {name}: {cp_result.stderr.strip()}")
+        for src, dst, label in (
+            (plan.yaml_path, "/etc/pipelock.yaml", "yaml"),
+            (plan.ca_cert_host_path, PIPELOCK_CA_CERT_IN_CONTAINER, "ca cert"),
+            (plan.ca_key_host_path, PIPELOCK_CA_KEY_IN_CONTAINER, "ca key"),
+        ):
+            cp_result = subprocess.run(
+                ["docker", "cp", str(src), f"{name}:{dst}"],
+                capture_output=True,
+                text=True,
+                check=False,
+            )
+            if cp_result.returncode != 0:
+                subprocess.run(
+                    ["docker", "rm", "-f", name],
+                    stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
+                )
+                die(f"failed to copy pipelock {label} into {name}: {cp_result.stderr.strip()}")
 
         if subprocess.run(
             ["docker", "network", "connect", plan.egress_network, name],