feat(supervise): list-egress-proxy-routes MCP tool, defaults on egress-proxy

Reshape the allowlist topology so the egress-proxy is the bottle's
single allowlist surface, and replace the agent-side
routes/allowlist file mounts with a live MCP tool.

Policy change (move defaults to egress-proxy):

  - `egress_proxy_routes_for_bottle(bottle)` now folds in
    DEFAULT_ALLOWLIST (the claude-code defaults) and
    `bottle.egress.allowlist` (user adds) as bare-pass routes (no
    auth, no path filter), on top of the bottle's
    `egress_proxy.routes`. Manifest routes win on host collision.
  - `pipelock_effective_allowlist(bottle)` mirrors egress-proxy's
    effective host set when egress-proxy is in use. Pipelock is
    no longer the bottle's primary allowlist authority; it
    enforces a downstream copy as defense-in-depth + does DLP body
    scanning.
  - Split out `egress_proxy_manifest_routes(bottle)` for callers
    that want just the manifest entries (tests, internal use).
  - DEFAULT_ALLOWLIST moves from `pipelock.py` to `egress_proxy.py`
    (pipelock re-imports for the no-egress-proxy fallback path).
  - Dropped the `egress-proxy` auto-allow on pipelock's allowlist
    — the agent never dials egress-proxy via the proxy mechanism;
    pipelock only sees upstream hostnames from egress-proxy's
    CONNECTs.

Introspection endpoint (existing mitmproxy feature):

  - Egress-proxy addon recognises requests to the magic host
    `_egress-proxy.local` and synthesizes responses via
    `flow.response = http.Response.make(...)` — no upstream
    connection, no allowlist enforcement on the magic host.
  - `GET /allowlist` returns the in-memory route table as JSON
    (host + path_allowlist + auth_scheme + token_env per route;
    no token VALUES).
  - Smoke-tested end-to-end against a real egress-proxy container.

MCP tool (existing supervise plumbing):

  - New `list-egress-proxy-routes` tool (no inputs, no operator
    approval). Handler fetches via egress-proxy's introspection
    endpoint using urllib's ProxyHandler against
    `EGRESS_PROXY_FORWARD_PROXY`. Returns the JSON payload as the
    tool's text content; `isError: true` if the proxy is
    unreachable.
  - `egress-proxy-block` description now points the agent at
    `list-egress-proxy-routes` instead of a staged file path.
  - `pipelock-block` description acknowledges the mirror — agents
    should prefer `egress-proxy-block` to add hosts; pipelock-block
    stays for the rare divergence case.

Drop agent-side file mounts:

  - Supervise's `current-config` dir staging no longer writes
    routes.yaml / allowlist. Only `Dockerfile` remains
    (capability-block still reads it from
    `/etc/claude-bottle/current-config/Dockerfile`).
  - `prepare.py` stops passing `routes_content` /
    `allowlist_content` to `supervise.prepare`.
  - `Supervise.prepare` signature simplified to one
    `dockerfile_content` kwarg.

Tests: 400 unit + integration pass. Added coverage for
defaults-folding (`TestRoutesForBottleFoldsDefaults`), the new
tool definition + handler, and the updated supervise.prepare
shape.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/egress_proxy.py

@@ -127,7 +127,24 @@ class EgressProxyPlan:
     pipelock_proxy_url: str = ""
 
 
-def egress_proxy_routes_for_bottle(
+# Hosts the agent needs by default for claude-code itself. Folded
+# into every bottle's egress-proxy routes table as bare-pass entries
+# (no auth, no path filter) so the agent reaches them without each
+# bottle having to opt in. Pipelock used to own this list; PRD 0017
+# moves it to egress-proxy because egress-proxy is the primary gate
+# now and pipelock's allowlist is mirrored from egress-proxy.
+DEFAULT_ALLOWLIST: tuple[str, ...] = (
+    "api.anthropic.com",
+    "statsig.anthropic.com",
+    "sentry.io",
+    "claude.ai",
+    "platform.claude.com",
+    "downloads.claude.ai",
+    "raw.githubusercontent.com",
+)
+
+
+def egress_proxy_manifest_routes(
     bottle: Bottle,
 ) -> tuple[EgressProxyRoute, ...]:
     """Lift each `bottle.egress_proxy.routes[]` manifest entry into a
@@ -138,7 +155,12 @@ def egress_proxy_routes_for_bottle(
     authenticated route with `token_ref` "GH_PAT" gets
     `EGRESS_PROXY_TOKEN_0`; a second route with the same `token_ref`
     shares slot 0. Unauthenticated routes (`auth` omitted) contribute
-    no slot."""
+    no slot.
+
+    Does NOT include the folded-in DEFAULT_ALLOWLIST /
+    bottle.egress.allowlist bare-pass entries — see
+    `egress_proxy_routes_for_bottle` for the effective set the
+    addon enforces."""
     out: list[EgressProxyRoute] = []
     slot_for_token: dict[str, str] = {}
     for r in bottle.egress_proxy.routes:
@@ -164,6 +186,30 @@ def egress_proxy_routes_for_bottle(
     return tuple(out)
 
 
+def egress_proxy_routes_for_bottle(
+    bottle: Bottle,
+) -> tuple[EgressProxyRoute, ...]:
+    """Effective egress-proxy routes: manifest routes followed by
+    bare-pass entries for DEFAULT_ALLOWLIST hosts and
+    `bottle.egress.allowlist` hosts. This is what gets rendered into
+    routes.yaml + what the addon enforces.
+
+    Manifest routes win over defaults on host collision (manifest
+    routes carry more specific config — auth, path filter, role
+    markers). Hostname comparison is case-insensitive."""
+    out: list[EgressProxyRoute] = list(egress_proxy_manifest_routes(bottle))
+    claimed: set[str] = {r.host.lower() for r in out}
+    for host in DEFAULT_ALLOWLIST:
+        if host.lower() not in claimed:
+            out.append(EgressProxyRoute(host=host))
+            claimed.add(host.lower())
+    for host in bottle.egress.allowlist:
+        if host and host.lower() not in claimed:
+            out.append(EgressProxyRoute(host=host))
+            claimed.add(host.lower())
+    return tuple(out)
+
+
 def egress_proxy_token_env_map(
     routes: tuple[EgressProxyRoute, ...],
 ) -> dict[str, str]:
@@ -286,11 +332,13 @@ class EgressProxy(ABC):
 
 
 __all__ = [
+    "DEFAULT_ALLOWLIST",
     "EGRESS_PROXY_HOSTNAME",
     "EGRESS_PROXY_ROUTES_IN_CONTAINER",
     "EgressProxy",
     "EgressProxyPlan",
     "EgressProxyRoute",
+    "egress_proxy_manifest_routes",
     "egress_proxy_render_routes",
     "egress_proxy_resolve_token_values",
     "egress_proxy_routes_for_bottle",