feat(supervise): list-egress-proxy-routes MCP tool, defaults on egress-proxy

Reshape the allowlist topology so the egress-proxy is the bottle's
single allowlist surface, and replace the agent-side
routes/allowlist file mounts with a live MCP tool.

Policy change (move defaults to egress-proxy):

  - `egress_proxy_routes_for_bottle(bottle)` now folds in
    DEFAULT_ALLOWLIST (the claude-code defaults) and
    `bottle.egress.allowlist` (user adds) as bare-pass routes (no
    auth, no path filter), on top of the bottle's
    `egress_proxy.routes`. Manifest routes win on host collision.
  - `pipelock_effective_allowlist(bottle)` mirrors egress-proxy's
    effective host set when egress-proxy is in use. Pipelock is
    no longer the bottle's primary allowlist authority; it
    enforces a downstream copy as defense-in-depth + does DLP body
    scanning.
  - Split out `egress_proxy_manifest_routes(bottle)` for callers
    that want just the manifest entries (tests, internal use).
  - DEFAULT_ALLOWLIST moves from `pipelock.py` to `egress_proxy.py`
    (pipelock re-imports for the no-egress-proxy fallback path).
  - Dropped the `egress-proxy` auto-allow on pipelock's allowlist
    — the agent never dials egress-proxy via the proxy mechanism;
    pipelock only sees upstream hostnames from egress-proxy's
    CONNECTs.

Introspection endpoint (existing mitmproxy feature):

  - Egress-proxy addon recognises requests to the magic host
    `_egress-proxy.local` and synthesizes responses via
    `flow.response = http.Response.make(...)` — no upstream
    connection, no allowlist enforcement on the magic host.
  - `GET /allowlist` returns the in-memory route table as JSON
    (host + path_allowlist + auth_scheme + token_env per route;
    no token VALUES).
  - Smoke-tested end-to-end against a real egress-proxy container.

MCP tool (existing supervise plumbing):

  - New `list-egress-proxy-routes` tool (no inputs, no operator
    approval). Handler fetches via egress-proxy's introspection
    endpoint using urllib's ProxyHandler against
    `EGRESS_PROXY_FORWARD_PROXY`. Returns the JSON payload as the
    tool's text content; `isError: true` if the proxy is
    unreachable.
  - `egress-proxy-block` description now points the agent at
    `list-egress-proxy-routes` instead of a staged file path.
  - `pipelock-block` description acknowledges the mirror — agents
    should prefer `egress-proxy-block` to add hosts; pipelock-block
    stays for the rare divergence case.

Drop agent-side file mounts:

  - Supervise's `current-config` dir staging no longer writes
    routes.yaml / allowlist. Only `Dockerfile` remains
    (capability-block still reads it from
    `/etc/claude-bottle/current-config/Dockerfile`).
  - `prepare.py` stops passing `routes_content` /
    `allowlist_content` to `supervise.prepare`.
  - `Supervise.prepare` signature simplified to one
    `dockerfile_content` kwarg.

Tests: 400 unit + integration pass. Added coverage for
defaults-folding (`TestRoutesForBottleFoldsDefaults`), the new
tool definition + handler, and the updated supervise.prepare
shape.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/pipelock.py

@@ -22,21 +22,14 @@ from dataclasses import dataclass
 from pathlib import Path
 from typing import cast
 
-from .egress_proxy import EGRESS_PROXY_HOSTNAME
+from .egress_proxy import (
+    DEFAULT_ALLOWLIST,
+    EGRESS_PROXY_HOSTNAME,
+    egress_proxy_routes_for_bottle,
+)
 from .supervise import SUPERVISE_HOSTNAME
 from .manifest import Bottle
 
-# Baked-in default allowlist for hosts Claude Code itself needs.
-DEFAULT_ALLOWLIST: tuple[str, ...] = (
-    "api.anthropic.com",
-    "statsig.anthropic.com",
-    "sentry.io",
-    "claude.ai",
-    "platform.claude.com",
-    "downloads.claude.ai",
-    "raw.githubusercontent.com",
-)
-
 # Hosts pipelock should NOT TLS-MITM, even when tls_interception is
 # enabled. The Claude API endpoint is an LLM provider — its request
 # bodies are user-authored conversation text that legitimately can
@@ -64,43 +57,51 @@ def pipelock_bottle_allowlist(bottle: Bottle) -> list[str]:
 
 def pipelock_route_hosts(bottle: Bottle) -> list[str]:
     """Hostnames declared in `bottle.egress_proxy.routes`. Returned
-    sorted + deduped.
-
-    Post-cutover topology (PRD 0017): the agent's HTTPS_PROXY points
-    at egress-proxy, not pipelock; egress-proxy's outbound leg sets
-    `HTTPS_PROXY=pipelock`. So pipelock no longer terminates the
-    agent's connections — it sees the egress-proxy → upstream leg
-    only. Each declared route's host still needs to be on pipelock's
-    allowlist so that leg can leave the egress network."""
+    sorted + deduped. Used by the no-egress-proxy fallback path
+    below; bottles that DO use egress-proxy include the same hosts
+    via `egress_proxy_routes_for_bottle`."""
     hosts = {r.Host for r in bottle.egress_proxy.routes if r.Host}
     return sorted(hosts)
 
 
 def pipelock_effective_allowlist(bottle: Bottle) -> list[str]:
-    """Deduplicated union of: baked-in defaults, bottle.egress.allowlist,
-    the egress-proxy route hosts (from bottle.egress_proxy.routes), the
-    egress-proxy sidecar's own hostname when any route is declared, and
-    the supervise sidecar's hostname when bottle.supervise is enabled.
-    Sorted for stability. Git upstreams declared in `bottle.git` do NOT
-    contribute here — git traffic flows through the per-agent git-gate
-    sidecar (PRD 0008), not pipelock.
+    """Hostnames pipelock allows. Sorted for stability.
 
-    The egress-proxy + supervise hostnames are auto-added because the
-    sidecars sit on the bottle's internal network alongside the agent;
-    requests that pass through pipelock for `egress-proxy:9099` or
-    `supervise:9100` (e.g. when egress-proxy uses HTTPS_PROXY=pipelock
-    on its upstream leg) would otherwise be 403'd by pipelock's
-    hostname gate."""
+    Two paths, depending on whether the bottle uses egress-proxy:
+
+    - Bottle declares `egress_proxy.routes[]` → agent's HTTPS_PROXY
+      points at egress-proxy. Egress-proxy is the bottle's primary
+      allowlist gate (DEFAULT_ALLOWLIST + bottle.egress.allowlist +
+      manifest routes all live there as bare-pass or full routes,
+      folded in by `egress_proxy_routes_for_bottle`). Pipelock's
+      allowlist is then a MIRROR of egress-proxy's hosts — same
+      set, just serving as the defense-in-depth hostname gate +
+      DLP scanner on the upstream leg.
+
+    - Bottle has no `egress_proxy.routes[]` → agent talks straight
+      to pipelock. Pipelock keeps its previous behavior: bake in
+      DEFAULT_ALLOWLIST + bottle.egress.allowlist for claude-code
+      defaults.
+
+    The supervise sidecar's hostname is auto-added when supervise
+    is enabled (sibling-sidecar traffic that flows through pipelock
+    would otherwise be 403'd). Git upstreams declared in
+    `bottle.git` do NOT contribute here — git traffic flows
+    through git-gate (PRD 0008), not pipelock."""
     seen: dict[str, None] = {}
-    for h in DEFAULT_ALLOWLIST:
-        seen.setdefault(h, None)
-    for h in pipelock_bottle_allowlist(bottle):
-        if h:
-            seen.setdefault(h, None)
-    for h in pipelock_route_hosts(bottle):
-        seen.setdefault(h, None)
     if bottle.egress_proxy.routes:
-        seen.setdefault(EGRESS_PROXY_HOSTNAME, None)
+        # Mirror egress-proxy's effective host set — same defaults
+        # and bottle.egress.allowlist entries are already folded in
+        # at the egress-proxy layer; we don't add them twice.
+        for r in egress_proxy_routes_for_bottle(bottle):
+            if r.host:
+                seen.setdefault(r.host, None)
+    else:
+        for h in DEFAULT_ALLOWLIST:
+            seen.setdefault(h, None)
+        for h in pipelock_bottle_allowlist(bottle):
+            if h:
+                seen.setdefault(h, None)
     if bottle.supervise:
         seen.setdefault(SUPERVISE_HOSTNAME, None)
     return sorted(seen.keys())