feat(supervise): list-egress-proxy-routes MCP tool, defaults on egress-proxy

Reshape the allowlist topology so the egress-proxy is the bottle's
single allowlist surface, and replace the agent-side
routes/allowlist file mounts with a live MCP tool.

Policy change (move defaults to egress-proxy):

  - `egress_proxy_routes_for_bottle(bottle)` now folds in
    DEFAULT_ALLOWLIST (the claude-code defaults) and
    `bottle.egress.allowlist` (user adds) as bare-pass routes (no
    auth, no path filter), on top of the bottle's
    `egress_proxy.routes`. Manifest routes win on host collision.
  - `pipelock_effective_allowlist(bottle)` mirrors egress-proxy's
    effective host set when egress-proxy is in use. Pipelock is
    no longer the bottle's primary allowlist authority; it
    enforces a downstream copy as defense-in-depth + does DLP body
    scanning.
  - Split out `egress_proxy_manifest_routes(bottle)` for callers
    that want just the manifest entries (tests, internal use).
  - DEFAULT_ALLOWLIST moves from `pipelock.py` to `egress_proxy.py`
    (pipelock re-imports for the no-egress-proxy fallback path).
  - Dropped the `egress-proxy` auto-allow on pipelock's allowlist
    — the agent never dials egress-proxy via the proxy mechanism;
    pipelock only sees upstream hostnames from egress-proxy's
    CONNECTs.

Introspection endpoint (existing mitmproxy feature):

  - Egress-proxy addon recognises requests to the magic host
    `_egress-proxy.local` and synthesizes responses via
    `flow.response = http.Response.make(...)` — no upstream
    connection, no allowlist enforcement on the magic host.
  - `GET /allowlist` returns the in-memory route table as JSON
    (host + path_allowlist + auth_scheme + token_env per route;
    no token VALUES).
  - Smoke-tested end-to-end against a real egress-proxy container.

MCP tool (existing supervise plumbing):

  - New `list-egress-proxy-routes` tool (no inputs, no operator
    approval). Handler fetches via egress-proxy's introspection
    endpoint using urllib's ProxyHandler against
    `EGRESS_PROXY_FORWARD_PROXY`. Returns the JSON payload as the
    tool's text content; `isError: true` if the proxy is
    unreachable.
  - `egress-proxy-block` description now points the agent at
    `list-egress-proxy-routes` instead of a staged file path.
  - `pipelock-block` description acknowledges the mirror — agents
    should prefer `egress-proxy-block` to add hosts; pipelock-block
    stays for the rare divergence case.

Drop agent-side file mounts:

  - Supervise's `current-config` dir staging no longer writes
    routes.yaml / allowlist. Only `Dockerfile` remains
    (capability-block still reads it from
    `/etc/claude-bottle/current-config/Dockerfile`).
  - `prepare.py` stops passing `routes_content` /
    `allowlist_content` to `supervise.prepare`.
  - `Supervise.prepare` signature simplified to one
    `dockerfile_content` kwarg.

Tests: 400 unit + integration pass. Added coverage for
defaults-folding (`TestRoutesForBottleFoldsDefaults`), the new
tool definition + handler, and the updated supervise.prepare
shape.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/supervise.py

@@ -52,12 +52,24 @@ SUPERVISE_PORT = 9100
 TOOL_EGRESS_PROXY_BLOCK = "egress-proxy-block"
 TOOL_PIPELOCK_BLOCK = "pipelock-block"
 TOOL_CAPABILITY_BLOCK = "capability-block"
+TOOL_LIST_EGRESS_PROXY_ROUTES = "list-egress-proxy-routes"
 TOOLS: tuple[str, ...] = (
     TOOL_EGRESS_PROXY_BLOCK,
     TOOL_PIPELOCK_BLOCK,
     TOOL_CAPABILITY_BLOCK,
+    TOOL_LIST_EGRESS_PROXY_ROUTES,
 )
 
+# The supervise sidecar uses these to query egress-proxy's
+# introspection endpoint for the `list-egress-proxy-routes` MCP
+# tool. The hostname + port match egress-proxy's docker network
+# alias + listen port (see claude_bottle.egress_proxy.EGRESS_PROXY_HOSTNAME
+# and backend.docker.egress_proxy.EGRESS_PROXY_PORT — the values
+# are inlined here so the in-container supervise_server doesn't
+# need to import the egress-proxy package).
+EGRESS_PROXY_FORWARD_PROXY = "http://egress-proxy:9099"
+EGRESS_PROXY_INTROSPECT_URL = "http://_egress-proxy.local/allowlist"
+
 # capability-block has no on-disk config the operator edits in place
 # (the Dockerfile is rebuilt, not patched), so it has no audit log
 # here — those changes are captured by git history + the rebuild
@@ -422,17 +434,15 @@ def sha256_hex(content: str) -> str:
 # --- Sidecar plan + abstract lifecycle -------------------------------------
 
 
-# Filenames inside the per-bottle current-config dir. The agent reads
-# these (read-only) from CURRENT_CONFIG_DIR_IN_AGENT and proposes
-# modified versions back via the three MCP tools.
-# Filename of the staged egress-proxy routes file inside the agent's
-# read-only current-config mount. JSON content under a `.yaml`
-# extension to match the live file the egress-proxy sidecar reads
-# (`/etc/egress-proxy/routes.yaml`) — the egress-proxy-block tool
-# description points at this exact path, and the apply step writes
-# the new content to the matching live path.
-CURRENT_CONFIG_ROUTES = "routes.yaml"
-CURRENT_CONFIG_ALLOWLIST = "allowlist"
+# Filename of the staged Dockerfile inside the agent's read-only
+# current-config mount. The capability-block tool's description
+# points the agent at this exact path so it can read the current
+# Dockerfile and propose modifications.
+#
+# routes.yaml + allowlist used to live here too; PRD 0017 chunk 3
+# moved them behind the `list-egress-proxy-routes` MCP tool (live
+# state from egress-proxy's introspection endpoint) so the agent
+# always sees current data rather than a launch-time snapshot.
 CURRENT_CONFIG_DOCKERFILE = "Dockerfile"
 
 
@@ -442,12 +452,12 @@ class SupervisePlan:
 
     `queue_dir` is the host directory bind-mounted into the sidecar
     at /run/supervise/queue. `current_config_dir` is the host
-    directory bind-mounted (read-only) into the *agent* container at
-    /etc/claude-bottle/current-config, holding routes.yaml + allowlist
-    + Dockerfile so the agent can read them before composing a
-    proposal. `internal_network` is empty at prepare time; the
-    backend's launch step fills it via dataclasses.replace before
-    calling .start."""
+    directory bind-mounted (read-only) into the *agent* container
+    at /etc/claude-bottle/current-config — currently holds only the
+    Dockerfile snapshot (routes.yaml + allowlist moved to the
+    `list-egress-proxy-routes` MCP tool). `internal_network` is
+    empty at prepare time; the backend's launch step fills it via
+    dataclasses.replace before calling .start."""
 
     slug: str
     queue_dir: Path
@@ -465,8 +475,6 @@ class Supervise(ABC):
         slug: str,
         stage_dir: Path,
         *,
-        routes_content: str = "",
-        allowlist_content: str = "",
         dockerfile_content: str = "",
     ) -> SupervisePlan:
         """Stage the per-bottle queue dir on the host and the
@@ -477,17 +485,9 @@ class Supervise(ABC):
         queue_dir.mkdir(parents=True, exist_ok=True)
         current_config_dir = stage_dir / "current-config"
         current_config_dir.mkdir(parents=True, exist_ok=True)
-        (current_config_dir / CURRENT_CONFIG_ROUTES).write_text(
-            routes_content or '{"routes": []}\n'
-        )
-        (current_config_dir / CURRENT_CONFIG_ALLOWLIST).write_text(allowlist_content)
-        (current_config_dir / CURRENT_CONFIG_DOCKERFILE).write_text(dockerfile_content)
-        for name in (
-            CURRENT_CONFIG_ROUTES,
-            CURRENT_CONFIG_ALLOWLIST,
-            CURRENT_CONFIG_DOCKERFILE,
-        ):
-            (current_config_dir / name).chmod(0o644)
+        dockerfile_path = current_config_dir / CURRENT_CONFIG_DOCKERFILE
+        dockerfile_path.write_text(dockerfile_content)
+        dockerfile_path.chmod(0o644)
         return SupervisePlan(
             slug=slug,
             queue_dir=queue_dir,
@@ -554,10 +554,8 @@ __all__ = [
     "ACTION_OPERATOR_EDIT",
     "AuditEntry",
     "COMPONENT_FOR_TOOL",
-    "CURRENT_CONFIG_ALLOWLIST",
     "CURRENT_CONFIG_DIR_IN_AGENT",
     "CURRENT_CONFIG_DOCKERFILE",
-    "CURRENT_CONFIG_ROUTES",
     "DEFAULT_POLL_INTERVAL_SEC",
     "Proposal",
     "QUEUE_DIR_IN_CONTAINER",
@@ -571,8 +569,11 @@ __all__ = [
     "Supervise",
     "SupervisePlan",
     "TOOLS",
+    "EGRESS_PROXY_FORWARD_PROXY",
+    "EGRESS_PROXY_INTROSPECT_URL",
     "TOOL_CAPABILITY_BLOCK",
     "TOOL_EGRESS_PROXY_BLOCK",
+    "TOOL_LIST_EGRESS_PROXY_ROUTES",
     "TOOL_PIPELOCK_BLOCK",
     "archive_proposal",
     "audit_dir",