feat(pipelock): enforce DLP body-scan hits by default

Adds bottle.egress.dlp_action ("block" | "warn", default block) and
wires it into pipelock as request_body_scanning.action. Pipelock's
own default is "warn", which previously meant claude-bottle detected
credential patterns in outbound bodies but forwarded the request
anyway.

The matching integration test posts a manifest env var shaped like
a GitHub PAT to api.anthropic.com via plain HTTP forward proxy so
pipelock can see the body. Pipelock answers 403 from its body-scan
layer instead of forwarding to the upstream.

Behavior change: bottles without an explicit egress.dlp_action now
block on body-scan hits. Set egress.dlp_action: "warn" to restore
the prior detect-only behavior.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/pipelock.py

@@ -110,6 +110,12 @@ def pipelock_build_config(bottle: Bottle) -> dict[str, object]:
     if ip_cidrs:
         cfg["ssrf"] = {"ip_allowlist": ip_cidrs}
     cfg["dlp"] = {"include_defaults": True, "scan_env": True}
+    # Body-scan enforcement is a separate pipelock section (each DLP
+    # "surface" — body, MCP, response — has its own action). Pipelock's
+    # built-in default for request_body_scanning is "warn" (forward
+    # with a log line); claude-bottle's default is "block" so a hit
+    # actually stops the request from leaving the egress network.
+    cfg["request_body_scanning"] = {"action": bottle.egress.dlp_action}
     return cfg
 
 
@@ -149,6 +155,10 @@ def pipelock_render_yaml(cfg: dict[str, object]) -> str:
     dlp = cast(dict[str, object], cfg["dlp"])
     lines.append(f"  include_defaults: {_bool(dlp['include_defaults'])}")
     lines.append(f"  scan_env: {_bool(dlp['scan_env'])}")
+    lines.append("")
+    lines.append("request_body_scanning:")
+    rbs = cast(dict[str, object], cfg["request_body_scanning"])
+    lines.append(f'  action: "{rbs["action"]}"')
     return "\n".join(lines) + "\n"