feat(pipelock): enforce DLP body-scan hits by default

Adds bottle.egress.dlp_action ("block" | "warn", default block) and
wires it into pipelock as request_body_scanning.action. Pipelock's
own default is "warn", which previously meant claude-bottle detected
credential patterns in outbound bodies but forwarded the request
anyway.

The matching integration test posts a manifest env var shaped like
a GitHub PAT to api.anthropic.com via plain HTTP forward proxy so
pipelock can see the body. Pipelock answers 403 from its body-scan
layer instead of forwarding to the upstream.

Behavior change: bottles without an explicit egress.dlp_action now
block on body-scan hits. Set egress.dlp_action: "warn" to restore
the prior detect-only behavior.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

tests/unit/test_pipelock_yaml.py

@@ -27,6 +27,10 @@ class TestBuildConfig(unittest.TestCase):
         self.assertEqual(
             {"include_defaults": True, "scan_env": True}, cfg["dlp"]
         )
+        # Default body-scan action is "block" — see BottleEgress.dlp_action.
+        self.assertEqual(
+            {"action": "block"}, cfg["request_body_scanning"]
+        )
         # Baked defaults always present.
         self.assertIn("api.anthropic.com", cast(list[str], cfg["api_allowlist"]))
         self.assertIn("raw.githubusercontent.com", cast(list[str], cfg["api_allowlist"]))
@@ -66,6 +70,7 @@ class TestRenderAndWrite(unittest.TestCase):
             "trusted_domains:",
             "ssrf:",
             "dlp:",
+            "request_body_scanning:",
         ):
             self.assertIn(required, text)