refactor(pipelock): drop bottle.ssh carve-outs

PRD 0007: SSH traffic now flows through the per-agent ssh-gate
sidecar, so pipelock should know nothing about bottle.ssh.

Removed:
- pipelock_bottle_ssh_hostnames, _trusted_domains, _ip_cidrs.
- The trusted_domains / ssrf blocks built from ssh entries.
- pipelock_proxy_host_port — its last caller (the ssh provisioner)
  is gone.
- is_ipv4_literal — only used to classify ssh hostnames into
  trusted_domains vs ssrf.ip_allowlist, both of which are gone.

api_allowlist now derives solely from baked-in defaults +
bottle.egress.allowlist. Tests updated to pin the new shape and
assert ssh hostnames do NOT leak into pipelock's config.

claude_bottle/backend/docker/pipelock.py

@@ -37,10 +37,6 @@ def pipelock_proxy_url(slug: str) -> str:
     return f"http://{pipelock_container_name(slug)}:{PIPELOCK_PORT}"
 
 
-def pipelock_proxy_host_port(slug: str) -> str:
-    return f"{pipelock_container_name(slug)}:{PIPELOCK_PORT}"
-
-
 def pipelock_tls_init(stage_dir: Path) -> tuple[Path, Path]:
     """Generate a fresh per-bottle CA via a one-shot pipelock container.