refactor(pipelock): drop bottle.ssh carve-outs

PRD 0007: SSH traffic now flows through the per-agent ssh-gate
sidecar, so pipelock should know nothing about bottle.ssh.

Removed:
- pipelock_bottle_ssh_hostnames, _trusted_domains, _ip_cidrs.
- The trusted_domains / ssrf blocks built from ssh entries.
- pipelock_proxy_host_port — its last caller (the ssh provisioner)
  is gone.
- is_ipv4_literal — only used to classify ssh hostnames into
  trusted_domains vs ssrf.ip_allowlist, both of which are gone.

api_allowlist now derives solely from baked-in defaults +
bottle.egress.allowlist. Tests updated to pin the new shape and
assert ssh hostnames do NOT leak into pipelock's config.

tests/unit/test_pipelock_yaml.py

@@ -34,23 +34,25 @@ class TestBuildConfig(unittest.TestCase):
         # Baked defaults always present.
         self.assertIn("api.anthropic.com", cast(list[str], cfg["api_allowlist"]))
         self.assertIn("raw.githubusercontent.com", cast(list[str], cfg["api_allowlist"]))
-        # No SSH entries → no trusted_domains, no ssrf.
+        # PRD 0007: pipelock has no SSH carve-outs at all — neither
+        # trusted_domains nor ssrf are ever emitted from bottle data
+        # in v1.
         self.assertNotIn("trusted_domains", cfg)
         self.assertNotIn("ssrf", cfg)
         # Without CA paths, the tls_interception block is omitted —
         # pipelock falls back to its built-in default of `enabled: false`.
         self.assertNotIn("tls_interception", cfg)
 
-    def test_ssh_shape(self):
+    def test_ssh_entries_do_not_leak_into_pipelock(self):
+        # PRD 0007: bottle.ssh routes through the ssh-gate sidecar,
+        # so pipelock's config must not reflect those hostnames or
+        # IPs in any of its blocks.
         cfg = pipelock_build_config(fixture_with_ssh().bottles["dev"])
-        self.assertIn("github.com", cast(list[str], cfg["trusted_domains"]))
-        self.assertNotIn("100.78.141.42", cast(list[str], cfg["trusted_domains"]))
-        self.assertIn(
-            "100.78.141.42/32",
-            cast(dict[str, Any], cfg["ssrf"])["ip_allowlist"],
-        )
-        # Strict mode: IPv4 host is also in the api_allowlist union.
-        self.assertIn("100.78.141.42", cast(list[str], cfg["api_allowlist"]))
+        allow = cast(list[str], cfg["api_allowlist"])
+        self.assertNotIn("github.com", allow)
+        self.assertNotIn("100.78.141.42", allow)
+        self.assertNotIn("trusted_domains", cfg)
+        self.assertNotIn("ssrf", cfg)
 
     def test_tls_interception_block_emitted_when_paths_supplied(self):
         # PRD 0006: paths flow in via DockerPipelockProxy's in-container
@@ -95,12 +97,13 @@ class TestRenderAndWrite(unittest.TestCase):
         for required in (
             "api_allowlist:",
             "forward_proxy:",
-            "trusted_domains:",
-            "ssrf:",
             "dlp:",
             "request_body_scanning:",
         ):
             self.assertIn(required, text)
+        # PRD 0007: no ssh carve-outs in the rendered yaml.
+        self.assertNotIn("trusted_domains:", text)
+        self.assertNotIn("ssrf:", text)
 
     def test_prepare_writes_file_at_mode_600(self):
         plan = DockerPipelockProxy().prepare(