refactor(docker): hand forwarded env names through the plan, not a file

Previously prepare wrote two on-disk artifacts that launch consumed:
agent.env (NAME=VALUE) and docker-args (paired -e\nNAME\n lines), with
launch parsing the second back into argv. Docker requires the literals
file on disk for --env-file, but the args-file round-trip was a pure
serialize/deserialize trip with hand-rolled line pairing logic.

Drop docker-args entirely. Pass forwarded names as a structured
tuple[str, ...] field on DockerBottlePlan; launch iterates it directly
to extend docker_args. _write_env_files becomes _write_env_file (only
the literals file remains).

claude_bottle/backend/docker/bottle_plan.py

@@ -28,8 +28,8 @@ class DockerBottlePlan(BottlePlan):
     image: str
     derived_image: str           # "" -> no derived image
     runtime_image: str           # image actually launched (derived or base)
-    env_file: Path
-    args_file: Path
+    env_file: Path               # docker --env-file: NAME=VALUE literals
+    forwarded_env: tuple[str, ...]  # docker -e <NAME>: forwarded by-name
     prompt_file: Path
     proxy_plan: PipelockProxyPlan
     allowlist_summary: str