docs: remove pipelock references from README, examples, and test docs

Pipelock was removed in PR #193. Update the five remaining places
where current documentation (README, examples/bottles/claude.md,
tests/README.md, docs/ci.md, sidecar_bundle.py comment) still
described the old pipelock + cred-proxy topology.

README.md

@@ -27,7 +27,7 @@
 
 ## Architecture
 
-A bottle is two containers per agent: an `agent` container, and a `sidecars` container that bundles pipelock + cred-proxy + git-gate + supervise behind a Python init supervisor. They share a per-agent Docker `--internal` network; the agent has no default route off-box.
+A bottle is two containers per agent: an `agent` container, and a `sidecars` container that bundles egress + git-gate + supervise behind a Python init supervisor. They share a per-agent Docker `--internal` network; the agent has no default route off-box.
 
 ```
                             host  ( ./cli.py )
@@ -36,31 +36,25 @@ A bottle is two containers per agent: an `agent` container, and a `sidecars` con
                                   ▼
    ┌─────────────────────────── bottle ──────────────────────────────────┐
    │                                                                     │
-   │   ┌──────────────────┐                   ┌──────────────┐           │
+   │   ┌──────────────────┐                   ┌──────────────────────┐   │
-   │   │ agent image      │   HTTP(S) proxy   │ cred-proxy   │           │
+   │   │ agent image      │   HTTP(S) proxy   │ egress image         │   │
-   │   │ (claude-code,    │ ─────────────────►│ (strips/inj  │           │
+   │   │ (claude-code,    │ ─────────────────►│ (mitmproxy; TLS bump │   │  HTTPS to
-   │   │  codex, etc)     │                   │  Authoriz.)  │           │
+   │   │  codex, etc)     │                   │  DLP scan, path      │───┼──►  allowlisted
-   │   │                  │                   └──────┬───────┘           │
+   │   │                  │                   │  matching, auth      │   │     hosts
-   │   │ environ: URLs    │                          │                   │
+   │   │ environ: proxy   │                   │  injection)          │   │
-   │   │ only, no real    │                          ▼                   │
+   │   │ URLs only, no    │                   └──────────────────────┘   │
-   │   │ tokens           │                  ┌────────────────┐          │  HTTPS to
+   │   │ real tokens      │                                              │
-   │   │                  │                  │ pipelock image │──────────┼──►  allowlisted
-   │   │                  │                  │ (TLS bump, DLP │          │     hosts (incl.
-   │   │                  │                  │  body scan,    │          │      cred-proxy
-   │   │                  │                  │  allowlist)    │          │      upstreams)
-   │   │                  │                  └────────────────┘          │
-   │   │                  │                                              │
    │   │                  │    git proxy     ┌────────────────┐          │  SSH push/fetch
    │   │                  │ ────────────────►│ git-gate image │──────────┼──►  to bottle.git
    │   │                  │                  │ (gitleaks +    │          │      upstreams
    │   └──────────────────┘                  │  git daemon)   │          │     (direct — not
-   │                                         └────────────────┘          │      via pipelock)
+   │                                         └────────────────┘          │      via egress)
    │                                                                     │
-   │   agent on internal network (no default route); pipelock,           │
+   │   agent on internal network (no default route); egress and          │
-   │   cred-proxy, and git-gate straddle internal + egress networks.     │
+   │   git-gate straddle internal + egress networks.                     │
-   │   pipelock is the single HTTP/HTTPS chokepoint — cred-proxy's       │
+   │   egress is the single HTTP/HTTPS chokepoint — all agent HTTP/HTTPS │
-   │   outbound traverses it too. git-gate's SSH egress is direct        │
+   │   traffic flows through it. git-gate's SSH egress is direct         │
-   │   because pipelock is HTTP-only.                                    │
+   │   because egress is HTTP-only.                                      │
    └─────────────────────────────────────────────────────────────────────┘
 ```
 
@@ -104,8 +98,6 @@ egress:
       auth:
         scheme: token
         token_ref: BOT_BOTTLE_GITEA_TOKEN
-      pipelock:
-        ssrf_ip_allowlist: [100.78.141.42/32]
 ---
 
 The `gitea-dev` bottle. Provider auth via the inherited Claude route;

bot_bottle/backend/docker/sidecar_bundle.py

@@ -14,8 +14,7 @@ import os
 
 # Bundle image. Defaults to a built-locally tag (built from the
 # repo's Dockerfile.sidecars via compose `build:`). Operators
-# pinning to a published digest can override via env, matching
+# pinning to a published digest can override via env.
-# the existing `BOT_BOTTLE_PIPELOCK_IMAGE` shape.
 SIDECAR_BUNDLE_IMAGE = os.environ.get(
     "BOT_BOTTLE_SIDECAR_IMAGE",
     "bot-bottle-sidecars:latest",

docs/ci.md

@@ -22,7 +22,9 @@ mounted in. That topology breaks two assumptions those tests make:
   `http://127.0.0.1:<host_port>` from inside the job time out.
 
 The affected tests (`test_orphan_cleanup.test_create_and_remove`,
-`test_pipelock_sidecar_smoke.test_smoke`) still run locally where the
+`test_sidecar_bundle_image.TestSidecarBundleImage`,
-test process and Docker daemon share a host. Making them work in CI
+`test_sidecar_bundle_compose.TestSidecarBundleCompose`) still run
-is a follow-up: either re-write them to discover container IPs via
+locally where the test process and Docker daemon share a host.
-`docker inspect`, or reconfigure the runner with host networking.
+Making them work in CI is a follow-up: either re-write them to
+discover container IPs via `docker inspect`, or reconfigure the
+runner with host networking.

examples/bottles/claude.md

@@ -9,8 +9,6 @@ egress:
       auth:
         scheme: Bearer
         token_ref: BOT_BOTTLE_CLAUDE_OAUTH_TOKEN
-      pipelock:
-        tls_passthrough: true
 ---
 
 Common Claude provider boundary. Drop this file into

tests/README.md

@@ -11,16 +11,19 @@ tests/
   fixtures.py                       # JSON manifest builders (shared)
   _docker.py                        # docker-availability skip helper (shared)
   unit/
-    test_pipelock_classify.py
+    test_egress.py
-    test_pipelock_allowlist.py
+    test_egress_addon_core.py
-    test_pipelock_yaml.py
+    test_manifest_egress.py
+    test_dlp_detectors.py
     test_manifest_runtime.py
+    ...                             # many others; see unit/ directory
   integration/
-    test_pipelock_sidecar_smoke.py
+    test_sidecar_bundle_image.py
+    test_sidecar_bundle_compose.py
     test_dry_run_plan.py
     test_orphan_cleanup.py
-  canaries/
+    ...
-    test_pipelock_image.py          # opt-in; see below
+  canaries/                         # opt-in; see below (currently empty)
 ```
 
 Classification falls out of the directory — no hand-maintained list to
@@ -32,7 +35,7 @@ keep in sync.
 python -m unittest discover -t . -s tests/unit -v         # unit only
 python -m unittest discover -t . -s tests/integration -v  # integration only
 python -m unittest discover -t . -s tests -v              # both (recursive)
-python -m unittest tests.unit.test_pipelock_yaml          # one file
+python -m unittest tests.unit.test_manifest_egress        # one file
 ```
 
 Discovery is invoked with `-t .` (top-level dir = repo root) so the
@@ -46,18 +49,18 @@ Discovery is invoked with `-t .` (top-level dir = repo root) so the
 - `test_orphan_cleanup.py` — `network_remove` is idempotent against
   missing resources, so the EXIT trap can call it unconditionally.
 - `test_sidecar_bundle_image.py` — builds Dockerfile.sidecars and
-  probes that pipelock / gitleaks / mitmdump / supervise are all
+  probes that gitleaks / mitmdump / supervise are all reachable
-  reachable inside the bundle.
+  inside the bundle.
 - `test_sidecar_bundle_compose.py` — end-to-end compose-up of an
   agent + bundle pair; verifies the agent reaches the bundle via
   the legacy network aliases.
 
 ## Canaries
 
-`tests/canaries/` holds upstream-regression checks (e.g. the pinned
+`tests/canaries/` holds upstream-regression checks gated on
-pipelock digest's binary still runs). These are gated on
 `BOT_BOTTLE_RUN_CANARIES=1` and not part of the per-push suite.
-They're invoked by the scheduled `canaries` workflow.
+They're invoked by the scheduled `canaries` workflow. Currently
+no canaries are defined.
 
 ```bash
 BOT_BOTTLE_RUN_CANARIES=1 python -m unittest discover -t . -s tests/canaries -v
@@ -67,7 +70,7 @@ BOT_BOTTLE_RUN_CANARIES=1 python -m unittest discover -t . -s tests/canaries -v
 
 - `bot_bottle/ssh.py` end-to-end (would need a fake SSH host inside
   the container).
-- A live SSH-through-pipelock tunnel against a real Tailscale-style IP.
+- A live SSH-through-git-gate tunnel against a real Tailscale-style IP.
 - DLP false-positive measurements.
 - TLS handling / cert pinning behavior.