refactor(manifest): drop bottle.egress field, egress_proxy is the only allowlist

Goal: one allowlist surface (egress_proxy.routes), no second
free-form `egress:` knob. Anything that used to live there now
goes in `egress_proxy.routes` as a bare-pass entry
(`- host: <name>`).

Removed:
  - `BottleEgress` dataclass + DLP_ACTIONS constant + bottle.egress
    field on `Bottle`.
  - `pipelock_bottle_allowlist` helper.
  - `pipelock_allowlist_summary` helper (the compact preflight
    summary stopped using it after PR #31).
  - `allowlist_summary` field on `DockerBottlePlan`.
  - `bottle.egress.allowlist` folding in
    `egress_proxy_routes_for_bottle` — only DEFAULT_ALLOWLIST
    auto-folds now.
  - The two-branch logic in `pipelock_effective_allowlist`
    (egress-proxy-present vs not) — pipelock now just mirrors
    `egress_proxy_routes_for_bottle` unconditionally.

Hard-coded:
  - `request_body_scanning.action = "block"` in
    `pipelock_build_config` (was driven by
    `bottle.egress.dlp_action`). The previous default was already
    "block" — the knob to switch to "warn" was a foot-gun in a
    sandboxed agent context, so it's gone.

Tests:
  - `test_pipelock_allowlist.py` rewritten to assert the
    mirrored-from-egress-proxy semantics directly.
  - `test_manifest_md_load.py`, `test_pipelock_yaml.py`,
    `test_egress_proxy.py` fixtures migrated to put hosts in
    `egress_proxy.routes` instead of `egress.allowlist`.

Local bottle migrated too: `~/.claude-bottle/bottles/dev.md`
loses the `egress: { allowlist: [example.com] }` block, picks up
a bare-pass `- host: example.com` route.

409 unit + integration tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

tests/unit/test_manifest_md_load.py

@@ -28,9 +28,7 @@ _BOTTLE_DEV = """
           auth:
             scheme: Bearer
             token_ref: CLAUDE_CODE_OAUTH_TOKEN
-    egress:
-      allowlist:
-        - example.com
+        - host: example.com
     ---
 
     The dev bottle. Anthropic OAuth via egress-proxy.
@@ -88,11 +86,11 @@ class TestBottleFileParses(_ResolveCase):
         m = self.resolve()
         self.assertIn("dev", m.bottles)
         routes = m.bottles["dev"].egress_proxy.routes
-        self.assertEqual(1, len(routes))
+        self.assertEqual(2, len(routes))
         self.assertEqual("api.anthropic.com", routes[0].Host)
         self.assertEqual("Bearer", routes[0].AuthScheme)
         self.assertEqual("CLAUDE_CODE_OAUTH_TOKEN", routes[0].TokenRef)
-        self.assertEqual(["example.com"], list(m.bottles["dev"].egress.allowlist))
+        self.assertEqual("example.com", routes[1].Host)
 
 
 class TestAgentFileParses(_ResolveCase):
@@ -134,7 +132,7 @@ class TestCwdAgentOverridesHome(_ResolveCase):
         m = self.resolve()
         self.assertIn("CWD-OVERRIDE-PROMPT", m.agents["implementer"].prompt)
         # Home bottle still present
-        self.assertEqual(1, len(m.bottles["dev"].egress_proxy.routes))
+        self.assertEqual(2, len(m.bottles["dev"].egress_proxy.routes))
 
 
 class TestCwdBottlesIgnored(_ResolveCase):