revert(egress-proxy): drop wildcard host support entirely

The apex-vs-subdomain question, the cert/SNI mismatch when
pipelock-passthrough hosts have wildcard certs, and the
mirror-divergence corner cases stacked up faster than the feature
earned its keep. Going back to exact-host match only.

Addon (`match_route`): single pass, case-insensitive exact match.
`*.foo.com` in a route table is now a literal string that won't
match anything — operators that want subdomains declare them
individually.

Pipelock mirror (`_pipelock_safe_hosts`): silently drops hosts
that don't fit pipelock's `[A-Za-z0-9_.-]+` charset (wildcards,
IPv6 literals, stray chars). Previously normalised wildcards to
their suffix; now just drops them, which matches egress-proxy's
behavior of not matching them either.

8 wildcard test cases removed; 2 lightweight "wildcards are not
supported" assertions retained as documentation. 386 unit pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

tests/unit/test_egress_proxy_apply.py

@@ -197,45 +197,30 @@ class TestPipelockSafeHosts(unittest.TestCase):
             _pipelock_safe_hosts(["api.github.com", "registry.npmjs.org"]),
         )
 
-    def test_strips_wildcard_prefix(self):
-        # `*.example.com` becomes `example.com` — pipelock pins the
-        # suffix, egress-proxy keeps the wildcard on its side.
+    def test_drops_wildcards(self):
+        # Wildcard host matching was removed from egress-proxy too,
+        # so a `*.foo.com` route is dead weight anyway; we drop it
+        # entirely from the pipelock mirror so the apply doesn't
+        # fail parse.
         self.assertEqual(
-            ["example.com", "api.github.com"],
+            ["api.github.com"],
             _pipelock_safe_hosts(["*.example.com", "api.github.com"]),
         )
 
-    def test_wildcard_strips_one_label_not_recursive(self):
-        # `*.foo.bar.com` → `foo.bar.com` (one strip of `*.`).
-        self.assertEqual(
-            ["foo.bar.com"],
-            _pipelock_safe_hosts(["*.foo.bar.com"]),
-        )
-
     def test_drops_bare_wildcard(self):
-        # `*` alone would normalise to empty; nothing useful to send
-        # to pipelock.
         self.assertEqual([], _pipelock_safe_hosts(["*"]))
 
-    def test_strips_ipv6_literals(self):
-        # Brackets aren't in pipelock's allowed charset either.
+    def test_drops_ipv6_literals(self):
         self.assertEqual(
             ["api.example.com"],
             _pipelock_safe_hosts(["[::1]", "api.example.com"]),
         )
 
-    def test_dedupes_after_normalisation(self):
-        # `*.example.com` + `example.com` both yield `example.com`.
-        self.assertEqual(
-            ["example.com"],
-            _pipelock_safe_hosts(["*.example.com", "example.com"]),
-        )
-
     def test_preserves_order(self):
         self.assertEqual(
             ["a.example", "b.example", "c.example"],
             _pipelock_safe_hosts([
-                "a.example", "weird host", "b.example", "*", "c.example",
+                "a.example", "*.junk", "b.example", "weird host", "c.example",
             ]),
         )