feat(egress-proxy): cutover from cred-proxy (PRD 0017 chunk 2)

Hard cutover. cred-proxy is deleted; egress-proxy is now the agent's
HTTP_PROXY (when routes are declared) with pipelock on its outbound
leg. Two per-bottle CAs are minted: egress-proxy's (agent trust
store) and pipelock's (egress-proxy's outbound trust store).

Manifest:
  - `bottle.cred_proxy` → hard error with a migration recipe.
  - `bottle.egress_proxy` is the new shape (PRD 0017 chunk 1).
  - CredProxy* types + role validators removed.

Wiring:
  - launch.py: `egress_proxy_tls_init` mints the egress-proxy CA
    (cert+key concat for mitmproxy + cert-only for agent trust);
    `DockerEgressProxy.start` docker-cps both CAs in, sets
    `HTTPS_PROXY=pipelock` + `EGRESS_PROXY_UPSTREAM_CA` so mitmdump
    trusts pipelock's MITM. Agent's HTTP_PROXY points at
    egress-proxy when routes exist, else falls back to pipelock
    (no-routes bottles unchanged).
  - prepare.py / backend.py: `cred_proxy` arg → `egress_proxy`;
    sidecar-orphan probe + plan field + dashboard view all
    renamed.
  - provision_ca: selects the egress-proxy CA when present, else
    pipelock's (filename renamed to claude-bottle-mitm-ca.crt).
  - bottle.provision: cred-proxy dotfile rewrites (~/.npmrc,
    ~/.gitconfig insteadOf, tea config) are gone — HTTP_PROXY
    catches everything respecting it.

Pipelock helpers:
  - `pipelock_token_hosts` → `pipelock_route_hosts` (now reading
    egress_proxy.routes).
  - cred-proxy hostname auto-allow → egress-proxy hostname
    auto-allow.
  - Anthropic seed-phrase workaround now triggers when an
    egress_proxy route targets api.anthropic.com (was based on the
    cred-proxy `anthropic-base-url` role).

Dockerfile.egress-proxy:
  - Entrypoint conditionally passes
    `--set ssl_verify_upstream_trusted_ca=$EGRESS_PROXY_UPSTREAM_CA`
    (via the `${VAR:+...}` shell expansion) so standalone runs without
    a mounted pipelock CA still boot.
  - mkdirs `/home/mitmproxy/.mitmproxy` ahead of `docker cp`.

Deleted: claude_bottle/{cred_proxy,cred_proxy_server}.py,
backend/docker/{cred_proxy,provision/cred_proxy}.py,
Dockerfile.cred-proxy, plus the corresponding unit + integration
tests. backend/docker/cred_proxy_apply.py stays as a stub for
chunk 3 to rewrite (its container-name + routes-path constants
are inlined so it survives without the deleted module).

Test changes:
  - test_pipelock_allowlist rewritten against egress-proxy routes
    + the new `pipelock_route_hosts`.
  - test_manifest_md_load + test_pipelock_yaml + test_yaml_subset
    fixtures migrated to the `egress_proxy: { routes: [...] }`
    shape.
  - test_supervise_sidecar's round-trip test switched from
    `dashboard.approve` to `dashboard.reject`: the approval-apply
    path on cred-proxy-block proposals hits a deleted sidecar in
    chunk 2's transitional state. Chunk 3 restores the approval
    test once the remediation flow is retargeted at egress-proxy.

376 tests pass (was 427; net delta is removed cred-proxy tests).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/backend/docker/bottle_plan.py

@@ -11,7 +11,7 @@ import sys
 from dataclasses import dataclass, field
 from pathlib import Path
 
-from ...cred_proxy import CredProxyPlan
+from ...egress_proxy import EgressProxyPlan
 from ...git_gate import GitGatePlan
 from ...log import info
 from ...manifest import Agent, Bottle
@@ -58,7 +58,7 @@ class DockerBottlePlan(BottlePlan):
     prompt_file: Path
     proxy_plan: PipelockProxyPlan
     git_gate_plan: GitGatePlan
-    cred_proxy_plan: CredProxyPlan
+    egress_proxy_plan: EgressProxyPlan
     # None when bottle.supervise is False. PRD 0013 supervise sidecar
     # is opt-in via the manifest's bottle.supervise field.
     supervise_plan: SupervisePlan | None
@@ -72,10 +72,11 @@ class DockerBottlePlan(BottlePlan):
         bottle = manifest.bottle_for(spec.agent_name)
         # The agent sees the union of literal env names (rendered into
         # --env-file) and forwarded env names (`-e NAME` with the value
-        # arriving via subprocess env). The forwarded set already
-        # reflects PRD 0010's switch — when cred-proxy holds the
-        # anthropic token, CLAUDE_CODE_OAUTH_TOKEN is absent and
-        # ANTHROPIC_BASE_URL is present.
+        # arriving via subprocess env). The forwarded set holds the
+        # OAuth token (CLAUDE_CODE_OAUTH_TOKEN) and any host-env
+        # interpolations from the manifest; egress-proxy holds upstream
+        # tokens in its own environ, so no token forwarding from the
+        # agent to the proxy is needed.
         env_names = sorted(set(bottle.env.keys()) | set(self.forwarded_env.keys()))
         return _PlanView(
             agent=agent,
@@ -120,16 +121,25 @@ class DockerBottlePlan(BottlePlan):
             info(f"  git gate      : {'; '.join(git_lines)}")
         else:
             info("  git remotes   : (none)")
-        if self.cred_proxy_plan.routes:
-            lines = [f"{r.path}→{r.upstream}" for r in self.cred_proxy_plan.routes]
-            refs = sorted({r.token_ref for r in self.cred_proxy_plan.routes})
-            info(f"  cred-proxy    : {len(lines)} route(s); tokens: {', '.join(refs)}")
+        if self.egress_proxy_plan.routes:
+            lines = []
+            for r in self.egress_proxy_plan.routes:
+                paths = (
+                    " " + ",".join(r.path_allowlist) if r.path_allowlist else ""
+                )
+                auth = f" [auth:{r.auth_scheme}]" if r.auth_scheme else ""
+                lines.append(f"{r.host}{auth}{paths}")
+            refs = sorted({r.token_ref for r in self.egress_proxy_plan.routes if r.token_ref})
+            tokens_part = (
+                f"; tokens: {', '.join(refs)}" if refs else ""
+            )
+            info(f"  egress-proxy  : {len(lines)} route(s){tokens_part}")
             for line in lines:
                 info(f"                  {line}")
         else:
-            info("  cred-proxy    : (none)")
+            info("  egress-proxy  : (none)")
         info(f"  egress        : {self.allowlist_summary}")
-        info("  tls intercept : pipelock (per-bottle ephemeral CA, generated at launch)")
+        info("  tls intercept : egress-proxy (per-bottle ephemeral CA, generated at launch)")
         if self.supervise_plan is not None:
             info(
                 f"  supervise     : enabled; queue at {self.supervise_plan.queue_dir}"
@@ -166,23 +176,22 @@ class DockerBottlePlan(BottlePlan):
                 }
                 for u in self.git_gate_plan.upstreams
             ],
-            "cred_proxy": [
+            "egress_proxy": [
                 {
-                    "path": r.path,
-                    "upstream": r.upstream,
+                    "host": r.host,
+                    "path_allowlist": list(r.path_allowlist),
                     "auth_scheme": r.auth_scheme,
                     "token_ref": r.token_ref,
-                    "roles": list(r.roles),
                 }
-                for r in self.cred_proxy_plan.routes
+                for r in self.egress_proxy_plan.routes
             ],
             "egress": {
                 "host_count": len(hosts),
                 "hosts": hosts,
-                # PRD 0006: pipelock's `tls_interception` block is on
-                # for every launched bottle. ca_fingerprint is always
-                # null at dry-run because the CA doesn't exist yet —
-                # real launches print the fingerprint to stderr from
+                # PRD 0017: TLS interception moved from pipelock to
+                # egress-proxy. ca_fingerprint is always null at
+                # dry-run because the CA doesn't exist yet — real
+                # launches print the fingerprint to stderr from
                 # provision_ca. Reserved field for forward-compat.
                 "tls_interception": {
                     "enabled": True,