feat(egress-proxy): cutover from cred-proxy (PRD 0017 chunk 2)

Hard cutover. cred-proxy is deleted; egress-proxy is now the agent's
HTTP_PROXY (when routes are declared) with pipelock on its outbound
leg. Two per-bottle CAs are minted: egress-proxy's (agent trust
store) and pipelock's (egress-proxy's outbound trust store).

Manifest:
  - `bottle.cred_proxy` → hard error with a migration recipe.
  - `bottle.egress_proxy` is the new shape (PRD 0017 chunk 1).
  - CredProxy* types + role validators removed.

Wiring:
  - launch.py: `egress_proxy_tls_init` mints the egress-proxy CA
    (cert+key concat for mitmproxy + cert-only for agent trust);
    `DockerEgressProxy.start` docker-cps both CAs in, sets
    `HTTPS_PROXY=pipelock` + `EGRESS_PROXY_UPSTREAM_CA` so mitmdump
    trusts pipelock's MITM. Agent's HTTP_PROXY points at
    egress-proxy when routes exist, else falls back to pipelock
    (no-routes bottles unchanged).
  - prepare.py / backend.py: `cred_proxy` arg → `egress_proxy`;
    sidecar-orphan probe + plan field + dashboard view all
    renamed.
  - provision_ca: selects the egress-proxy CA when present, else
    pipelock's (filename renamed to claude-bottle-mitm-ca.crt).
  - bottle.provision: cred-proxy dotfile rewrites (~/.npmrc,
    ~/.gitconfig insteadOf, tea config) are gone — HTTP_PROXY
    catches everything respecting it.

Pipelock helpers:
  - `pipelock_token_hosts` → `pipelock_route_hosts` (now reading
    egress_proxy.routes).
  - cred-proxy hostname auto-allow → egress-proxy hostname
    auto-allow.
  - Anthropic seed-phrase workaround now triggers when an
    egress_proxy route targets api.anthropic.com (was based on the
    cred-proxy `anthropic-base-url` role).

Dockerfile.egress-proxy:
  - Entrypoint conditionally passes
    `--set ssl_verify_upstream_trusted_ca=$EGRESS_PROXY_UPSTREAM_CA`
    (via the `${VAR:+...}` shell expansion) so standalone runs without
    a mounted pipelock CA still boot.
  - mkdirs `/home/mitmproxy/.mitmproxy` ahead of `docker cp`.

Deleted: claude_bottle/{cred_proxy,cred_proxy_server}.py,
backend/docker/{cred_proxy,provision/cred_proxy}.py,
Dockerfile.cred-proxy, plus the corresponding unit + integration
tests. backend/docker/cred_proxy_apply.py stays as a stub for
chunk 3 to rewrite (its container-name + routes-path constants
are inlined so it survives without the deleted module).

Test changes:
  - test_pipelock_allowlist rewritten against egress-proxy routes
    + the new `pipelock_route_hosts`.
  - test_manifest_md_load + test_pipelock_yaml + test_yaml_subset
    fixtures migrated to the `egress_proxy: { routes: [...] }`
    shape.
  - test_supervise_sidecar's round-trip test switched from
    `dashboard.approve` to `dashboard.reject`: the approval-apply
    path on cred-proxy-block proposals hits a deleted sidecar in
    chunk 2's transitional state. Chunk 3 restores the approval
    test once the remediation flow is retargeted at egress-proxy.

376 tests pass (was 427; net delta is removed cred-proxy tests).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/backend/docker/prepare.py

@@ -15,17 +15,13 @@ from datetime import datetime, timezone
 from pathlib import Path
 
 from ... import pipelock
-from ...cred_proxy import cred_proxy_render_routes
+from ...egress_proxy import egress_proxy_render_routes
 from ...env import ResolvedEnv, resolve_env
 from ...log import die
 from .. import BottleSpec
 from . import util as docker_mod
 from .bottle_plan import DockerBottlePlan
-from .cred_proxy import (
-    DockerCredProxy,
-    cred_proxy_container_name,
-    cred_proxy_url,
-)
+from .egress_proxy import DockerEgressProxy, egress_proxy_container_name
 from .git_gate import DockerGitGate, git_gate_container_name
 from .bottle_state import (
     BottleMetadata,
@@ -46,7 +42,7 @@ def resolve_plan(
     stage_dir: Path,
     proxy: DockerPipelockProxy,
     git_gate: DockerGitGate,
-    cred_proxy: DockerCredProxy,
+    egress_proxy: DockerEgressProxy,
     supervise: DockerSupervise,
 ) -> DockerBottlePlan:
     """Resolve Docker-specific names and write scratch files. Trusts
@@ -127,15 +123,15 @@ def resolve_plan(
     # surface as a docker-create conflict deep inside launch() with no
     # actionable hint. Fail fast here with a cleanup pointer instead.
     # Only probe sidecars this launch will actually try to create:
-    # pipelock always; git-gate when bottle.git is non-empty; cred-proxy
-    # when bottle.cred_proxy.routes is non-empty.
+    # pipelock always; git-gate when bottle.git is non-empty;
+    # egress-proxy when bottle.egress_proxy.routes is non-empty.
     sidecar_probes: list[tuple[str, str]] = [
         ("pipelock", pipelock_container_name(slug)),
     ]
     if bottle.git:
         sidecar_probes.append(("git-gate", git_gate_container_name(slug)))
-    if bottle.cred_proxy.routes:
-        sidecar_probes.append(("cred-proxy", cred_proxy_container_name(slug)))
+    if bottle.egress_proxy.routes:
+        sidecar_probes.append(("egress-proxy", egress_proxy_container_name(slug)))
     if bottle.supervise:
         sidecar_probes.append(("supervise", supervise_container_name(slug)))
     for label, sidecar_name in sidecar_probes:
@@ -154,10 +150,13 @@ def resolve_plan(
 
     proxy_plan = proxy.prepare(bottle, slug, stage_dir)
     git_gate_plan = git_gate.prepare(bottle, slug, stage_dir)
-    cred_proxy_plan = cred_proxy.prepare(bottle, slug, stage_dir)
+    egress_proxy_plan = egress_proxy.prepare(bottle, slug, stage_dir)
     supervise_plan = None
     if bottle.supervise:
-        routes_content = cred_proxy_render_routes(cred_proxy_plan.routes) if cred_proxy_plan.routes else ""
+        routes_content = (
+            egress_proxy_render_routes(egress_proxy_plan.routes)
+            if egress_proxy_plan.routes else ""
+        )
         allowlist_content = "\n".join(pipelock.pipelock_effective_allowlist(bottle)) + "\n"
         # Current Dockerfile for the agent image. Read from the repo
         # root; for `--cwd` derived images the base Dockerfile is what
@@ -176,36 +175,21 @@ def resolve_plan(
     # never lands on argv or in env_file) goes into one dict. Nothing
     # mutates the host os.environ.
     forwarded_env: dict[str, str] = dict(resolved.forwarded)
-    # Find the (at most one) cred-proxy route claiming the
-    # anthropic-base-url role. Manifest validation enforces the
-    # singleton constraint. cred-proxy is the only path the Anthropic
-    # OAuth token reaches the bottle — there is no fallback that
-    # forwards it into the agent's environ directly. Bottles that
-    # need claude-code to authenticate must declare an
-    # anthropic-base-url route.
-    anthropic_route = next(
-        (r for r in cred_proxy_plan.routes if "anthropic-base-url" in r.roles),
-        None,
+    # When the bottle declares an egress-proxy route for the Anthropic
+    # OAuth flow, claude-code's outbound Authorization gets stripped +
+    # re-injected by egress-proxy. The agent's environ still needs
+    # *something* claude-code recognises as a credential or it refuses
+    # to start; ship a non-secret placeholder. The placeholder is not
+    # any real `auth.token_ref` value, so leaking it would tell an
+    # attacker only that egress-proxy is in front.
+    has_anthropic_auth = any(
+        r.token_ref == "CLAUDE_CODE_OAUTH_TOKEN"
+        for r in egress_proxy_plan.routes
     )
-    if anthropic_route is not None:
-        # Point claude-code at the cred-proxy. The sidecar holds the
-        # OAuth token; the agent's environ does not. Strip the
-        # trailing slash so claude-code's path-join produces e.g.
-        # http://cred-proxy:9099/anthropic/v1/messages.
-        forwarded_env["ANTHROPIC_BASE_URL"] = (
-            f"{cred_proxy_url()}{anthropic_route.path}".rstrip("/")
-        )
-        # claude-code refuses to start without *some* credential in
-        # its env. The proxy strips inbound Authorization on every
-        # request and injects the real one — so a non-secret
-        # placeholder is sufficient and the SC1 test still holds
-        # (the placeholder is not a `cred_proxy.routes[].TokenRef`
-        # value). The agent cannot exfiltrate this string because
-        # it carries no meaning to api.anthropic.com.
-        forwarded_env["CLAUDE_CODE_OAUTH_TOKEN"] = "cred-proxy-placeholder"
-        # Belt-and-braces: turn off telemetry endpoints that don't
-        # route through ANTHROPIC_BASE_URL (statsig, error reporting).
-        # PRD 0010 open question default.
+    if has_anthropic_auth:
+        forwarded_env["CLAUDE_CODE_OAUTH_TOKEN"] = "egress-proxy-placeholder"
+        # Belt-and-braces: turn off telemetry endpoints (statsig,
+        # error reporting) that egress-proxy can't gate by auth.
         forwarded_env.setdefault("CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC", "1")
         forwarded_env.setdefault("DISABLE_ERROR_REPORTING", "1")
     _write_env_file(resolved, env_file)
@@ -229,7 +213,7 @@ def resolve_plan(
         prompt_file=prompt_file,
         proxy_plan=proxy_plan,
         git_gate_plan=git_gate_plan,
-        cred_proxy_plan=cred_proxy_plan,
+        egress_proxy_plan=egress_proxy_plan,
         supervise_plan=supervise_plan,
         allowlist_summary=allowlist_summary,
         use_runsc=use_runsc,