refactor(docker): drop legacy per-sidecar container_name functions

Same line of cleanup as the supervise rename: the per-sidecar
container names (`claude-bottle-pipelock-<slug>`,
`claude-bottle-egress-<slug>`, `claude-bottle-git-gate-<slug>`)
were docker-network aliases pointing at the bundle, kept so legacy
URLs would keep resolving. Replaces them with short hostnames
(`pipelock`, `egress`, `git-gate`) matching the existing
`EGRESS_HOSTNAME` pattern, and inlines the bundle-loopback URL
(`http://127.0.0.1:8888`) for the in-bundle egress→pipelock hop —
matching what smolmachines already does.

Drops the three `*_container_name` functions, `pipelock_proxy_url`,
and `git_gate_host`. Their callers move to the new constants:
- `PIPELOCK_HOSTNAME = "pipelock"` (claude_bottle/pipelock.py)
- `GIT_GATE_HOSTNAME = "git-gate"` (claude_bottle/git_gate.py)
- `BUNDLE_LOCAL_PIPELOCK_URL` (backend/docker/pipelock.py)

The agent's HTTP_PROXY now reads `http://pipelock:8888` (vs the
old `http://claude-bottle-pipelock-<slug>:8888`); the gitconfig
insteadOf rewrites become `git://git-gate/<repo>.git`. The prepare-
time orphan probe is collapsed onto the bundle container name
(`claude-bottle-sidecars-<slug>`) instead of the four legacy
per-sidecar names that no backend creates anymore.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

tests/integration/test_sandbox_escape.py

@@ -402,7 +402,7 @@ class TestSandboxEscape(unittest.TestCase):
             ("aws",       "TEST_SECRET_AWS"),
             ("generic",   "TEST_SECRET_GENERIC"),
         ]
-        gate_host = f"claude-bottle-git-gate-{self._identity}"
+        gate_host = "git-gate"
 
         for name, var in shapes:
             with self.subTest(secret=name):

tests/unit/test_compose.py

@@ -112,7 +112,7 @@ def _egress_plan(routes: tuple[EgressRoute, ...] = ()) -> EgressPlan:
         mitmproxy_ca_host_path=STATE / "egress-ca" / "mitmproxy-ca.pem",
         mitmproxy_ca_cert_only_host_path=STATE / "egress-ca" / "ca.pem",
         pipelock_ca_host_path=STATE / "pipelock-ca" / "ca.pem",
-        pipelock_proxy_url=f"http://claude-bottle-pipelock-{SLUG}:8888",
+        pipelock_proxy_url="http://127.0.0.1:8888",
     )
 
 
@@ -221,7 +221,7 @@ class TestAgentAlwaysPresent(unittest.TestCase):
         proxy_lines = [e for e in env if e.startswith("HTTPS_PROXY=")]
         self.assertEqual(1, len(proxy_lines))
         self.assertEqual(
-            f"HTTPS_PROXY=http://claude-bottle-pipelock-{SLUG}:8888",
+            "HTTPS_PROXY=http://pipelock:8888",
             proxy_lines[0],
         )
 
@@ -304,12 +304,11 @@ class TestSidecarBundleShape(unittest.TestCase):
 
     def test_internal_aliases_cover_pipelock_and_egress_shortnames(self):
         # The agent's HTTPS_PROXY url references either `egress` or
-        # `pipelock` (long form). Both must resolve to the bundle.
+        # `pipelock`. Both must resolve to the bundle.
         sc = self._render()["services"]["sidecars"]
         aliases = set(sc["networks"]["internal"]["aliases"])
         self.assertIn("egress", aliases)
-        self.assertIn(f"claude-bottle-pipelock-{SLUG}", aliases)
-        self.assertIn(f"claude-bottle-egress-{SLUG}", aliases)
+        self.assertIn("pipelock", aliases)
 
     def test_internal_aliases_omit_inactive_sidecars(self):
         # With no git-gate / supervise, those names are NOT aliased
@@ -317,13 +316,13 @@ class TestSidecarBundleShape(unittest.TestCase):
         # listening inside the bundle.
         sc = self._render()["services"]["sidecars"]
         aliases = set(sc["networks"]["internal"]["aliases"])
-        self.assertNotIn(f"claude-bottle-git-gate-{SLUG}", aliases)
+        self.assertNotIn("git-gate", aliases)
         self.assertNotIn("supervise", aliases)
 
     def test_internal_aliases_include_active_sidecars(self):
         sc = self._render(with_git=True, supervise=True)["services"]["sidecars"]
         aliases = set(sc["networks"]["internal"]["aliases"])
-        self.assertIn(f"claude-bottle-git-gate-{SLUG}", aliases)
+        self.assertIn("git-gate", aliases)
         self.assertIn("supervise", aliases)
 
     def test_daemons_csv_lists_only_active(self):

tests/unit/test_provision_git.py

@@ -9,15 +9,15 @@ from tests.fixtures import fixture_minimal, fixture_with_git
 class TestGitGateGitconfigRender(unittest.TestCase):
     def test_empty_entries_renders_nothing(self):
         bottle = fixture_minimal().bottles["dev"]
-        self.assertEqual("", render_git_gate_gitconfig("demo", bottle.git))
+        self.assertEqual("", render_git_gate_gitconfig(bottle.git))
 
     def test_one_block_per_entry(self):
         bottle = fixture_with_git().bottles["dev"]
-        out = render_git_gate_gitconfig("demo", bottle.git)
+        out = render_git_gate_gitconfig(bottle.git)
         # Both entries map to a [url ...] block keyed on the gate's
-        # container hostname (claude-bottle-git-gate-<slug>).
+        # short network alias (`git-gate`) inside the sidecar bundle.
         self.assertIn(
-            '[url "git://claude-bottle-git-gate-demo/claude-bottle.git"]',
+            '[url "git://git-gate/claude-bottle.git"]',
             out,
         )
         self.assertIn(
@@ -25,7 +25,7 @@ class TestGitGateGitconfigRender(unittest.TestCase):
             "ssh://git@gitea.dideric.is:30009/didericis/claude-bottle.git",
             out,
         )
-        self.assertIn('[url "git://claude-bottle-git-gate-demo/foo.git"]', out)
+        self.assertIn('[url "git://git-gate/foo.git"]', out)
         self.assertIn(
             "\tinsteadOf = ssh://git@github.com/didericis/foo.git",
             out,
@@ -37,7 +37,7 @@ class TestGitGateGitconfigRender(unittest.TestCase):
         # gate push and leave fetch on the original URL — exactly the
         # v1 design we've moved past.
         bottle = fixture_with_git().bottles["dev"]
-        out = render_git_gate_gitconfig("demo", bottle.git)
+        out = render_git_gate_gitconfig(bottle.git)
         self.assertIn("\tinsteadOf", out)
         self.assertNotIn("pushInsteadOf", out)