fix(ssh): tunnel ssh through pipelock so agents on --internal can reach git remotes

The agent container is on an --internal Docker network with no default
route — only the pipelock sidecar is reachable. HTTPS_PROXY routes
HTTP through pipelock, but raw TCP (e.g. SSH on port 30009) had no
egress path, so `git fetch` against any bottle.ssh entry failed with
"Network is unreachable".

Fix: tunnel SSH through pipelock's HTTP CONNECT proxy.
- lib/ssh.sh injects `ProxyCommand socat - PROXY:<pipelock>:%h:%p,proxyport=<n>`
  into each Host block in the in-container ~/.ssh/config. socat is
  already in the image (apt-installed for the ssh-agent forwarder).
- lib/pipelock.sh auto-adds each bottle.ssh[].Hostname to the effective
  allowlist so pipelock permits the CONNECT.
- cli.sh threads the pipelock host:port into ssh_setup.

Note: works for SSH hosts pipelock's SSRF layer doesn't block. CGNAT
(100.64.0.0/10) and other non-RFC1918 ranges should pass; if a future
host gets blocked, expose pipelock's trusted_domains as a follow-up.

Assisted-by: Claude Code
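As an added example (not the project's lib/ssh.sh or lib/pipelock.sh, whose exact functions are not shown on this page), the following shell script renders the `ProxyCommand socat - PROXY:<host>:%h:%p,proxyport=<n>` Host blocks described above and derives the CONNECT allowlist from the same entries. The `alias=hostname[:port]` entry format, the `pipelock:8080` sidecar address and the hosts in the sample are constructed for the example; it also rejects an empty or port-less proxy spec, since that would otherwise silently produce `PROXY::%h:%p,proxyport=`.

```shell
#!/bin/sh
# Example only: render ssh_config Host blocks that tunnel SSH through an
# HTTP CONNECT proxy with socat, plus the hostnames the proxy must allow.
# Entry format "alias=hostname[:port]" is an assumption of this example.
set -eu

# render_ssh_proxy_config PROXY_HOST:PROXY_PORT ENTRY...
# Prints one Host block per entry to stdout; fails on a malformed proxy spec.
render_ssh_proxy_config() {
  proxy=$1; shift
  proxy_host=${proxy%:*}
  proxy_port=${proxy##*:}
  # Guard: "", "pipelock" (no port) and "8080" (no host) are all rejected.
  case "$proxy_port" in
    ''|*[!0-9]*) echo "bad proxy spec '$proxy' (want host:port)" >&2; return 1 ;;
  esac
  if [ -z "$proxy_host" ] || [ "$proxy_host" = "$proxy" ]; then
    echo "bad proxy spec '$proxy' (want host:port)" >&2; return 1
  fi
  for entry in "$@"; do
    alias=${entry%%=*}
    target=${entry#*=}
    case "$target" in
      *:*) host=${target%:*}; port=${target##*:} ;;
      *)   host=$target;      port=22 ;;
    esac
    # %%h / %%p survive printf as the ssh_config tokens %h and %p, so the
    # CONNECT request targets the real Hostname:Port, not the alias.
    printf 'Host %s\n  Hostname %s\n  Port %s\n  ProxyCommand socat - PROXY:%s:%%h:%%p,proxyport=%s\n\n' \
      "$alias" "$host" "$port" "$proxy_host" "$proxy_port"
  done
}

# connect_allowlist ENTRY...
# Prints the distinct Hostnames the CONNECT proxy must permit, one per line.
connect_allowlist() {
  for entry in "$@"; do
    target=${entry#*=}
    case "$target" in
      *:*) printf '%s\n' "${target%:*}" ;;
      *)   printf '%s\n' "$target" ;;
    esac
  done | sort -u
}

# Constructed sample input: the sidecar address and two git remotes.
PROXY=pipelock:8080
ENTRIES='bottle=100.64.0.5:30009 gh=github.com'
render_ssh_proxy_config "$PROXY" $ENTRIES
echo "# allowlist:"
connect_allowlist $ENTRIES
```

To check the rendered file inside the container without opening a connection, `ssh -G bottle -F <rendered-config>` prints the effective `proxycommand` line with `%h` and `%p` already expanded, which is the quickest way to see which host and port the CONNECT request will carry.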
2026-05-08 01:39:08 -04:00
parent f6c943fcad
commit 8582e608af
3 changed files with 54 additions and 8 deletions
+3 -1
@@ -650,7 +650,9 @@ cmd_start() {
# Set up SSH keys and config.
if [ "${#SSH_ENTRIES[@]}" -gt 0 ]; then
ssh_setup "$CONTAINER" "$STAGE_DIR" "${SSH_ENTRIES[@]}"
local PIPELOCK_PROXY_HOST_PORT
PIPELOCK_PROXY_HOST_PORT="$(pipelock_proxy_host_port "$SLUG")"
ssh_setup "$CONTAINER" "$STAGE_DIR" "$PIPELOCK_PROXY_HOST_PORT" "${SSH_ENTRIES[@]}"
fi
# When --cwd is on, ship the host repo's .git directory in via `docker cp`
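Review bot: the value from `pipelock_proxy_host_port "$SLUG"` is handed straight to `ssh_setup` with no non-empty check; if the sidecar is not up yet or the helper prints nothing, ssh_setup will inject a ProxyCommand with an empty proxy host into every Host block and `git fetch` will fail with a less obvious error than the "Network is unreachable" this commit is fixing. Suggest guarding before the call, e.g. `[ -n "$PIPELOCK_PROXY_HOST_PORT" ] || die "pipelock proxy address unavailable for $SLUG"`. Also, because the new argument is positional and sits in front of `"${SSH_ENTRIES[@]}"`, any other caller still using the old `ssh_setup "$CONTAINER" "$STAGE_DIR" "${SSH_ENTRIES[@]}"` form would have its first SSH entry consumed as the proxy address; worth confirming none remain in the tree.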