feat(git-gate): remove git remote host override plumbing

bot_bottle/manifest.py

@@ -71,13 +71,6 @@ class GitEntry:
     upstream after gitleaks passes. The agent itself never holds the
     upstream credential.
 
-    `ExtraHosts` is an optional `{hostname: ip}` map injected into the
-    gate container's `/etc/hosts` via `--add-host`. Use it when the
-    Upstream's hostname isn't resolvable from the gate (e.g. a
-    Tailscale-only host whose public DNS A record points elsewhere):
-    the agent's `insteadOf` rewrite still matches the original
-    hostname, but the gate routes to the right IP.
-
     The Upstream URL is parsed once at construction and the pieces are
     stashed in the `Upstream*` fields so the git-gate render step
     doesn't have to re-parse."""
@@ -86,7 +79,6 @@ class GitEntry:
     Upstream: str
     IdentityFile: str
     KnownHostKey: str = ""
-    ExtraHosts: Mapping[str, str] = field(default_factory=_empty_str_dict)
     RemoteKey: str = ""
     UpstreamUser: str = ""
     UpstreamHost: str = ""
@@ -139,10 +131,6 @@ class GitEntry:
             d.get("KnownHostKey"),
             f"bottle '{bottle_name}' {label} '{name}' KnownHostKey",
         )
-        extra_hosts = _opt_extra_hosts(
-            d.get("ExtraHosts"),
-            f"bottle '{bottle_name}' {label} '{name}' ExtraHosts",
-        )
         user, host, port, path = _parse_git_upstream(
             upstream, f"bottle '{bottle_name}' {label} '{name}' Upstream"
         )
@@ -160,7 +148,6 @@ class GitEntry:
             Upstream=upstream,
             IdentityFile=ident,
             KnownHostKey=khk,
-            ExtraHosts=extra_hosts,
             RemoteKey=host_key or host,
             UpstreamUser=user,
             UpstreamHost=host,
@@ -978,26 +965,6 @@ def _opt_str(value: object, label: str) -> str:
     return value
 
 
-def _opt_extra_hosts(value: object, label: str) -> dict[str, str]:
-    """Validate a `{hostname: ip}` object and return a plain dict. None
-    yields an empty dict so callers can treat ExtraHosts as always
-    present. IP format is not checked here; docker validates at
-    `--add-host` time."""
-    if value is None:
-        return {}
-    obj = _as_json_object(value, label)
-    out: dict[str, str] = {}
-    for host, ip in obj.items():
-        if not host:
-            raise ManifestError(f"{label} contains an empty hostname key")
-        if not isinstance(ip, str):
-            raise ManifestError(f"{label}['{host}'] must be a string (was {type(ip).__name__})")
-        if not ip:
-            raise ManifestError(f"{label}['{host}'] must be a non-empty string")
-        out[host] = ip
-    return out
-
-
 def _parse_git_upstream(url: str, label: str) -> tuple[str, str, str, str]:
     """Parse `ssh://user@host[:port]/path` into (user, host, port, path).
     Dies if `url` doesn't match the ssh:// shape v1 supports. Default