refactor(agent): move placeholder env injection into agent_provision_plan

The has_provider_auth check and egress-placeholder injection were
duplicated in both backends. Move them into agent_provision_plan so
the provisioner owns that decision entirely:

- Replace has_provider_auth: bool param with manifest_egress_routes,
  compute has_provider_auth internally from the route roles.
- Inject CLAUDE_CODE_OAUTH_TOKEN=egress-placeholder inside the plan
  when has_provider_auth, alongside the existing nonessential-traffic
  vars. Backends no longer touch the placeholder env.
- Remove placeholder_env from AgentProviderRuntime; expose
  placeholder_env_for() for print_util's hide-from-summary logic.

Assisted-by: Claude Code

bot_bottle/backend/docker/prepare.py

@@ -168,19 +168,6 @@ def resolve_plan(
     # never lands on argv or in env_file) goes into one dict. Nothing
     # mutates the host os.environ.
     forwarded_env: dict[str, str] = dict(resolved.forwarded)
-    # Some provider CLIs refuse to start without *some* credential
-    # env var even when egress will strip + re-inject the real
-    # Authorization header. For those providers, auth_role names the
-    # route marker that enables a non-secret placeholder env. Codex is
-    # intentionally absent here: it should use its device/ChatGPT login
-    # state, and an OPENAI_API_KEY placeholder would force API-key auth.
-    has_provider_auth = any(
-        provider_runtime.auth_role
-        and provider_runtime.auth_role in r.roles
-        for r in egress_manifest_routes(bottle)
-    )
-    if has_provider_auth and provider_runtime.placeholder_env:
-        forwarded_env[provider_runtime.placeholder_env] = "egress-placeholder"
     _write_env_file(resolved, env_file)
     prompt_file.write_text(agent.prompt)
 
@@ -191,7 +178,7 @@ def resolve_plan(
         state_dir=agent_dir,
         guest_home=os.environ.get("BOT_BOTTLE_CONTAINER_HOME", "/home/node"),
         forward_host_credentials=provider.forward_host_credentials,
-        has_provider_auth=has_provider_auth,
+        manifest_egress_routes=egress_manifest_routes(bottle),
         host_env=dict(os.environ),
     )
     guest_env = dict(agent_provision.guest_env)

bot_bottle/backend/print_util.py

@@ -9,7 +9,7 @@ from __future__ import annotations
 
 from typing import Sequence
 
-from ..agent_provider import runtime_for
+from ..agent_provider import placeholder_env_for
 from ..log import info
 
 
@@ -41,5 +41,5 @@ def visible_agent_env_names(
     think a real key is entering the agent, so hide only the active
     provider-owned placeholder.
     """
-    hidden = {runtime_for(agent_provider_template).placeholder_env}
+    hidden = {placeholder_env_for(agent_provider_template)}
     return sorted({name for name in env_names if name and name not in hidden})

bot_bottle/backend/smolmachines/prepare.py

@@ -100,20 +100,6 @@ def resolve_plan(
     git_gate_dir.mkdir(parents=True, exist_ok=True)
     git_gate_plan = GitGate().prepare(bottle, slug, git_gate_dir)
 
-    # Some provider CLIs refuse to start without *some* credential
-    # env var even when egress will strip + re-inject the real
-    # Authorization header. For those providers, auth_role names the
-    # route marker that enables a non-secret placeholder env. Codex is
-    # intentionally absent here: it should use its device/ChatGPT login
-    # state, and an OPENAI_API_KEY placeholder would force API-key auth.
-    has_provider_auth = any(
-        provider_runtime.auth_role
-        and provider_runtime.auth_role in r.roles
-        for r in egress_manifest_routes(bottle)
-    )
-    if has_provider_auth and provider_runtime.placeholder_env:
-        guest_env[provider_runtime.placeholder_env] = "egress-placeholder"
-
     # Prompt file is always written (mode 0o600) so the in-VM
     # path always exists. Content is the agent's `prompt`
     # field (markdown body) — empty for agents with no prompt.
@@ -148,7 +134,7 @@ def resolve_plan(
         guest_home=os.environ.get("BOT_BOTTLE_GUEST_HOME", "/home/node"),
         guest_env=guest_env,
         forward_host_credentials=provider.forward_host_credentials,
-        has_provider_auth=has_provider_auth,
+        manifest_egress_routes=egress_manifest_routes(bottle),
         host_env=dict(os.environ),
     )
     merged_guest_env = dict(agent_provision.guest_env)