feat(egress-proxy): retarget remediation at egress-proxy (PRD 0017 chunk 3)

Finishes PRD 0017. The `cred-proxy-block` MCP tool is renamed and
its remediation apply path is repointed at egress-proxy.

  - `claude_bottle/supervise.py` — `TOOL_CRED_PROXY_BLOCK` →
    `TOOL_EGRESS_PROXY_BLOCK`; `COMPONENT_FOR_TOOL` maps the new
    tool ID to `egress-proxy` for audit-log routing.

  - `claude_bottle/supervise_server.py` — tool definition renamed
    + description rewritten: "Call when egress-proxy refused your
    HTTPS request ... Read the current routes.yaml from /etc/
    claude-bottle/current-config/routes.yaml, compose a modified
    version, pass the full new file plus a justification." The
    syntactic validator dispatches on the new tool ID.

  - `claude_bottle/backend/docker/egress_proxy_apply.py` — renamed
    from `cred_proxy_apply.py`. Reads routes.yaml from
    /etc/egress-proxy/routes.yaml via `docker exec cat`; validates
    via `egress_proxy_addon_core.load_routes` (so both sides use
    the same parser); writes via `docker cp`; SIGHUPs egress-proxy
    with `docker kill --signal HUP`. `EgressProxyApplyError`
    replaces `CredProxyApplyError`.

  - `claude_bottle/cli/dashboard.py` — wires the new apply +
    `discover_egress_proxy_slugs` helper; the operator-initiated
    `routes edit <bottle>` verb now writes to egress-proxy with
    `.yaml` suffix. Stale follow-up comment about path-aware
    filtering removed — PRD 0017 settled that question.

  - `tests/integration/test_supervise_sidecar.py` — restores the
    approval round-trip test (chunk 2 had switched it to a reject
    path because no cred-proxy existed). Approval stubs
    `apply_routes_change` so the test focuses on the supervise
    queue/response plumbing rather than docker-exec into a real
    egress-proxy sidecar (that's covered separately).

  - `tests/unit/test_egress_proxy_apply.py` — rewritten against
    the new validator; covers JSON shape, missing routes key,
    partial-auth-pair rejection (the addon-core parser catches
    these before SIGHUP).

  - PRDs 0010 + 0014 — status headers updated to
    Superseded / Retargeted with a callout block pointing at PRD
    0017's migration section. Historical text preserved.

384 unit + integration tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/supervise_server.py

@@ -1,6 +1,6 @@
 """Supervise sidecar HTTP server (PRD 0013).
 
-Per-bottle MCP server exposing three tools — `cred-proxy-block`,
+Per-bottle MCP server exposing three tools — `egress-proxy-block`,
 `pipelock-block`, `capability-block` — that the agent calls to
 propose config changes when stuck. Each tool call:
 
@@ -128,26 +128,27 @@ def jsonrpc_error(request_id: object, code: int, message: str) -> bytes:
 
 TOOL_DEFINITIONS: list[dict[str, object]] = [
     {
-        "name": _sv.TOOL_CRED_PROXY_BLOCK,
+        "name": _sv.TOOL_EGRESS_PROXY_BLOCK,
         "description": (
-            "Call when cred-proxy refused your HTTPS request — missing "
-            "route, expired token, wrong scope (typically a 403 or a "
-            "404 from `http://cred-proxy:<port>/<path>/`). Read the "
-            "current routes.json from "
-            "/etc/claude-bottle/current-config/routes.json, compose a "
-            "modified version with the route you need, and pass the "
-            "full new file plus a justification. The operator approves "
-            "or rejects in the supervise TUI. On approval the supervisor "
-            "writes the new routes.json on the host and SIGHUPs cred-proxy "
-            "(wired in PRD 0014; in the v1 supervise foundation the "
-            "approval is acknowledged but no config change runs)."
+            "Call when egress-proxy refused your HTTPS request — host "
+            "without a matching route, or a path outside the route's "
+            "path_allowlist (typically a 403 from the proxy). Read "
+            "the current routes.yaml from "
+            "/etc/claude-bottle/current-config/routes.yaml, compose "
+            "a modified version that adds or relaxes the route you "
+            "need, and pass the full new file plus a justification. "
+            "The operator approves or rejects in the supervise TUI. "
+            "On approval the supervisor writes the new routes.yaml "
+            "on the host and SIGHUPs egress-proxy (the addon's reload "
+            "swaps the route table atomically without dropping "
+            "in-flight connections)."
         ),
         "inputSchema": {
             "type": "object",
             "properties": {
                 "routes": {
                     "type": "string",
-                    "description": "Full proposed routes.json file content (JSON text).",
+                    "description": "Full proposed routes.yaml file content (JSON text — every JSON document is valid YAML).",
                 },
                 "justification": {
                     "type": "string",
@@ -226,15 +227,15 @@ TOOL_DEFINITIONS: list[dict[str, object]] = [
 # tool-specific payload (stored in Proposal.proposed_file as
 # free-form text the apply path interprets per tool).
 #
-#   cred-proxy-block: full proposed routes.json
-#   pipelock-block:   the full failed URL (scheme + host + path) —
-#                     supervisor extracts the host, merges into the
-#                     bottle's current allowlist; the path is shown
-#                     to the operator for context (pipelock doesn't
-#                     do path-level matching).
-#   capability-block: full proposed Dockerfile
+#   egress-proxy-block: full proposed routes.yaml
+#   pipelock-block:     the full failed URL (scheme + host + path) —
+#                       supervisor extracts the host, merges into the
+#                       bottle's current allowlist; the path is shown
+#                       to the operator for context (pipelock doesn't
+#                       do path-level matching).
+#   capability-block:   full proposed Dockerfile
 PROPOSED_FILE_FIELD: dict[str, str] = {
-    _sv.TOOL_CRED_PROXY_BLOCK: "routes",
+    _sv.TOOL_EGRESS_PROXY_BLOCK: "routes",
     _sv.TOOL_PIPELOCK_BLOCK: "failed_url",
     _sv.TOOL_CAPABILITY_BLOCK: "dockerfile",
 }
@@ -249,18 +250,18 @@ def validate_proposed_file(tool: str, content: str) -> None:
     enter the queue."""
     if not content.strip():
         raise _RpcError(ERR_INVALID_PARAMS, f"{tool}: proposed file is empty")
-    if tool == _sv.TOOL_CRED_PROXY_BLOCK:
+    if tool == _sv.TOOL_EGRESS_PROXY_BLOCK:
         try:
             parsed = json.loads(content)
         except json.JSONDecodeError as e:
             raise _RpcError(
                 ERR_INVALID_PARAMS,
-                f"{tool}: proposed routes.json is not valid JSON: {e}",
+                f"{tool}: proposed routes.yaml is not valid JSON: {e}",
             ) from e
         if not isinstance(parsed, dict) or not isinstance(parsed.get("routes"), list):
             raise _RpcError(
                 ERR_INVALID_PARAMS,
-                f"{tool}: proposed routes.json must be an object with a 'routes' array",
+                f"{tool}: proposed routes.yaml must be an object with a 'routes' array",
             )
     elif tool == _sv.TOOL_PIPELOCK_BLOCK:
         # `content` is the full failed URL. Require scheme + host so
@@ -505,7 +506,7 @@ def serve(
 
 
 def main(argv: list[str]) -> int:
-    del argv  # config is env-only, matches cred_proxy_server pattern
+    del argv  # config is env-only, no CLI flags
     bottle_slug = os.environ.get("SUPERVISE_BOTTLE_SLUG", "")
     if not bottle_slug:
         sys.stderr.write("supervise: SUPERVISE_BOTTLE_SLUG env is unset\n")