chore: remove all pipelock references from tests, docs, and non-pipelock source

- Strip pipelock from all unit and integration test fixtures:
  proxy_plan fields removed from DockerBottlePlan/SmolmachinesBottlePlan
  constructors; pipelock-specific test classes deleted or renamed
- Update test_sidecar_init: remove test_pipelock_loses_egress_tokens,
  rename "pipelock" daemon fixtures to "git-gate" throughout
- Remove test_pipelock_binary_present_and_versioned from integration test
- Remove test_pipelock_answers_on_bundle_ip from smolmachines launch test
- Update _SANDBOX_BLOCK_MARKERS: remove "pipelock" marker (egress blocks)
- Dockerfile.sidecars: remove pipelock build stage and COPY; update layout
  comments and port table
- egress_entrypoint.sh: update comments now that egress is sole proxy
- Clean up pipelock references in comments/docstrings across backend,
  network, manifest, supervise, git_gate, yaml_subset, agent_provider,
  sidecar_bundle, sidecar_init, egress_addon_core modules

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

bot_bottle/agent_provider.py

@@ -84,9 +84,9 @@ class AgentProvisionPlan:
     return the same shape without adding backend-plan fields.
 
     `egress_routes` are provider-declared EgressRoutes that backends
-    pass to `Egress.prepare` and `PipelockProxy.prepare`. This keeps
-    provider logic out of the egress and pipelock modules — they merge
-    provider routes generically without knowing the provider type.
+    pass to `Egress.prepare`. This keeps provider logic out of the
+    egress module — it merges provider routes generically without
+    knowing the provider type.
 
     `hidden_env_names` is the set of env var names the provider injected
     as non-secret placeholders. `print_util.visible_agent_env_names` uses

bot_bottle/backend/__init__.py

@@ -163,8 +163,8 @@ class ActiveAgent:
     bottle is the container, the agent is what runs in it.)
 
     Fields are deliberately backend-neutral. `services` is the set
-    of sidecar daemons currently up for this bottle (`pipelock`,
-    `egress`, `git-gate`, `supervise`); the dashboard uses it to
+    of sidecar daemons currently up for this bottle (`egress`,
+    `git-gate`, `supervise`); the dashboard uses it to
     gate edit verbs. `backend_name` is the matching key in
     `_BACKENDS` (`docker` / `smolmachines`) — used by the active-
     list rendering to disambiguate and by the dashboard's
@@ -213,7 +213,7 @@ class Bottle(ABC):
         `user` (default `node`, matching the agent image's USER
         directive) and return the captured stdout/stderr/returncode.
         The bottle's environment (including HTTPS_PROXY pointing at
-        the pipelock sidecar) is inherited by the child. Non-zero
+        the egress sidecar) is inherited by the child. Non-zero
         exit does not raise — callers inspect `returncode`
         themselves.
 
@@ -352,8 +352,8 @@ class BottleBackend(ABC, Generic[PlanT, CleanupT]):
 
     def provision_ca(self, plan: PlanT, bottle: "Bottle") -> None:
         """Install the per-bottle CA into the agent's trust store so
-        the agent trusts the bumped CONNECT cert egress (was
-        pipelock, pre-PRD-0017) presents. Default impl is a no-op so
+        the agent trusts the bumped CONNECT cert egress presents.
+        Default impl is a no-op so
         backends that don't yet support TLS interception (every backend
         except Docker today) aren't forced to implement it. The Docker
         backend overrides to docker-cp the cert in and run

bot_bottle/backend/docker/__init__.py

@@ -4,7 +4,6 @@ The bulk of the implementation lives in sibling modules:
 
   - util:                 thin Docker subprocess wrappers
   - network:              Docker network plumbing
-  - pipelock:             DockerPipelockProxy lifecycle
   - bottle_plan:          DockerBottlePlan
   - bottle_cleanup_plan:  DockerBottleCleanupPlan
   - bottle:               DockerBottle handle

bot_bottle/backend/docker/bottle_state.py

@@ -56,8 +56,8 @@ _AGENT_SUBDIR = "agent"
 _METADATA_NAME = "metadata.json"
 # Live-config dir bind-mounted into the supervise sidecar (read-only).
 # Host's apply paths keep these files fresh so supervise's
-# `list-pipelock-allowlist` / `list-egress-routes` MCP tools
-# return the current state — not a snapshot from launch time.
+# `list-egress-routes` MCP tool returns the current state —
+# not a snapshot from launch time.
 _LIVE_CONFIG_SUBDIR = "live-config"
 LIVE_CONFIG_ROUTES_NAME = "routes.yaml"
 LIVE_CONFIG_ALLOWLIST_NAME = "allowlist"

bot_bottle/backend/docker/compose.py

@@ -50,6 +50,7 @@ from .git_gate import (
     GIT_GATE_ENTRYPOINT_IN_CONTAINER,
     GIT_GATE_HOOK_IN_CONTAINER,
 )
+from . import network as network_mod
 from .sidecar_bundle import (
     SIDECAR_BUNDLE_DOCKERFILE,
     SIDECAR_BUNDLE_IMAGE,
@@ -91,11 +92,11 @@ def _networks(plan: DockerBottlePlan) -> dict[str, Any]:
     bridge."""
     return {
         "internal": {
-            "name": plan.proxy_plan.internal_network,
+            "name": network_mod.network_name_for_slug(plan.slug),
             "internal": True,
         },
         "egress": {
-            "name": plan.proxy_plan.egress_network,
+            "name": network_mod.network_egress_name_for_slug(plan.slug),
         },
     }
 
@@ -131,11 +132,9 @@ def _sidecar_bundle_service(plan: DockerBottlePlan) -> dict[str, Any]:
 
     # --- egress -------------------------------------------------------
     ep = plan.egress_plan
+    volumes.append(_bind(ep.mitmproxy_ca_host_path, EGRESS_CA_IN_CONTAINER))
     if ep.routes:
-        volumes += [
-            _bind(ep.routes_path, EGRESS_ROUTES_IN_CONTAINER),
-            _bind(ep.mitmproxy_ca_host_path, EGRESS_CA_IN_CONTAINER),
-        ]
+        volumes.append(_bind(ep.routes_path, EGRESS_ROUTES_IN_CONTAINER))
         for token_env in sorted(ep.token_env_map.keys()):
             env.append(token_env)
 

bot_bottle/backend/docker/launch.py

@@ -116,15 +116,13 @@ def launch(
                 internal_network=internal_network,
                 egress_network=egress_network,
             )
-        egress_plan = plan.egress_plan
-        if egress_plan.routes:
-            egress_plan = dataclasses.replace(
-                egress_plan,
-                internal_network=internal_network,
-                egress_network=egress_network,
-                mitmproxy_ca_host_path=egress_ca_host,
-                mitmproxy_ca_cert_only_host_path=egress_ca_cert_only,
-            )
+        egress_plan = dataclasses.replace(
+            plan.egress_plan,
+            internal_network=internal_network,
+            egress_network=egress_network,
+            mitmproxy_ca_host_path=egress_ca_host,
+            mitmproxy_ca_cert_only_host_path=egress_ca_cert_only,
+        )
         supervise_plan = plan.supervise_plan
         if supervise_plan is not None:
             supervise_plan = dataclasses.replace(

bot_bottle/backend/docker/network.py

@@ -1,11 +1,10 @@
 """Docker network plumbing for the per-agent egress topology.
 
 The agent container sits on a Docker `--internal` network (no default
-gateway). Pipelock straddles that network and a per-agent user-defined
-bridge for upstream egress. We deliberately do NOT use Docker's legacy
+gateway). Egress straddles that network and a per-agent user-defined
+bridge for upstream traffic. We deliberately do NOT use Docker's legacy
 `bridge` network because only user-defined bridges run Docker's
-embedded DNS resolver, which pipelock needs to resolve api.anthropic.com
-and similar upstream hostnames.
+embedded DNS resolver, which egress needs to resolve upstream hostnames.
 
 Naming: bot-bottle-net-<slug> (internal),
 bot-bottle-egress-<slug> (egress). Numeric suffix on conflict
@@ -77,20 +76,12 @@ def network_create_internal(slug: str) -> str:
 
 def network_create_egress(slug: str) -> str:
     """Create a per-agent user-defined bridge (NOT the legacy `bridge`)
-    so the pipelock sidecar has working DNS for upstream hostnames."""
+    so the egress sidecar has working DNS for upstream hostnames."""
     return _network_create_with_prefix(network_egress_name_for_slug(slug), internal=False)
 
 
 def network_inspect_cidr(name: str) -> str:
-    """Return the IPv4 CIDR Docker assigned to a user-defined network.
-
-    Used by pipelock's SSRF guard exception: the bottle's internal
-    network sits in RFC1918 space, so pipelock's `internal:` list
-    would block any agent request whose destination resolves there
-    — including the cred-proxy sidecar's address. Adding the
-    network's CIDR to pipelock's `ssrf.ip_allowlist` lets traffic
-    targeted at the bottle's own sidecars through while pipelock
-    still body-scans and api_allowlist-gates as usual."""
+    """Return the IPv4 CIDR Docker assigned to a user-defined network."""
     result = subprocess.run(
         ["docker", "network", "inspect",
          "--format", "{{range .IPAM.Config}}{{.Subnet}}{{end}}", name],

bot_bottle/backend/docker/prepare.py

@@ -200,10 +200,9 @@ def resolve_plan(
         # root; for `--cwd` derived images the base Dockerfile is what
         # the agent should propose changes against (the derived layer
         # is just a workspace copy).
-        # (routes.yaml + pipelock allowlist used to land here too but
-        # PRD 0017 chunk 3 moved them behind the
-        # `list-egress-routes` MCP tool so the agent gets live
-        # state rather than a launch-time snapshot.)
+        # (routes.yaml used to land here too but PRD 0017 chunk 3
+        # moved it behind the `list-egress-routes` MCP tool so the
+        # agent gets live state rather than a launch-time snapshot.)
         supervise_dockerfile_path = (
             Path(dockerfile_path)
             if dockerfile_path

bot_bottle/backend/docker/provision/ca.py

@@ -1,19 +1,8 @@
-"""Install the per-bottle MITM CA into the agent container's trust
-store.
+"""Install the per-bottle egress MITM CA into the agent container's
+trust store.
 
-Post-PRD-0017 the CA depends on the agent's HTTP_PROXY target:
-
-  - Bottle declares `egress.routes[]` → agent's HTTP_PROXY
-    points at egress; the cert the agent must trust is the
-    one egress mints leaf certs with (the egress CA).
-  - No egress routes → agent's HTTP_PROXY points straight at
-    pipelock; the cert the agent must trust is pipelock's CA (the
-    pre-cutover behavior).
-
-By the time this provisioner runs, the corresponding `tls_init`
-helper has generated the chosen CA under `plan.stage_dir`, and the
-sidecar (pipelock or egress) is up referencing the
-in-container CA paths.
+By the time this provisioner runs, `egress_tls_init` has generated
+the egress CA and the path is re-bound into `plan.egress_plan`.
 
 Cert lands on Debian's standard source path
 (`/usr/local/share/ca-certificates/`); `update-ca-certificates`
@@ -40,7 +29,7 @@ def provision_ca(plan: DockerBottlePlan, bottle: Bottle) -> None:
     """Copy the agent-facing CA cert into the agent, rebuild the
     trust bundle, emit a one-line fingerprint log. Called from
     `BottleBackend.provision` after the agent container is up."""
-    cert_host_path, label = select_ca_cert(plan.egress_plan, plan.proxy_plan)
+    cert_host_path, label = select_ca_cert(plan.egress_plan)
 
     bottle.cp_in(str(cert_host_path), AGENT_CA_PATH)
     bottle.exec(

bot_bottle/backend/docker/sidecar_bundle.py

@@ -2,10 +2,10 @@
 (PRD 0024).
 
 The bundle image (built by Dockerfile.sidecars, PRD 0024 chunk 1)
-runs pipelock + egress + git-gate + supervise as one container
-per bottle under a small Python init supervisor. As of chunk 5
-the bundle is the only shape — the legacy four-sidecar topology
-and its `BOT_BOTTLE_SIDECAR_BUNDLE` feature flag are gone."""
+runs egress + git-gate + supervise as one container per bottle
+under a small Python init supervisor. As of chunk 5 the bundle
+is the only shape — the legacy four-sidecar topology and its
+`BOT_BOTTLE_SIDECAR_BUNDLE` feature flag are gone."""
 
 from __future__ import annotations
 

bot_bottle/backend/smolmachines/bottle_plan.py

@@ -12,7 +12,6 @@ from dataclasses import dataclass
 from pathlib import Path
 
 from ...agent_provider import PromptMode
-from ...pipelock import PipelockProxyPlan
 from .. import BottlePlan
 
 
@@ -71,7 +70,6 @@ class SmolmachinesBottlePlan(BottlePlan):
     # docker's `--internal` + egress bridge topology; it's on a
     # per-bottle bridge with a pinned IP. The unused fields stay
     # at their dataclass defaults.
-    proxy_plan: PipelockProxyPlan
     # Agent-side endpoints. On Docker Desktop the docker bridge
     # IPs aren't reachable from the smolvm guest (TSI uses macOS
     # networking; docker container IPs live in the daemon's VM),

bot_bottle/backend/smolmachines/enumerate.py

@@ -69,8 +69,8 @@ def enumerate_active() -> list[ActiveAgent]:
 
 
 def _query_bundle_services() -> dict[str, tuple[str, ...]]:
-    """`{slug: ('egress', 'pipelock', ...)}` from each running
-    bundle container's `BOT_BOTTLE_SIDECAR_DAEMONS` env var.
+    """`{slug: ('egress', ...)}` from each running bundle container's
+    `BOT_BOTTLE_SIDECAR_DAEMONS` env var.
     Smolmachines bundles all run the PRD-0024 image with the
     same daemon set declared via env, so one inspect per bundle
     gets us the picture without exec'ing into the container.

bot_bottle/backend/smolmachines/launch.py

@@ -9,13 +9,9 @@ guest pointed at the bundle's pinned IP via TSI's
 exit.
 
 The bundle's daemons consume the inner Plans the docker backend
-already produces: pipelock reads its yaml + CA from the
-PipelockProxyPlan; egress reads routes + CAs from the EgressPlan
-+ EGRESS_UPSTREAM_PROXY pointing at `127.0.0.1:8888` (bundle
-local), since the agent dials pipelock first (not egress) on the
-smolmachines path. Git-gate + supervise plumb through the same
-plans the docker backend uses, minus the docker-network fields
-that don't apply here."""
+already produces: egress reads routes + CAs from the EgressPlan.
+Git-gate + supervise plumb through the same plans the docker
+backend uses, minus the docker-network fields that don't apply here."""
 
 from __future__ import annotations
 
@@ -29,16 +25,11 @@ from ...egress import (
     EGRESS_ROUTES_IN_CONTAINER,
     egress_resolve_token_values,
 )
-from ...pipelock import (
-    PIPELOCK_CA_CERT_IN_CONTAINER,
-    PIPELOCK_CA_KEY_IN_CONTAINER,
-)
 from ...supervise import QUEUE_DIR_IN_CONTAINER, SUPERVISE_PORT
 from ...util import expand_tilde
 from ..docker import util as docker_mod
 from ..docker.egress import (
     EGRESS_CA_IN_CONTAINER,
-    EGRESS_PIPELOCK_CA_IN_CONTAINER,
     EGRESS_PORT as _EGRESS_PORT,
     egress_tls_init,
 )
@@ -48,14 +39,9 @@ from ..docker.git_gate import (
     GIT_GATE_ENTRYPOINT_IN_CONTAINER,
     GIT_GATE_HOOK_IN_CONTAINER,
 )
-from ..docker.pipelock import (
-    BUNDLE_LOCAL_PIPELOCK_URL,
-    PIPELOCK_PORT as _PIPELOCK_PORT_STR,
-    pipelock_tls_init,
-)
 from ...git_gate import revoke_git_gate_provisioned_keys
 from ...log import warn
-from ..docker.bottle_state import git_gate_state_dir
+from ..docker.bottle_state import egress_state_dir, git_gate_state_dir
 from . import loopback_alias as _loopback
 from . import sidecar_bundle as _bundle
 from . import smolvm as _smolvm
@@ -78,9 +64,7 @@ _SMOLMACHINE_CACHE_DIR = Path.home() / ".cache" / "bot-bottle" / "smolmachines"
 # Container-internal listening ports for each bundle daemon. The
 # bundle publishes each one on a random host loopback port (see
 # `_bundle.start_bundle`), and `_bundle.bundle_host_port` looks
-# them up post-start. Pipelock's port is an env-overridable string
-# in docker.pipelock; coerce to int here.
-_PIPELOCK_PORT = int(_PIPELOCK_PORT_STR)
+# them up post-start.
 _GIT_HTTP_PORT = 9420
 _SUPERVISE_PORT = SUPERVISE_PORT
 
@@ -167,33 +151,16 @@ def _allocate_resources(
 
 
 def _mint_certs(plan: SmolmachinesBottlePlan) -> SmolmachinesBottlePlan:
-    """Mint per-bottle CAs and return the plan with CA paths filled.
-
-    Pipelock always runs in the bundle. Egress's CA is only minted
-    when the bottle declares routes — otherwise egress runs idle
-    without MITM and the CA files would be unused."""
-    ca_cert_host, ca_key_host = pipelock_tls_init(plan.proxy_plan.yaml_path.parent)
-    proxy_plan = dataclasses.replace(
-        plan.proxy_plan,
-        ca_cert_host_path=ca_cert_host,
-        ca_key_host_path=ca_key_host,
+    """Mint the egress MITM CA and return the plan with CA paths filled."""
+    egress_ca_host, egress_ca_cert_only = egress_tls_init(
+        egress_state_dir(plan.slug),
     )
-    egress_plan = plan.egress_plan
-    if egress_plan.routes:
-        egress_ca_host, egress_ca_cert_only = egress_tls_init(
-            plan.egress_plan.routes_path.parent,
-        )
-        egress_plan = dataclasses.replace(
-            egress_plan,
-            mitmproxy_ca_host_path=egress_ca_host,
-            mitmproxy_ca_cert_only_host_path=egress_ca_cert_only,
-            pipelock_ca_host_path=ca_cert_host,
-            # On smolmachines, egress's upstream is pipelock on the
-            # bundle's localhost — they're in the same container's
-            # network namespace.
-            pipelock_proxy_url=BUNDLE_LOCAL_PIPELOCK_URL,
-        )
-    return dataclasses.replace(plan, proxy_plan=proxy_plan, egress_plan=egress_plan)
+    egress_plan = dataclasses.replace(
+        plan.egress_plan,
+        mitmproxy_ca_host_path=egress_ca_host,
+        mitmproxy_ca_cert_only_host_path=egress_ca_cert_only,
+    )
+    return dataclasses.replace(plan, egress_plan=egress_plan)
 
 
 def _start_bundle(
@@ -224,17 +191,10 @@ def _discover_urls(
     macOS networking, and macOS sees the daemon's bridge via the
     published-port loopback forward only.
 
-    Proxy hop order: when the bottle declares egress routes, the
-    agent's first hop is egress (for token injection), then
-    pipelock. Without routes, the agent dials pipelock directly.
     NO_PROXY includes the per-bottle loopback alias so the
     supervise + git-gate URLs bypass HTTPS_PROXY."""
-    if plan.egress_plan.routes:
-        agent_facing_port = _EGRESS_PORT
-    else:
-        agent_facing_port = _PIPELOCK_PORT
     agent_facing_host_port = _bundle.bundle_host_port(
-        plan.slug, agent_facing_port, host_ip=loopback_ip,
+        plan.slug, _EGRESS_PORT, host_ip=loopback_ip,
     )
     agent_proxy_url = f"http://{loopback_ip}:{agent_facing_host_port}"
 
@@ -328,8 +288,7 @@ def _bundle_launch_spec(
     """Build a BundleLaunchSpec from the resolved inner Plans.
 
     Daemons in the CSV:
-      - egress + pipelock are always present (pipelock is the
-        agent's first hop; egress is its upstream).
+      - egress is always present.
       - git-gate + git-http are conditional on plan.git_gate_plan.upstreams.
       - supervise is conditional on plan.supervise_plan.
 
@@ -337,36 +296,15 @@ def _bundle_launch_spec(
     daemon-private values only (HTTPS_PROXY is scoped to the
     egress process by egress_entrypoint.sh — see PRD 0024's bundle
     bind-address PR)."""
-    daemons: list[str] = ["egress", "pipelock"]
+    daemons: list[str] = ["egress"]
     env: list[str] = []
     volumes: list[tuple[str, str, bool]] = []
 
-    # In this Docker-Desktop-compatible topology, whichever daemon
-    # is "agent-facing" gets its port published on the host
-    # loopback (see `_ensure_smolmachine`'s discovery loop) and the
-    # other stays bundle-internal. The bundle is NOT reachable by
-    # bridge IP from the smolvm guest on macOS — TSI uses macOS
-    # networking, and macOS sees the daemon's bridge via the
-    # published-port loopback forward only.
-
-    # --- pipelock ---------------------------------------------
-    pp = plan.proxy_plan
-    volumes += [
-        (str(pp.yaml_path), "/etc/pipelock.yaml", True),
-        (str(pp.ca_cert_host_path), PIPELOCK_CA_CERT_IN_CONTAINER, True),
-        (str(pp.ca_key_host_path), PIPELOCK_CA_KEY_IN_CONTAINER, True),
-    ]
-
     # --- egress -----------------------------------------------
     ep = plan.egress_plan
+    volumes.append((str(ep.mitmproxy_ca_host_path), EGRESS_CA_IN_CONTAINER, True))
     if ep.routes:
-        env.append(f"EGRESS_UPSTREAM_PROXY={ep.pipelock_proxy_url}")
-        env.append(f"EGRESS_UPSTREAM_CA={EGRESS_PIPELOCK_CA_IN_CONTAINER}")
-        volumes += [
-            (str(ep.routes_path), EGRESS_ROUTES_IN_CONTAINER, True),
-            (str(ep.mitmproxy_ca_host_path), EGRESS_CA_IN_CONTAINER, True),
-            (str(ep.pipelock_ca_host_path), EGRESS_PIPELOCK_CA_IN_CONTAINER, True),
-        ]
+        volumes.append((str(ep.routes_path), EGRESS_ROUTES_IN_CONTAINER, True))
         # Bare-name entries for upstream-token slots. Their values
         # come from the docker-run subprocess env (inherited from
         # the operator's shell), never landing on argv.
@@ -409,14 +347,8 @@ def _bundle_launch_spec(
 
     # Container ports the agent reaches from the smolvm guest —
     # published on host loopback so the guest can dial via TSI +
-    # macOS networking. The HTTP/HTTPS chokepoint is whichever
-    # daemon's port we publish: egress when routes are declared
-    # (token injection first, then forwards to bundle-internal
-    # pipelock), pipelock otherwise.
-    if ep.routes:
-        ports_to_publish: list[int] = [_EGRESS_PORT]
-    else:
-        ports_to_publish = [_PIPELOCK_PORT]
+    # macOS networking. Egress is always the agent's HTTP/HTTPS proxy.
+    ports_to_publish: list[int] = [_EGRESS_PORT]
     if gp.upstreams:
         ports_to_publish.append(_GIT_HTTP_PORT)
     if sp is not None:

bot_bottle/backend/smolmachines/local_registry.py

@@ -48,7 +48,7 @@ from ...log import die
 
 
 # registry:2.8.3, pinned by digest. Same env-override pattern as the
-# pipelock image pin in bot_bottle/backend/docker/pipelock.py.
+# sidecar image pin in bot_bottle/backend/docker/sidecar_bundle.py.
 REGISTRY_IMAGE = os.environ.get(
     "BOT_BOTTLE_REGISTRY_IMAGE",
     "registry@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373",

bot_bottle/backend/smolmachines/prepare.py

@@ -23,24 +23,21 @@ from ...backend.docker.bottle_state import (
     bottle_identity,
     egress_state_dir,
     git_gate_state_dir,
-    pipelock_state_dir,
     supervise_state_dir,
     write_metadata,
 )
 from ...egress import Egress
 from ...env import resolve_env
 from ...git_gate import GitGate
-from ...pipelock import PipelockProxy
 from ...supervise import Supervise
 from ...workspace import workspace_plan as resolve_workspace_plan
 from .bottle_plan import SmolmachinesBottlePlan
 from .util import smolmachines_bundle_subnet, smolmachines_preflight
 
 
-# Gateway ports the bundle exposes inside its container — pipelock
-# HTTPS proxy, git-gate's git-daemon, supervise's MCP. The agent
-# inside the smolvm guest dials these on the bundle's pinned IP.
-_BUNDLE_PIPELOCK_PORT = 8888
+# Gateway ports the bundle exposes inside its container — git-gate's
+# git-daemon, supervise's MCP. The agent inside the smolvm guest
+# dials these on the bundle's pinned IP.
 _BUNDLE_GIT_GATE_PORT = 9418
 _BUNDLE_SUPERVISE_PORT = 9100
 
@@ -145,18 +142,6 @@ def resolve_plan(
         merged_guest_env.setdefault(key, val)
     agent_provision = replace(agent_provision, guest_env=merged_guest_env)
 
-    # Inner Plans for the four bundle daemons. The ABCs are
-    # platform-neutral — `.prepare()` writes config files + returns
-    # a Plan dataclass with no backend-specific assumptions. State
-    # dirs are still keyed by slug under the docker backend's
-    # bottle_state layout (shared on-host convention; not a docker
-    # dependency).
-    pipelock_dir = pipelock_state_dir(slug)
-    pipelock_dir.mkdir(parents=True, exist_ok=True)
-    proxy_plan = PipelockProxy().prepare(
-        bottle, slug, pipelock_dir, agent_provision.egress_routes,
-    )
-
     egress_dir = egress_state_dir(slug)
     egress_dir.mkdir(parents=True, exist_ok=True)
     egress_plan = Egress().prepare(
@@ -181,7 +166,6 @@ def resolve_plan(
         agent_image_ref=agent_image_ref,
         guest_env=agent_provision.guest_env,
         prompt_file=prompt_file,
-        proxy_plan=proxy_plan,
         git_gate_plan=git_gate_plan,
         egress_plan=egress_plan,
         supervise_plan=supervise_plan,

bot_bottle/backend/smolmachines/provision/ca.py

@@ -1,13 +1,10 @@
-"""Install the per-bottle MITM CA into the smolmachines guest's
-trust store (PRD 0023 chunk 4d).
+"""Install the per-bottle egress MITM CA into the smolmachines
+guest's trust store (PRD 0023 chunk 4d).
 
-Mirrors `backend.docker.provision.ca`: select the right CA (egress
-when the bottle has routes, else pipelock), copy it to Debian's
-`/usr/local/share/ca-certificates/` path,
+Mirrors `backend.docker.provision.ca`: copy the egress CA to
+Debian's `/usr/local/share/ca-certificates/` path,
 `update-ca-certificates` to rebuild the trust bundle, and log the
-fingerprint once. The selected cert depends on the agent's
-HTTP_PROXY target — same logic as the docker backend, since the
-agent dials the same daemons through the same bundle.
+fingerprint once.
 
 `smolvm machine exec` runs commands as root in the VM (no `-u`
 flag exists; the VM init is root), so we don't need the explicit
@@ -35,7 +32,7 @@ def provision_ca(plan: SmolmachinesBottlePlan, bottle: Bottle) -> None:
     """Copy the agent-facing CA cert into the guest, rebuild the
     trust bundle, emit a one-line fingerprint log. Called from
     `BottleBackend.provision` after the smolvm guest is up."""
-    cert_host_path, label = select_ca_cert(plan.egress_plan, plan.proxy_plan)
+    cert_host_path, label = select_ca_cert(plan.egress_plan)
 
     bottle.cp_in(str(cert_host_path), AGENT_CA_PATH)
     # Mode 0644 — readable to non-root tools in the guest.

bot_bottle/backend/smolmachines/sidecar_bundle.py

@@ -19,7 +19,7 @@ This module ships the lifecycle primitives only — create
 network, start bundle, stop bundle, remove network — wrapped
 around `subprocess.run(["docker", ...])`. Wiring them into the
 launch flow + populating the `BundleLaunchSpec` from the inner
-Plans (PipelockProxyPlan, EgressPlan, …) lands in chunk 2d."""
+Plans (EgressPlan, …) lands in chunk 2d."""
 
 from __future__ import annotations
 
@@ -69,7 +69,7 @@ class BundleLaunchSpec:
     # Daemon subset CSV for BOT_BOTTLE_SIDECAR_DAEMONS. The
     # supervisor inside the bundle reads it to skip
     # bottle-irrelevant daemons (e.g. supervise=False bottles).
-    daemons_csv: str = "egress,pipelock"
+    daemons_csv: str = "egress"
     # Plain "KEY=VALUE" strings + "KEY" bare names (the bare-name
     # form inherits the value from the docker-run subprocess env,
     # matching the docker backend's compose-up secret-forwarding

bot_bottle/backend/util.py

@@ -14,7 +14,6 @@ from ..log import die, info
 
 if TYPE_CHECKING:
     from ..egress import EgressPlan
-    from ..pipelock import PipelockProxyPlan
 
 
 # Debian-family CA layout, shared by every backend (all guest images
@@ -35,35 +34,20 @@ def host_skill_dir(name: str) -> str:
     return f"{home}/.claude/skills/{name}"
 
 
-def select_ca_cert(
-    egress_plan: EgressPlan, proxy_plan: PipelockProxyPlan
-) -> tuple[Path, str]:
-    """Pick the agent-facing CA cert (and a short label for the log
-    line) that matches the proxy the agent's HTTP_PROXY points at.
-    Egress wins when the bottle declares any routes (it sits in front
-    of pipelock); else pipelock.
+def select_ca_cert(egress_plan: EgressPlan) -> tuple[Path, str]:
+    """Return the egress MITM CA cert path and label for provision_ca.
 
-    Shared by every backend's `provision_ca`: launch mints the chosen
-    CA(s) and re-binds their host paths into these inner plans before
-    provision runs, so an empty/missing path here means launch's
-    bringup is broken — fatal."""
-    if egress_plan.routes:
-        cert = egress_plan.mitmproxy_ca_cert_only_host_path
-        if cert == Path() or not cert.is_file():
-            die(
-                f"egress CA cert missing at {cert or '(empty)'}; "
-                f"launch must have called egress_tls_init and "
-                f"re-bound the plan before provision"
-            )
-        return cert, "egress"
-    cert = proxy_plan.ca_cert_host_path
-    if not cert or not cert.is_file():
+    Launch always mints the CA and re-binds the host path into the
+    egress_plan before provision runs, so an empty/missing path here
+    means launch's bringup is broken — fatal."""
+    cert = egress_plan.mitmproxy_ca_cert_only_host_path
+    if cert == Path() or not cert.is_file():
         die(
-            f"pipelock CA cert missing at {cert or '(empty)'}; "
-            f"launch must have called pipelock_tls_init and re-bound "
-            f"the plan before provision"
+            f"egress CA cert missing at {cert or '(empty)'}; "
+            f"launch must have called egress_tls_init and "
+            f"re-bound the plan before provision"
         )
-    return cert, "pipelock"
+    return cert, "egress"
 
 
 def log_ca_fingerprint(cert_host_path: Path, label: str) -> None:

bot_bottle/egress_addon_core.py

@@ -167,7 +167,7 @@ def is_git_push_request(path: str, query: str) -> bool:
     Universal across routes — the block fires even when no
     egress route matches the host. A bare-pass route (host with
     no auth, no path_allowlist) would otherwise let push through to
-    pipelock + upstream untouched.
+    the upstream untouched.
     """
     if path.endswith("/git-receive-pack"):
         return True
@@ -189,8 +189,8 @@ def match_route(
     exactly (case-insensitive). DNS names are case-insensitive.
 
     Wildcard hosts (`*.foo.com`) are NOT supported — they caused
-    too many edge cases (apex match? cert validation? pipelock
-    mirror mismatch?) for too little payoff. Operators that need
+    too many edge cases (apex match? cert validation?) for too
+    little payoff. Operators that need
     multiple subdomains declare them individually (or one common
     parent host as a bare-pass route)."""
     target = request_host.lower()
@@ -210,8 +210,7 @@ def decide(
     return what the addon should do with the request.
 
     - No matching route → BLOCK. The route table is the bottle's
-      egress allowlist; defense-in-depth complements pipelock's
-      hostname gate on the downstream leg. A bottle that wants a
+      egress allowlist. A bottle that wants a
       host reachable from the agent must declare a route for it
       (bare-pass route — no `auth`, no `path_allowlist` — is fine
       for hosts that just need passthrough).

bot_bottle/egress_entrypoint.sh

@@ -6,15 +6,15 @@
 # call it as a normal child. Behavior is unchanged:
 #
 #   * Upstream proxy: when EGRESS_UPSTREAM_PROXY is set, switch
-#     to `--mode upstream:URL` to forward all post-MITM traffic
-#     through pipelock. mitmproxy does NOT honor HTTPS_PROXY on
-#     its outbound side, so the upstream wiring has to be the
-#     mitmproxy mode flag, not env.
+#     to `--mode upstream:URL` to chain through an upstream proxy.
+#     mitmproxy does NOT honor HTTPS_PROXY on its outbound side,
+#     so the upstream wiring has to be the mitmproxy mode flag,
+#     not env.
 #   * Upstream trust: when EGRESS_UPSTREAM_CA is set, build a
-#     combined trust bundle (system roots + pipelock CA) and point
+#     combined trust bundle (system roots + upstream CA) and point
 #     mitmproxy at it. The option REPLACES mitmproxy's default
-#     trust store, so passing pipelock's CA alone would break
-#     route-configured pipelock passthrough hosts.
+#     trust store, so passing the upstream CA alone would break
+#     non-chained hosts.
 #   * `-s /app/egress_addon.py` loads the addon that reads
 #     /etc/egress/routes.yaml.
 
@@ -38,11 +38,7 @@ fi
 
 # Bind address. Docker backend wants `0.0.0.0` (agent dials egress
 # directly via the docker network alias). Smolmachines backend
-# wants `127.0.0.1` because the agent dials pipelock — not egress
-# — and egress is pipelock's localhost-only upstream inside the
-# bundle. TSI's IP-only allowlist would otherwise let the agent
-# reach `<bundle-ip>:9099` and bypass pipelock's DLP; binding
-# 127.0.0.1 inside the bundle closes that gap (PRD 0023 chunk 3).
+# uses EGRESS_LISTEN_HOST when a non-default binding is needed.
 LISTEN_HOST_FLAG=""
 if [ -n "$EGRESS_LISTEN_HOST" ]; then
   LISTEN_HOST_FLAG="--listen-host $EGRESS_LISTEN_HOST"
@@ -56,13 +52,10 @@ if [ -n "$EGRESS_UPSTREAM_CA" ] && [ -f "$EGRESS_UPSTREAM_CA" ]; then
 fi
 
 # Scope the proxy env to this process tree only. In the bundle
-# image (PRD 0024) the four daemons share one container — setting
+# image (PRD 0024) multiple daemons share one container — setting
 # HTTPS_PROXY at the container level would route git-gate's git
-# pushes through pipelock, which is wrong (pipelock doesn't proxy
-# SSH and would block public git repos). Setting them here means
-# only mitmdump's subprocess inherits them. In the legacy
-# four-sidecar setup these env vars are also set in compose; here
-# they're additionally defensive.
+# pushes through an upstream proxy unintentionally. Setting them
+# here means only mitmdump's subprocess inherits them.
 if [ -n "$EGRESS_UPSTREAM_PROXY" ]; then
   export HTTPS_PROXY="$EGRESS_UPSTREAM_PROXY"
   export HTTP_PROXY="$EGRESS_UPSTREAM_PROXY"

bot_bottle/git_gate.py

@@ -15,9 +15,9 @@ a bare repo on the gate; `git daemon` serves the bare repos over
 
 The agent never sees the upstream credential under either path.
 
-Why a third sidecar (not folded into pipelock or ssh-gate): the
+Why a separate sidecar (not folded into egress or ssh-gate): the
 gate is the only one of the three that holds upstream push
-credentials. Mixing it with pipelock would put push creds in the
+credentials. Mixing it with egress would put push creds in the
 same blast radius as internet-facing TLS interception; mixing it
 with ssh-gate would force ssh-gate above L4 and into git-protocol
 land. See `docs/prds/0008-git-gate.md`.

bot_bottle/manifest.py

@@ -18,8 +18,7 @@ Bottle schema (frontmatter):
     user:       { name: <str>, email: <str> }   # optional
     repos:      { <name>: <git-gate-entry>, ... }  # optional
   egress: { routes: [ <egress-route>, ... ] }
-    # route keys: host, path_allowlist, auth, role, pipelock
-    # pipelock: { tls_passthrough: <bool>, ssrf_ip_allowlist: [<cidr>, ...] }
+    # route keys: host, path_allowlist, auth, role
   supervise:    <bool>                          # optional
 
 Agent schema (frontmatter):
@@ -98,12 +97,11 @@ class Bottle:
     git_user: GitUser = field(default_factory=GitUser)
     egress: EgressConfig = field(default_factory=EgressConfig)
     # Opt-in per-bottle stuck-recovery sidecar (PRD 0013). When true,
-    # the launch step brings up a supervise sidecar that exposes three
-    # MCP tools to the agent (cred-proxy-block, pipelock-block,
-    # capability-block; the cred-proxy-block tool is renamed and
-    # retargeted at egress in PRD 0017 chunk 3) plus mounts the
-    # current-config dir read-only into the agent at /etc/bot-bottle/
-    # current-config. False (the default) skips the sidecar and mount.
+    # the launch step brings up a supervise sidecar that exposes MCP
+    # tools to the agent (egress-block, capability-block) plus mounts
+    # the current-config dir read-only into the agent at
+    # /etc/bot-bottle/current-config. False (the default) skips the
+    # sidecar and mount.
     supervise: bool = False
 
     @classmethod

bot_bottle/sidecar_init.py

@@ -282,10 +282,8 @@ class _Supervisor:
 
     def restart_daemon(self, daemon_name: str, *, grace: float = 5.0) -> bool:
         """Terminate one named child and spawn a fresh one, leaving
-        the other daemons running. Used by the pipelock-apply path:
-        pipelock has no in-process reload, so apply_allowlist_change
-        runs `docker kill --signal USR1 <bundle>` after writing the
-        new yaml; the supervisor catches SIGUSR1 and calls this.
+        the other daemons running. A daemon that has no in-process
+        reload can be restarted this way after its config file changes.
 
         Behavior: SIGTERM → wait up to `grace` seconds → SIGKILL if
         still alive → spawn a replacement under the same DaemonSpec.
@@ -293,8 +291,8 @@ class _Supervisor:
         forward_signal / shutdown calls reach the new pid.
 
         Returns True iff a daemon by that name was running and a
-        replacement spawned; False if no such daemon (the
-        compose-renderer subset said this bottle doesn't run it)."""
+        replacement spawned; False if no such daemon (not wired
+        for this bottle)."""
         if self.shutdown_at is not None:
             _log(f"restart {daemon_name} skipped; supervisor is shutting down")
             return False

bot_bottle/supervise.py

@@ -81,8 +81,7 @@ STATUS_REJECTED = "rejected"
 STATUSES: tuple[str, ...] = (STATUS_APPROVED, STATUS_MODIFIED, STATUS_REJECTED)
 
 # Operator-initiated audit entries (no tool call). PRD 0014's
-# `routes edit <bottle>` and PRD 0015's `pipelock edit <bottle>`
-# verbs write entries with this action.
+# `routes edit <bottle>` verb writes entries with this action.
 ACTION_OPERATOR_EDIT = "operator-edit"
 
 QUEUE_DIR_IN_CONTAINER = "/run/supervise/queue"

bot_bottle/yaml_subset.py

@@ -63,7 +63,7 @@ from typing import cast
 
 class YamlSubsetError(ValueError):
     """Raised when input violates the YAML subset's rules. Callers
-    that want fatal-exit semantics (manifest loader, pipelock-apply,
+    that want fatal-exit semantics (manifest loader, egress-apply,
     etc.) catch this at their own boundary and forward to `die`;
     callers running outside the bot-bottle CLI process (the
     egress sidecar's addon) handle it as a normal exception."""