chore: remove all pipelock references from tests, docs, and non-pipelock source

- Strip pipelock from all unit and integration test fixtures:
  proxy_plan fields removed from DockerBottlePlan/SmolmachinesBottlePlan
  constructors; pipelock-specific test classes deleted or renamed
- Update test_sidecar_init: remove test_pipelock_loses_egress_tokens,
  rename "pipelock" daemon fixtures to "git-gate" throughout
- Remove test_pipelock_binary_present_and_versioned from integration test
- Remove test_pipelock_answers_on_bundle_ip from smolmachines launch test
- Update _SANDBOX_BLOCK_MARKERS: remove "pipelock" marker (egress blocks)
- Dockerfile.sidecars: remove pipelock build stage and COPY; update layout
  comments and port table
- egress_entrypoint.sh: update comments now that egress is sole proxy
- Clean up pipelock references in comments/docstrings across backend,
  network, manifest, supervise, git_gate, yaml_subset, agent_provider,
  sidecar_bundle, sidecar_init, egress_addon_core modules

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

bot_bottle/backend/docker/__init__.py

@@ -4,7 +4,6 @@ The bulk of the implementation lives in sibling modules:
 
   - util:                 thin Docker subprocess wrappers
   - network:              Docker network plumbing
-  - pipelock:             DockerPipelockProxy lifecycle
   - bottle_plan:          DockerBottlePlan
   - bottle_cleanup_plan:  DockerBottleCleanupPlan
   - bottle:               DockerBottle handle

bot_bottle/backend/docker/bottle_state.py

@@ -56,8 +56,8 @@ _AGENT_SUBDIR = "agent"
 _METADATA_NAME = "metadata.json"
 # Live-config dir bind-mounted into the supervise sidecar (read-only).
 # Host's apply paths keep these files fresh so supervise's
-# `list-pipelock-allowlist` / `list-egress-routes` MCP tools
-# return the current state — not a snapshot from launch time.
+# `list-egress-routes` MCP tool returns the current state —
+# not a snapshot from launch time.
 _LIVE_CONFIG_SUBDIR = "live-config"
 LIVE_CONFIG_ROUTES_NAME = "routes.yaml"
 LIVE_CONFIG_ALLOWLIST_NAME = "allowlist"

bot_bottle/backend/docker/compose.py

@@ -50,6 +50,7 @@ from .git_gate import (
     GIT_GATE_ENTRYPOINT_IN_CONTAINER,
     GIT_GATE_HOOK_IN_CONTAINER,
 )
+from . import network as network_mod
 from .sidecar_bundle import (
     SIDECAR_BUNDLE_DOCKERFILE,
     SIDECAR_BUNDLE_IMAGE,
@@ -91,11 +92,11 @@ def _networks(plan: DockerBottlePlan) -> dict[str, Any]:
     bridge."""
     return {
         "internal": {
-            "name": plan.proxy_plan.internal_network,
+            "name": network_mod.network_name_for_slug(plan.slug),
             "internal": True,
         },
         "egress": {
-            "name": plan.proxy_plan.egress_network,
+            "name": network_mod.network_egress_name_for_slug(plan.slug),
         },
     }
 
@@ -131,11 +132,9 @@ def _sidecar_bundle_service(plan: DockerBottlePlan) -> dict[str, Any]:
 
     # --- egress -------------------------------------------------------
     ep = plan.egress_plan
+    volumes.append(_bind(ep.mitmproxy_ca_host_path, EGRESS_CA_IN_CONTAINER))
     if ep.routes:
-        volumes += [
-            _bind(ep.routes_path, EGRESS_ROUTES_IN_CONTAINER),
-            _bind(ep.mitmproxy_ca_host_path, EGRESS_CA_IN_CONTAINER),
-        ]
+        volumes.append(_bind(ep.routes_path, EGRESS_ROUTES_IN_CONTAINER))
         for token_env in sorted(ep.token_env_map.keys()):
             env.append(token_env)
 

bot_bottle/backend/docker/launch.py

@@ -116,15 +116,13 @@ def launch(
                 internal_network=internal_network,
                 egress_network=egress_network,
             )
-        egress_plan = plan.egress_plan
-        if egress_plan.routes:
-            egress_plan = dataclasses.replace(
-                egress_plan,
-                internal_network=internal_network,
-                egress_network=egress_network,
-                mitmproxy_ca_host_path=egress_ca_host,
-                mitmproxy_ca_cert_only_host_path=egress_ca_cert_only,
-            )
+        egress_plan = dataclasses.replace(
+            plan.egress_plan,
+            internal_network=internal_network,
+            egress_network=egress_network,
+            mitmproxy_ca_host_path=egress_ca_host,
+            mitmproxy_ca_cert_only_host_path=egress_ca_cert_only,
+        )
         supervise_plan = plan.supervise_plan
         if supervise_plan is not None:
             supervise_plan = dataclasses.replace(

bot_bottle/backend/docker/network.py

@@ -1,11 +1,10 @@
 """Docker network plumbing for the per-agent egress topology.
 
 The agent container sits on a Docker `--internal` network (no default
-gateway). Pipelock straddles that network and a per-agent user-defined
-bridge for upstream egress. We deliberately do NOT use Docker's legacy
+gateway). Egress straddles that network and a per-agent user-defined
+bridge for upstream traffic. We deliberately do NOT use Docker's legacy
 `bridge` network because only user-defined bridges run Docker's
-embedded DNS resolver, which pipelock needs to resolve api.anthropic.com
-and similar upstream hostnames.
+embedded DNS resolver, which egress needs to resolve upstream hostnames.
 
 Naming: bot-bottle-net-<slug> (internal),
 bot-bottle-egress-<slug> (egress). Numeric suffix on conflict
@@ -77,20 +76,12 @@ def network_create_internal(slug: str) -> str:
 
 def network_create_egress(slug: str) -> str:
     """Create a per-agent user-defined bridge (NOT the legacy `bridge`)
-    so the pipelock sidecar has working DNS for upstream hostnames."""
+    so the egress sidecar has working DNS for upstream hostnames."""
     return _network_create_with_prefix(network_egress_name_for_slug(slug), internal=False)
 
 
 def network_inspect_cidr(name: str) -> str:
-    """Return the IPv4 CIDR Docker assigned to a user-defined network.
-
-    Used by pipelock's SSRF guard exception: the bottle's internal
-    network sits in RFC1918 space, so pipelock's `internal:` list
-    would block any agent request whose destination resolves there
-    — including the cred-proxy sidecar's address. Adding the
-    network's CIDR to pipelock's `ssrf.ip_allowlist` lets traffic
-    targeted at the bottle's own sidecars through while pipelock
-    still body-scans and api_allowlist-gates as usual."""
+    """Return the IPv4 CIDR Docker assigned to a user-defined network."""
     result = subprocess.run(
         ["docker", "network", "inspect",
          "--format", "{{range .IPAM.Config}}{{.Subnet}}{{end}}", name],

bot_bottle/backend/docker/prepare.py

@@ -200,10 +200,9 @@ def resolve_plan(
         # root; for `--cwd` derived images the base Dockerfile is what
         # the agent should propose changes against (the derived layer
         # is just a workspace copy).
-        # (routes.yaml + pipelock allowlist used to land here too but
-        # PRD 0017 chunk 3 moved them behind the
-        # `list-egress-routes` MCP tool so the agent gets live
-        # state rather than a launch-time snapshot.)
+        # (routes.yaml used to land here too but PRD 0017 chunk 3
+        # moved it behind the `list-egress-routes` MCP tool so the
+        # agent gets live state rather than a launch-time snapshot.)
         supervise_dockerfile_path = (
             Path(dockerfile_path)
             if dockerfile_path

bot_bottle/backend/docker/provision/ca.py

@@ -1,19 +1,8 @@
-"""Install the per-bottle MITM CA into the agent container's trust
-store.
+"""Install the per-bottle egress MITM CA into the agent container's
+trust store.
 
-Post-PRD-0017 the CA depends on the agent's HTTP_PROXY target:
-
-  - Bottle declares `egress.routes[]` → agent's HTTP_PROXY
-    points at egress; the cert the agent must trust is the
-    one egress mints leaf certs with (the egress CA).
-  - No egress routes → agent's HTTP_PROXY points straight at
-    pipelock; the cert the agent must trust is pipelock's CA (the
-    pre-cutover behavior).
-
-By the time this provisioner runs, the corresponding `tls_init`
-helper has generated the chosen CA under `plan.stage_dir`, and the
-sidecar (pipelock or egress) is up referencing the
-in-container CA paths.
+By the time this provisioner runs, `egress_tls_init` has generated
+the egress CA and the path is re-bound into `plan.egress_plan`.
 
 Cert lands on Debian's standard source path
 (`/usr/local/share/ca-certificates/`); `update-ca-certificates`
@@ -40,7 +29,7 @@ def provision_ca(plan: DockerBottlePlan, bottle: Bottle) -> None:
     """Copy the agent-facing CA cert into the agent, rebuild the
     trust bundle, emit a one-line fingerprint log. Called from
     `BottleBackend.provision` after the agent container is up."""
-    cert_host_path, label = select_ca_cert(plan.egress_plan, plan.proxy_plan)
+    cert_host_path, label = select_ca_cert(plan.egress_plan)
 
     bottle.cp_in(str(cert_host_path), AGENT_CA_PATH)
     bottle.exec(

bot_bottle/backend/docker/sidecar_bundle.py

@@ -2,10 +2,10 @@
 (PRD 0024).
 
 The bundle image (built by Dockerfile.sidecars, PRD 0024 chunk 1)
-runs pipelock + egress + git-gate + supervise as one container
-per bottle under a small Python init supervisor. As of chunk 5
-the bundle is the only shape — the legacy four-sidecar topology
-and its `BOT_BOTTLE_SIDECAR_BUNDLE` feature flag are gone."""
+runs egress + git-gate + supervise as one container per bottle
+under a small Python init supervisor. As of chunk 5 the bundle
+is the only shape — the legacy four-sidecar topology and its
+`BOT_BOTTLE_SIDECAR_BUNDLE` feature flag are gone."""
 
 from __future__ import annotations