chore: remove all pipelock references from tests, docs, and non-pipelock source

- Strip pipelock from all unit and integration test fixtures:
  proxy_plan fields removed from DockerBottlePlan/SmolmachinesBottlePlan
  constructors; pipelock-specific test classes deleted or renamed
- Update test_sidecar_init: remove test_pipelock_loses_egress_tokens,
  rename "pipelock" daemon fixtures to "git-gate" throughout
- Remove test_pipelock_binary_present_and_versioned from integration test
- Remove test_pipelock_answers_on_bundle_ip from smolmachines launch test
- Update _SANDBOX_BLOCK_MARKERS: remove "pipelock" marker (egress blocks)
- Dockerfile.sidecars: remove pipelock build stage and COPY; update layout
  comments and port table
- egress_entrypoint.sh: update comments now that egress is sole proxy
- Clean up pipelock references in comments/docstrings across backend,
  network, manifest, supervise, git_gate, yaml_subset, agent_provider,
  sidecar_bundle, sidecar_init, egress_addon_core modules

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

bot_bottle/backend/smolmachines/bottle_plan.py

@@ -12,7 +12,6 @@ from dataclasses import dataclass
 from pathlib import Path
 
 from ...agent_provider import PromptMode
-from ...pipelock import PipelockProxyPlan
 from .. import BottlePlan
 
 
@@ -71,7 +70,6 @@ class SmolmachinesBottlePlan(BottlePlan):
     # docker's `--internal` + egress bridge topology; it's on a
     # per-bottle bridge with a pinned IP. The unused fields stay
     # at their dataclass defaults.
-    proxy_plan: PipelockProxyPlan
     # Agent-side endpoints. On Docker Desktop the docker bridge
     # IPs aren't reachable from the smolvm guest (TSI uses macOS
     # networking; docker container IPs live in the daemon's VM),

bot_bottle/backend/smolmachines/enumerate.py

@@ -69,8 +69,8 @@ def enumerate_active() -> list[ActiveAgent]:
 
 
 def _query_bundle_services() -> dict[str, tuple[str, ...]]:
-    """`{slug: ('egress', 'pipelock', ...)}` from each running
-    bundle container's `BOT_BOTTLE_SIDECAR_DAEMONS` env var.
+    """`{slug: ('egress', ...)}` from each running bundle container's
+    `BOT_BOTTLE_SIDECAR_DAEMONS` env var.
     Smolmachines bundles all run the PRD-0024 image with the
     same daemon set declared via env, so one inspect per bundle
     gets us the picture without exec'ing into the container.

bot_bottle/backend/smolmachines/launch.py

@@ -9,13 +9,9 @@ guest pointed at the bundle's pinned IP via TSI's
 exit.
 
 The bundle's daemons consume the inner Plans the docker backend
-already produces: pipelock reads its yaml + CA from the
-PipelockProxyPlan; egress reads routes + CAs from the EgressPlan
-+ EGRESS_UPSTREAM_PROXY pointing at `127.0.0.1:8888` (bundle
-local), since the agent dials pipelock first (not egress) on the
-smolmachines path. Git-gate + supervise plumb through the same
-plans the docker backend uses, minus the docker-network fields
-that don't apply here."""
+already produces: egress reads routes + CAs from the EgressPlan.
+Git-gate + supervise plumb through the same plans the docker
+backend uses, minus the docker-network fields that don't apply here."""
 
 from __future__ import annotations
 
@@ -29,16 +25,11 @@ from ...egress import (
     EGRESS_ROUTES_IN_CONTAINER,
     egress_resolve_token_values,
 )
-from ...pipelock import (
-    PIPELOCK_CA_CERT_IN_CONTAINER,
-    PIPELOCK_CA_KEY_IN_CONTAINER,
-)
 from ...supervise import QUEUE_DIR_IN_CONTAINER, SUPERVISE_PORT
 from ...util import expand_tilde
 from ..docker import util as docker_mod
 from ..docker.egress import (
     EGRESS_CA_IN_CONTAINER,
-    EGRESS_PIPELOCK_CA_IN_CONTAINER,
     EGRESS_PORT as _EGRESS_PORT,
     egress_tls_init,
 )
@@ -48,14 +39,9 @@ from ..docker.git_gate import (
     GIT_GATE_ENTRYPOINT_IN_CONTAINER,
     GIT_GATE_HOOK_IN_CONTAINER,
 )
-from ..docker.pipelock import (
-    BUNDLE_LOCAL_PIPELOCK_URL,
-    PIPELOCK_PORT as _PIPELOCK_PORT_STR,
-    pipelock_tls_init,
-)
 from ...git_gate import revoke_git_gate_provisioned_keys
 from ...log import warn
-from ..docker.bottle_state import git_gate_state_dir
+from ..docker.bottle_state import egress_state_dir, git_gate_state_dir
 from . import loopback_alias as _loopback
 from . import sidecar_bundle as _bundle
 from . import smolvm as _smolvm
@@ -78,9 +64,7 @@ _SMOLMACHINE_CACHE_DIR = Path.home() / ".cache" / "bot-bottle" / "smolmachines"
 # Container-internal listening ports for each bundle daemon. The
 # bundle publishes each one on a random host loopback port (see
 # `_bundle.start_bundle`), and `_bundle.bundle_host_port` looks
-# them up post-start. Pipelock's port is an env-overridable string
-# in docker.pipelock; coerce to int here.
-_PIPELOCK_PORT = int(_PIPELOCK_PORT_STR)
+# them up post-start.
 _GIT_HTTP_PORT = 9420
 _SUPERVISE_PORT = SUPERVISE_PORT
 
@@ -167,33 +151,16 @@ def _allocate_resources(
 
 
 def _mint_certs(plan: SmolmachinesBottlePlan) -> SmolmachinesBottlePlan:
-    """Mint per-bottle CAs and return the plan with CA paths filled.
-
-    Pipelock always runs in the bundle. Egress's CA is only minted
-    when the bottle declares routes — otherwise egress runs idle
-    without MITM and the CA files would be unused."""
-    ca_cert_host, ca_key_host = pipelock_tls_init(plan.proxy_plan.yaml_path.parent)
-    proxy_plan = dataclasses.replace(
-        plan.proxy_plan,
-        ca_cert_host_path=ca_cert_host,
-        ca_key_host_path=ca_key_host,
+    """Mint the egress MITM CA and return the plan with CA paths filled."""
+    egress_ca_host, egress_ca_cert_only = egress_tls_init(
+        egress_state_dir(plan.slug),
     )
-    egress_plan = plan.egress_plan
-    if egress_plan.routes:
-        egress_ca_host, egress_ca_cert_only = egress_tls_init(
-            plan.egress_plan.routes_path.parent,
-        )
-        egress_plan = dataclasses.replace(
-            egress_plan,
-            mitmproxy_ca_host_path=egress_ca_host,
-            mitmproxy_ca_cert_only_host_path=egress_ca_cert_only,
-            pipelock_ca_host_path=ca_cert_host,
-            # On smolmachines, egress's upstream is pipelock on the
-            # bundle's localhost — they're in the same container's
-            # network namespace.
-            pipelock_proxy_url=BUNDLE_LOCAL_PIPELOCK_URL,
-        )
-    return dataclasses.replace(plan, proxy_plan=proxy_plan, egress_plan=egress_plan)
+    egress_plan = dataclasses.replace(
+        plan.egress_plan,
+        mitmproxy_ca_host_path=egress_ca_host,
+        mitmproxy_ca_cert_only_host_path=egress_ca_cert_only,
+    )
+    return dataclasses.replace(plan, egress_plan=egress_plan)
 
 
 def _start_bundle(
@@ -224,17 +191,10 @@ def _discover_urls(
     macOS networking, and macOS sees the daemon's bridge via the
     published-port loopback forward only.
 
-    Proxy hop order: when the bottle declares egress routes, the
-    agent's first hop is egress (for token injection), then
-    pipelock. Without routes, the agent dials pipelock directly.
     NO_PROXY includes the per-bottle loopback alias so the
     supervise + git-gate URLs bypass HTTPS_PROXY."""
-    if plan.egress_plan.routes:
-        agent_facing_port = _EGRESS_PORT
-    else:
-        agent_facing_port = _PIPELOCK_PORT
     agent_facing_host_port = _bundle.bundle_host_port(
-        plan.slug, agent_facing_port, host_ip=loopback_ip,
+        plan.slug, _EGRESS_PORT, host_ip=loopback_ip,
     )
     agent_proxy_url = f"http://{loopback_ip}:{agent_facing_host_port}"
 
@@ -328,8 +288,7 @@ def _bundle_launch_spec(
     """Build a BundleLaunchSpec from the resolved inner Plans.
 
     Daemons in the CSV:
-      - egress + pipelock are always present (pipelock is the
-        agent's first hop; egress is its upstream).
+      - egress is always present.
       - git-gate + git-http are conditional on plan.git_gate_plan.upstreams.
       - supervise is conditional on plan.supervise_plan.
 
@@ -337,36 +296,15 @@ def _bundle_launch_spec(
     daemon-private values only (HTTPS_PROXY is scoped to the
     egress process by egress_entrypoint.sh — see PRD 0024's bundle
     bind-address PR)."""
-    daemons: list[str] = ["egress", "pipelock"]
+    daemons: list[str] = ["egress"]
     env: list[str] = []
     volumes: list[tuple[str, str, bool]] = []
 
-    # In this Docker-Desktop-compatible topology, whichever daemon
-    # is "agent-facing" gets its port published on the host
-    # loopback (see `_ensure_smolmachine`'s discovery loop) and the
-    # other stays bundle-internal. The bundle is NOT reachable by
-    # bridge IP from the smolvm guest on macOS — TSI uses macOS
-    # networking, and macOS sees the daemon's bridge via the
-    # published-port loopback forward only.
-
-    # --- pipelock ---------------------------------------------
-    pp = plan.proxy_plan
-    volumes += [
-        (str(pp.yaml_path), "/etc/pipelock.yaml", True),
-        (str(pp.ca_cert_host_path), PIPELOCK_CA_CERT_IN_CONTAINER, True),
-        (str(pp.ca_key_host_path), PIPELOCK_CA_KEY_IN_CONTAINER, True),
-    ]
-
     # --- egress -----------------------------------------------
     ep = plan.egress_plan
+    volumes.append((str(ep.mitmproxy_ca_host_path), EGRESS_CA_IN_CONTAINER, True))
     if ep.routes:
-        env.append(f"EGRESS_UPSTREAM_PROXY={ep.pipelock_proxy_url}")
-        env.append(f"EGRESS_UPSTREAM_CA={EGRESS_PIPELOCK_CA_IN_CONTAINER}")
-        volumes += [
-            (str(ep.routes_path), EGRESS_ROUTES_IN_CONTAINER, True),
-            (str(ep.mitmproxy_ca_host_path), EGRESS_CA_IN_CONTAINER, True),
-            (str(ep.pipelock_ca_host_path), EGRESS_PIPELOCK_CA_IN_CONTAINER, True),
-        ]
+        volumes.append((str(ep.routes_path), EGRESS_ROUTES_IN_CONTAINER, True))
         # Bare-name entries for upstream-token slots. Their values
         # come from the docker-run subprocess env (inherited from
         # the operator's shell), never landing on argv.
@@ -409,14 +347,8 @@ def _bundle_launch_spec(
 
     # Container ports the agent reaches from the smolvm guest —
     # published on host loopback so the guest can dial via TSI +
-    # macOS networking. The HTTP/HTTPS chokepoint is whichever
-    # daemon's port we publish: egress when routes are declared
-    # (token injection first, then forwards to bundle-internal
-    # pipelock), pipelock otherwise.
-    if ep.routes:
-        ports_to_publish: list[int] = [_EGRESS_PORT]
-    else:
-        ports_to_publish = [_PIPELOCK_PORT]
+    # macOS networking. Egress is always the agent's HTTP/HTTPS proxy.
+    ports_to_publish: list[int] = [_EGRESS_PORT]
     if gp.upstreams:
         ports_to_publish.append(_GIT_HTTP_PORT)
     if sp is not None:

bot_bottle/backend/smolmachines/local_registry.py

@@ -48,7 +48,7 @@ from ...log import die
 
 
 # registry:2.8.3, pinned by digest. Same env-override pattern as the
-# pipelock image pin in bot_bottle/backend/docker/pipelock.py.
+# sidecar image pin in bot_bottle/backend/docker/sidecar_bundle.py.
 REGISTRY_IMAGE = os.environ.get(
     "BOT_BOTTLE_REGISTRY_IMAGE",
     "registry@sha256:a3d8aaa63ed8681a604f1dea0aa03f100d5895b6a58ace528858a7b332415373",

bot_bottle/backend/smolmachines/prepare.py

@@ -23,24 +23,21 @@ from ...backend.docker.bottle_state import (
     bottle_identity,
     egress_state_dir,
     git_gate_state_dir,
-    pipelock_state_dir,
     supervise_state_dir,
     write_metadata,
 )
 from ...egress import Egress
 from ...env import resolve_env
 from ...git_gate import GitGate
-from ...pipelock import PipelockProxy
 from ...supervise import Supervise
 from ...workspace import workspace_plan as resolve_workspace_plan
 from .bottle_plan import SmolmachinesBottlePlan
 from .util import smolmachines_bundle_subnet, smolmachines_preflight
 
 
-# Gateway ports the bundle exposes inside its container — pipelock
-# HTTPS proxy, git-gate's git-daemon, supervise's MCP. The agent
-# inside the smolvm guest dials these on the bundle's pinned IP.
-_BUNDLE_PIPELOCK_PORT = 8888
+# Gateway ports the bundle exposes inside its container — git-gate's
+# git-daemon, supervise's MCP. The agent inside the smolvm guest
+# dials these on the bundle's pinned IP.
 _BUNDLE_GIT_GATE_PORT = 9418
 _BUNDLE_SUPERVISE_PORT = 9100
 
@@ -145,18 +142,6 @@ def resolve_plan(
         merged_guest_env.setdefault(key, val)
     agent_provision = replace(agent_provision, guest_env=merged_guest_env)
 
-    # Inner Plans for the four bundle daemons. The ABCs are
-    # platform-neutral — `.prepare()` writes config files + returns
-    # a Plan dataclass with no backend-specific assumptions. State
-    # dirs are still keyed by slug under the docker backend's
-    # bottle_state layout (shared on-host convention; not a docker
-    # dependency).
-    pipelock_dir = pipelock_state_dir(slug)
-    pipelock_dir.mkdir(parents=True, exist_ok=True)
-    proxy_plan = PipelockProxy().prepare(
-        bottle, slug, pipelock_dir, agent_provision.egress_routes,
-    )
-
     egress_dir = egress_state_dir(slug)
     egress_dir.mkdir(parents=True, exist_ok=True)
     egress_plan = Egress().prepare(
@@ -181,7 +166,6 @@ def resolve_plan(
         agent_image_ref=agent_image_ref,
         guest_env=agent_provision.guest_env,
         prompt_file=prompt_file,
-        proxy_plan=proxy_plan,
         git_gate_plan=git_gate_plan,
         egress_plan=egress_plan,
         supervise_plan=supervise_plan,

bot_bottle/backend/smolmachines/provision/ca.py

@@ -1,13 +1,10 @@
-"""Install the per-bottle MITM CA into the smolmachines guest's
-trust store (PRD 0023 chunk 4d).
+"""Install the per-bottle egress MITM CA into the smolmachines
+guest's trust store (PRD 0023 chunk 4d).
 
-Mirrors `backend.docker.provision.ca`: select the right CA (egress
-when the bottle has routes, else pipelock), copy it to Debian's
-`/usr/local/share/ca-certificates/` path,
+Mirrors `backend.docker.provision.ca`: copy the egress CA to
+Debian's `/usr/local/share/ca-certificates/` path,
 `update-ca-certificates` to rebuild the trust bundle, and log the
-fingerprint once. The selected cert depends on the agent's
-HTTP_PROXY target — same logic as the docker backend, since the
-agent dials the same daemons through the same bundle.
+fingerprint once.
 
 `smolvm machine exec` runs commands as root in the VM (no `-u`
 flag exists; the VM init is root), so we don't need the explicit
@@ -35,7 +32,7 @@ def provision_ca(plan: SmolmachinesBottlePlan, bottle: Bottle) -> None:
     """Copy the agent-facing CA cert into the guest, rebuild the
     trust bundle, emit a one-line fingerprint log. Called from
     `BottleBackend.provision` after the smolvm guest is up."""
-    cert_host_path, label = select_ca_cert(plan.egress_plan, plan.proxy_plan)
+    cert_host_path, label = select_ca_cert(plan.egress_plan)
 
     bottle.cp_in(str(cert_host_path), AGENT_CA_PATH)
     # Mode 0644 — readable to non-root tools in the guest.

bot_bottle/backend/smolmachines/sidecar_bundle.py

@@ -19,7 +19,7 @@ This module ships the lifecycle primitives only — create
 network, start bundle, stop bundle, remove network — wrapped
 around `subprocess.run(["docker", ...])`. Wiring them into the
 launch flow + populating the `BundleLaunchSpec` from the inner
-Plans (PipelockProxyPlan, EgressPlan, …) lands in chunk 2d."""
+Plans (EgressPlan, …) lands in chunk 2d."""
 
 from __future__ import annotations
 
@@ -69,7 +69,7 @@ class BundleLaunchSpec:
     # Daemon subset CSV for BOT_BOTTLE_SIDECAR_DAEMONS. The
     # supervisor inside the bundle reads it to skip
     # bottle-irrelevant daemons (e.g. supervise=False bottles).
-    daemons_csv: str = "egress,pipelock"
+    daemons_csv: str = "egress"
     # Plain "KEY=VALUE" strings + "KEY" bare names (the bare-name
     # form inherits the value from the docker-run subprocess env,
     # matching the docker backend's compose-up secret-forwarding