refactor!: rename project to bot-bottle

Assisted-by: Codex

docs/research/agent-sandbox-landscape.md

@@ -4,13 +4,13 @@ A broader survey than [`landscape-containerized-claude.md`](landscape-containeri
 which focused on Claude-Code-specific containerizers. This one covers
 general AI-agent sandbox / containment projects — some Claude-specific,
 some agent-agnostic, some hosted SaaS — and contrasts them with
-claude-bottle's design.
+bot-bottle's design.
 
 Research conducted 2026-05-11.
 
 ## Summary
 
-Eight projects surveyed. None duplicate claude-bottle's combination of
+Eight projects surveyed. None duplicate bot-bottle's combination of
 local Docker, declarative JSON manifest, per-agent egress allowlist via
 pipelock, and bottle/agent split. Two clusters stand out:
 
@@ -157,7 +157,7 @@ plausible without a heavy stack.
 
 ## Comparison table
 
-| Axis | claude-bottle | endo-familiar | litterbox | agent-safehouse | matchlock | tilde.run | boxlite | microsandbox | smolmachines |
+| Axis | bot-bottle | endo-familiar | litterbox | agent-safehouse | matchlock | tilde.run | boxlite | microsandbox | smolmachines |
 |---|---|---|---|---|---|---|---|---|---|
 | Isolation | Docker + internal net + pipelock; gVisor if present | Object-capability (no OS isolation) | Podman + opt. Landlock | macOS `sandbox-exec` | MicroVM (Firecracker / Virt.fw) | Hosted container (unverified) | MicroVM (KVM / Hypervisor.fw) | MicroVM (libkrun) | MicroVM (libkrun / KVM) |
 | Local vs hosted | Local | Local | Local (Linux) | Local (macOS) | Local | Hosted SaaS | Local | Local | Local |
@@ -171,9 +171,9 @@ plausible without a heavy stack.
 ## What's closest, what's different
 
 **Closest in design and scope.** agent-safehouse and litterbox sit
-nearest claude-bottle: local, single-user, thin wrappers over an
+nearest bot-bottle: local, single-user, thin wrappers over an
 existing OS primitive, low-dep. The split is the isolation primitive —
-claude-bottle uses Docker + pipelock egress (plus gVisor where
+bot-bottle uses Docker + pipelock egress (plus gVisor where
 available); agent-safehouse uses `sandbox-exec`; litterbox uses Podman +
 Landlock. matchlock and smolmachines are spiritually close on the
 *policy* side (default-deny net, per-host allowlist) but use microVMs
@@ -181,16 +181,16 @@ instead of containers.
 
 **Solving a different problem.** tilde.run is hosted SaaS for team /
 production agent pipelines with data-versioned rollback — explicitly
-opposite to claude-bottle's "infrastructure I control" goal. boxlite and
+opposite to bot-bottle's "infrastructure I control" goal. boxlite and
 microsandbox are infrastructure libraries aimed at platform builders
 embedding sandboxes into agent frameworks; they would be a *backend*
-claude-bottle could call, not a competitor to its manifest layer.
+bot-bottle could call, not a competitor to its manifest layer.
 endo-familiar is in a different paradigm entirely: capability passing
 rather than kernel boundaries.
 
 ## Borrowable ideas
 
-What claude-bottle already has that the survey suggested as
+What bot-bottle already has that the survey suggested as
 differentiators:
 - Default-deny egress with a per-agent allowlist (pipelock).
 - DLP scanning of outbound traffic.