refactor!: rename project to bot-bottle

Assisted-by: Codex

docs/research/secret-minimization-over-dlp.md

@@ -13,7 +13,7 @@ existing tools in that space).
 
 ## Summary
 
-claude-bottle's v1 egress story is: pipelock allowlists hostnames,
+bot-bottle's v1 egress story is: pipelock allowlists hostnames,
 intercepts TLS, body-scans every request against 48 builtin DLP
 patterns, and blocks on hit. Gitleaks does the analog on `git push`.
 Both are signature-based. Against a *determined* compromised or
@@ -79,7 +79,7 @@ The agent's conversation channel is therefore wide open as an exfil
 path. A prompt-injected agent that has been told a secret can ship
 it to Anthropic as conversation text, formatted however it likes,
 and pipelock sees only `CONNECT api.anthropic.com:443`. The
-`CLAUDE_BOTTLE_OAUTH_TOKEN` itself rides this exact path.
+`BOT_BOTTLE_OAUTH_TOKEN` itself rides this exact path.
 
 ### 3. Out-of-band channels exist regardless
 
@@ -134,7 +134,7 @@ per-bottle gate that:
 
 Two concrete instances worth implementing:
 
-**Anthropic-API gate.** Holds `CLAUDE_BOTTLE_OAUTH_TOKEN`. Agent's
+**Anthropic-API gate.** Holds `BOT_BOTTLE_OAUTH_TOKEN`. Agent's
 `ANTHROPIC_BASE_URL` points at the gate; gate injects
 `Authorization: Bearer …` and forwards to api.anthropic.com. The
 token is no longer in the bottle's env. Once the token is out,