refactor!: rename project to bot-bottle

Assisted-by: Codex

docs/research/stronger-isolation-alternatives.md

@@ -1,7 +1,7 @@
 # Stronger isolation alternatives: gVisor, Kata, Firecracker, Apple Container
 
 Research into what it would take to replace or augment Docker (with `runc`)
-as the agent runtime in claude-bottle, and what each option would actually
+as the agent runtime in bot-bottle, and what each option would actually
 buy in security terms vs. cost in launcher rewrite.
 
 ## Summary
@@ -17,7 +17,7 @@ There is a ladder, not a menu. Three realistic rungs, ordered by effort:
 
 A fourth option, **Apple Container**, is the right macOS-native answer to
 "I want Kata's isolation model without giving up MacBooks as the dev
-target." Probably the right v2 if claude-bottle keeps macOS in scope.
+target." Probably the right v2 if bot-bottle keeps macOS in scope.
 
 The pipelock egress design is portable across all four: every option can
 provide a network primitive that means "no default route except through
@@ -54,11 +54,11 @@ forwarded to the host kernel.
 
 ### What changes in this codebase
 
-- `claude_bottle/cli/start.py` (where `docker run` is assembled): add
+- `bot_bottle/cli/start.py` (where `docker run` is assembled): add
   `--runtime=runsc` to the container args when the bottle requests it.
   Make it configurable: `bottles.<name>.runtime: "runsc" | "runc"`,
   default `runc`.
-- `claude_bottle/docker.py`: add a `require_runsc()` check that runs
+- `bot_bottle/docker.py`: add a `require_runsc()` check that runs
   `docker info --format '{{.Runtimes}}'` once and dies with an install
   pointer if `runsc` isn't registered.
 - `network.py`, `pipelock.py`, `skills.py`, `ssh.py`: **no changes**.
@@ -111,7 +111,7 @@ Docker network.
 - Slower cold start (hundreds of ms vs. tens). For interactive Claude
   this is fine; for ephemeral batch agents you would notice.
 - Not natively supported on macOS at all — needs a Linux host or a Linux
-  VM you control. **This is the moment claude-bottle stops being "works
+  VM you control. **This is the moment bot-bottle stops being "works
   on a Mac dev laptop with Docker Desktop."**
 
 ### When this is the right rung
@@ -138,18 +138,18 @@ replacing Docker, not adding to it.
 
 ### Files in this repo that would change
 
-- `claude_bottle/docker.py` → replaced by a new `claude_bottle/firecracker.py`
+- `bot_bottle/docker.py` → replaced by a new `bot_bottle/firecracker.py`
   that POSTs to the Firecracker API socket per microVM (`/boot-source`,
   `/drives`, `/network-interfaces`, `/actions`).
-- `claude_bottle/network.py` → a host-side networking module that creates
+- `bot_bottle/network.py` → a host-side networking module that creates
   a Linux bridge per agent, two TAPs (agent-side, pipelock-side), and
   either iptables rules or no host route at all so the agent VM
   literally cannot reach anything except pipelock.
-- `claude_bottle/pipelock.py` → instead of a sidecar container, run
+- `bot_bottle/pipelock.py` → instead of a sidecar container, run
   pipelock as its own microVM (or on the host pinned to the bridge).
   The hostname-allowlist semantics carry over; the implementation is
   different.
-- `claude_bottle/skills.py`, `ssh.py` → can no longer use `docker cp`.
+- `bot_bottle/skills.py`, `ssh.py` → can no longer use `docker cp`.
   Bake skills into the rootfs at build time, or mount a virtiofs share
   read-only.
 - `Dockerfile` → replaced by a rootfs builder. Realistically this means
@@ -221,7 +221,7 @@ scope and the manifest example carries `/Users/didericis` paths:
    and look at Apple Container. Smaller launcher rewrite than
    Firecracker; Linux stays on the gVisor / Kata path. Probably the
    right v2.
-3. **Firecracker only if** claude-bottle's deployment target settles on
+3. **Firecracker only if** bot-bottle's deployment target settles on
    self-hosted Linux, not laptops — at which point the "non-goal:
    self-hosted VMs" line in `CLAUDE.md` flips and the project's
    identity changes.