fix(egress): remove implicit provider routes

tests/unit/test_egress.py

@@ -4,7 +4,6 @@ resolution (PRD 0017)."""
 import unittest
 
 from bot_bottle.egress import (
-    DEFAULT_ALLOWLIST,
     egress_manifest_routes,
     egress_render_routes,
     egress_resolve_token_values,
@@ -85,37 +84,28 @@ class TestRoutesForBottle(unittest.TestCase):
         self.assertEqual("", routes[1].token_env)
 
 
-class TestRoutesForBottleFoldsDefaults(unittest.TestCase):
-    """The effective route table includes DEFAULT_ALLOWLIST +
-    bottle.egress.allowlist as bare-pass entries — pipelock's
-    allowlist is a mirror of this set."""
+class TestRoutesForBottleUsesManifestOnly(unittest.TestCase):
+    """The effective route table is exactly the manifest-declared
+    routes. Provider defaults are not injected implicitly."""
 
-    def test_defaults_present_when_no_manifest_routes(self):
+    def test_no_manifest_routes_means_no_effective_routes(self):
         b = _bottle([])
-        hosts = [r.host for r in egress_routes_for_bottle(b)]
-        for default in DEFAULT_ALLOWLIST:
-            self.assertIn(default, hosts)
+        self.assertEqual((), egress_routes_for_bottle(b))
 
-    def test_manifest_route_wins_over_default(self):
-        # api.anthropic.com is in DEFAULT_ALLOWLIST. A manifest
-        # route for the same host takes precedence — we want the
-        # auth config to apply, not a duplicate bare-pass entry.
+    def test_manifest_route_preserved_with_auth(self):
         b = _bottle([{
             "host": "api.anthropic.com",
             "auth": {"scheme": "Bearer", "token_ref": "T"},
         }])
         routes = egress_routes_for_bottle(b)
-        anthropic = [r for r in routes if r.host == "api.anthropic.com"]
-        self.assertEqual(1, len(anthropic))
-        self.assertEqual("Bearer", anthropic[0].auth_scheme)
+        self.assertEqual(1, len(routes))
+        self.assertEqual("api.anthropic.com", routes[0].host)
+        self.assertEqual("Bearer", routes[0].auth_scheme)
 
-    def test_manifest_only_when_no_defaults_or_allowlist(self):
-        # Sanity: egress_manifest_routes returns just the
-        # manifest entries — defaults are added by the
-        # _routes_for_bottle wrapper.
+    def test_manifest_only(self):
         b = _bottle([{"host": "x.example"}])
-        manifest = [r.host for r in egress_manifest_routes(b)]
-        self.assertEqual(["x.example"], manifest)
+        effective = [r.host for r in egress_routes_for_bottle(b)]
+        self.assertEqual(["x.example"], effective)
 
 
 class TestTokenEnvMap(unittest.TestCase):

tests/unit/test_pipelock_allowlist.py

@@ -1,7 +1,7 @@
 """Unit: pipelock_effective_allowlist — pipelock's allowlist
-mirrors `egress_routes_for_bottle` (which folds in
-DEFAULT_ALLOWLIST). Git upstreams declared in `bottle.git` don't
-contribute; they flow through the per-agent git-gate (PRD 0008)."""
+mirrors manifest-declared egress routes. Git upstreams declared in
+`bottle.git` don't contribute; they flow through the per-agent
+git-gate (PRD 0008)."""
 
 import unittest
 
@@ -24,16 +24,11 @@ def _routes(routes):
 
 
 class TestEffectiveAllowlist(unittest.TestCase):
-    def test_default_allowlist_present_without_any_manifest_routes(self):
-        # No egress routes declared → pipelock allowlist is
-        # just the baked DEFAULT_ALLOWLIST (folded in by
-        # egress_routes_for_bottle).
+    def test_empty_without_any_manifest_routes(self):
         eff = pipelock_effective_allowlist(_bottle({}))
-        self.assertIn("api.anthropic.com", eff)
-        self.assertIn("sentry.io", eff)
+        self.assertEqual([], eff)
 
     def test_sorted_and_deduped(self):
-        # Manifest route for a default host collapses to one entry.
         eff = pipelock_effective_allowlist(_bottle(_routes([
             {"host": "api.anthropic.com",
              "auth": {"scheme": "Bearer", "token_ref": "T"}},
@@ -53,14 +48,12 @@ class TestAllowlistWithRoutes(unittest.TestCase):
         self.assertIn("registry.npmjs.org", eff)
         self.assertIn("api.github.com", eff)
 
-    def test_baked_defaults_still_present_alongside_manifest_routes(self):
+    def test_no_baked_defaults_alongside_manifest_routes(self):
         eff = pipelock_effective_allowlist(_bottle(_routes([
             {"host": "x.example",
              "auth": {"scheme": "Bearer", "token_ref": "T"}},
         ])))
-        for default in ("api.anthropic.com", "sentry.io"):
-            self.assertIn(default, eff)
-        self.assertIn("x.example", eff)
+        self.assertEqual(["x.example"], eff)
 
     def test_egress_hostname_NOT_in_pipelock_allowlist(self):
         # The agent never dials egress via the proxy mechanism

tests/unit/test_pipelock_yaml.py

@@ -42,9 +42,8 @@ class TestBuildConfig(unittest.TestCase):
             },
             cfg["request_body_scanning"],
         )
-        # Baked defaults always present.
-        self.assertIn("api.anthropic.com", cast(list[str], cfg["api_allowlist"]))
-        self.assertIn("raw.githubusercontent.com", cast(list[str], cfg["api_allowlist"]))
+        # No provider defaults are injected implicitly.
+        self.assertEqual([], cast(list[str], cfg["api_allowlist"]))
         # pipelock has no SSH carve-outs at all — neither
         # trusted_domains nor ssrf are emitted from bottle data.
         self.assertNotIn("trusted_domains", cfg)