refactor(docker): forward OAuth token through resolved env

Previously _run_agent_container set os.environ["CLAUDE_CODE_OAUTH_TOKEN"]
deep inside the launch path and added a one-off `-e` pair to docker_args,
which was the only env var to bypass the resolved.forwarded flow used
for everything else.

Move the os.environ mutation + name registration into prepare, right
after resolve_env, so the OAuth token rides the same forwarded-by-name
mechanism as secrets and interpolated entries. _run_agent_container
loses the special case entirely.

claude_bottle/backend/docker/backend.py

@@ -118,6 +118,11 @@ class DockerBottleBackend(BottleBackend["DockerBottlePlan", "DockerBottleCleanup
 
         proxy_plan = self._proxy.prepare(bottle, slug, stage_dir)
         resolved = resolve_env(manifest, spec.agent_name)
+        if spec.forward_oauth_token:
+            # Re-export under the name claude expects, then forward by-name
+            # so the value never lands on argv or in env_file.
+            os.environ["CLAUDE_CODE_OAUTH_TOKEN"] = os.environ["CLAUDE_BOTTLE_OAUTH_TOKEN"]
+            resolved.forwarded.append("CLAUDE_CODE_OAUTH_TOKEN")
         self._write_env_files(resolved, env_file, args_file)
         prompt_file.write_text(agent.prompt)
 
@@ -238,10 +243,6 @@ class DockerBottleBackend(BottleBackend["DockerBottlePlan", "DockerBottleCleanup
             i += 1
             docker_args.extend([flag, vname])
 
-        if plan.spec.forward_oauth_token:
-            os.environ["CLAUDE_CODE_OAUTH_TOKEN"] = os.environ["CLAUDE_BOTTLE_OAUTH_TOKEN"]
-            docker_args.extend(["-e", "CLAUDE_CODE_OAUTH_TOKEN"])
-
         docker_args.extend([plan.runtime_image, "sleep", "infinity"])
 
         info(f"starting container {plan.container_name} from {plan.runtime_image}")