refactor(backend): lift shared CA cert select + fingerprint helpers

Both backends' provision_ca duplicated _select_ca_cert and the
SHA-256 fingerprint computation verbatim. Lift them into the shared
backend/util.py as select_ca_cert + log_ca_fingerprint; docker and
smolmachines now call the shared helpers. No behavior change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

bot_bottle/backend/docker/provision/ca.py

@@ -31,12 +31,9 @@ stage dir; nothing in the agent ever sees it."""
 
 from __future__ import annotations
 
-import hashlib
-import ssl
 import subprocess
-from pathlib import Path
 
-from ....log import info
+from ...util import log_ca_fingerprint, select_ca_cert
 from ..bottle_plan import DockerBottlePlan
 
 
@@ -47,38 +44,12 @@ AGENT_CA_PATH = "/usr/local/share/ca-certificates/bot-bottle-mitm-ca.crt"
 AGENT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
 
 
-def _select_ca_cert(plan: DockerBottlePlan) -> tuple[Path, str]:
-    """Pick the CA cert (and a short label for the log line) that
-    matches the proxy the agent's HTTP_PROXY points at. Egress-proxy
-    wins when the bottle declares any routes (it sits in front of
-    pipelock); else pipelock."""
-    if plan.egress_plan.routes:
-        cert = plan.egress_plan.mitmproxy_ca_cert_only_host_path
-        if cert == Path() or not cert.is_file():
-            from ....log import die
-            die(
-                f"egress CA cert missing at {cert or '(empty)'}; "
-                f"launch must have called egress_tls_init and "
-                f"re-bound the plan before provision"
-            )
-        return cert, "egress"
-    cert = plan.proxy_plan.ca_cert_host_path
-    if not cert or not cert.is_file():
-        from ....log import die
-        die(
-            f"pipelock CA cert missing at {cert or '(empty)'}; "
-            f"launch must have called pipelock_tls_init and re-bound "
-            f"the plan before provision"
-        )
-    return cert, "pipelock"
-
-
 def provision_ca(plan: DockerBottlePlan, target: str) -> None:
     """Copy the agent-facing CA cert into the agent, rebuild the
     trust bundle, emit a one-line fingerprint log. Called from
     `BottleBackend.provision` after the agent container is up."""
     container = target
-    cert_host_path, label = _select_ca_cert(plan)
+    cert_host_path, label = select_ca_cert(plan.egress_plan, plan.proxy_plan)
 
     subprocess.run(
         ["docker", "cp", str(cert_host_path), f"{container}:{AGENT_CA_PATH}"],
@@ -96,8 +67,4 @@ def provision_ca(plan: DockerBottlePlan, target: str) -> None:
         check=True,
     )
 
-    # Stdlib SHA-256 of the cert's DER bytes — the standard
-    # fingerprint form. Never the private key.
-    der = ssl.PEM_cert_to_DER_cert(cert_host_path.read_text())
-    fingerprint = hashlib.sha256(der).hexdigest()
-    info(f"{label} ca fingerprint: sha256:{fingerprint[:32]}...")
+    log_ca_fingerprint(cert_host_path, label)