refactor(backend): lift shared CA cert select + fingerprint helpers

Both backends' provision_ca duplicated _select_ca_cert and the
SHA-256 fingerprint computation verbatim. Lift them into the shared
backend/util.py as select_ca_cert + log_ca_fingerprint; docker and
smolmachines now call the shared helpers. No behavior change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

bot_bottle/backend/smolmachines/provision/ca.py

@@ -15,49 +15,18 @@ flag exists; the VM init is root), so we don't need the explicit
 
 from __future__ import annotations
 
-import hashlib
-import ssl
-from pathlib import Path
-
-from ....log import die, info
+from ....log import die
 from ...docker.provision.ca import AGENT_CA_BUNDLE, AGENT_CA_PATH
+from ...util import log_ca_fingerprint, select_ca_cert
 from .. import smolvm as _smolvm
 from ..bottle_plan import SmolmachinesBottlePlan
 
 
-def _select_ca_cert(plan: SmolmachinesBottlePlan) -> tuple[Path, str]:
-    """Pick the CA cert (and a short label for the log line) that
-    matches the proxy the agent's HTTP_PROXY points at. Egress-proxy
-    wins when the bottle declares any routes; else pipelock.
-
-    The launch step minted both CAs (pipelock always; egress when
-    routes are declared) and stored their host paths back into the
-    inner Plans via `dataclasses.replace`. If those paths are empty
-    here something has gone wrong in launch's bringup."""
-    if plan.egress_plan.routes:
-        cert = plan.egress_plan.mitmproxy_ca_cert_only_host_path
-        if cert == Path() or not cert.is_file():
-            die(
-                f"egress CA cert missing at {cert or '(empty)'}; "
-                f"launch must have called egress_tls_init and "
-                f"re-bound the plan before provision"
-            )
-        return cert, "egress"
-    cert = plan.proxy_plan.ca_cert_host_path
-    if not cert or not cert.is_file():
-        die(
-            f"pipelock CA cert missing at {cert or '(empty)'}; "
-            f"launch must have called pipelock_tls_init and re-bound "
-            f"the plan before provision"
-        )
-    return cert, "pipelock"
-
-
 def provision_ca(plan: SmolmachinesBottlePlan, target: str) -> None:
     """Copy the agent-facing CA cert into the guest, rebuild the
     trust bundle, emit a one-line fingerprint log. Called from
     `BottleBackend.provision` after the smolvm guest is up."""
-    cert_host_path, label = _select_ca_cert(plan)
+    cert_host_path, label = select_ca_cert(plan.egress_plan, plan.proxy_plan)
 
     _smolvm.machine_cp(str(cert_host_path), f"{target}:{AGENT_CA_PATH}")
     # Mode 0644 — readable to non-root tools in the guest.
@@ -90,11 +59,7 @@ def provision_ca(plan: SmolmachinesBottlePlan, target: str) -> None:
             f"stderr={(r.stderr or '').strip()!r}"
         )
 
-    # Stdlib SHA-256 of the cert's DER bytes — the standard
-    # fingerprint form. Never the private key.
-    der = ssl.PEM_cert_to_DER_cert(cert_host_path.read_text())
-    fingerprint = hashlib.sha256(der).hexdigest()
-    info(f"{label} ca fingerprint: sha256:{fingerprint[:32]}...")
+    log_ca_fingerprint(cert_host_path, label)
 
 
 # Re-exported for the launch/provision_ca caller + tests. The path