docs: replace stale .sh paths with claude_bottle/*.py equivalents

Cleans up references to the pre-refactor bash layout (cli.sh,
lib/*.sh, scripts/*.sh) across README, Dockerfile, the pipelock PRD,
and research notes. Refreshes line numbers in the oauth-token note
against the current cli/start.py.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs/research/host-dispatch-to-container-agents.md

@@ -34,7 +34,7 @@ Three pieces in combination give a 100% guarantee:
    - `get_status(job_id)` — check running/done
    - `get_output(job_id)` — read results
 
-3. **Non-interactive container run mode** — `cli.sh run <agent> "<task>"` passes the task to `claude --print` inside the container and captures output. Currently `cli.sh start` is interactive only; this mode does not yet exist.
+3. **Non-interactive container run mode** — `cli.py run <agent> "<task>"` passes the task to `claude --print` inside the container and captures output. Currently `cli.py start` is interactive only; this mode does not yet exist.
 
 ## Proposal
 
@@ -42,7 +42,7 @@ Build host-dispatch-to-container in two deliverables:
 
 **Deliverable 1: Non-interactive run mode for claude-bottle**
 
-Extend `cli.sh` with a `run <agent> <task>` subcommand. Starts the container, writes the task prompt to a file inside it (same `docker cp` pattern used for `--append-system-prompt-file`), invokes `claude --print` with the prompt, streams stdout back to the host, and exits when Claude finishes. Results committed and pushed from inside the container as usual.
+Extend `cli.py` with a `run <agent> <task>` subcommand. Starts the container, writes the task prompt to a file inside it (same `docker cp` pattern used for `--append-system-prompt-file`), invokes `claude --print` with the prompt, streams stdout back to the host, and exits when Claude finishes. Results committed and pushed from inside the container as usual.
 
 **Deliverable 2: MCP server wrapping claude-bottle**
 

docs/research/network-egress-guard.md

@@ -234,7 +234,7 @@ which does not work on macOS Desktop.
 
 Moderate. The script itself is well-understood and can be lifted nearly
 verbatim from Anthropic's devcontainer repo. The integration points in
-`cli.sh` are:
+`cli.py` are:
 
 1. Pass `--cap-add NET_ADMIN --cap-add NET_RAW` in the `docker run` invocation.
 2. `docker cp` an `init-firewall.sh` script into the container (alongside

docs/research/oauth-token-exposure-to-claude.md

@@ -20,11 +20,12 @@ that does not route through `ANTHROPIC_BASE_URL` at all.
 
 ## How the token reaches claude today
 
-1. `cli.sh:526–528` — host's `CLAUDE_BOTTLE_OAUTH_TOKEN` is exported into
-   the launcher process as `CLAUDE_CODE_OAUTH_TOKEN`, then forwarded with
+1. `claude_bottle/cli/start.py` (around line 237–238) — host's
+   `CLAUDE_BOTTLE_OAUTH_TOKEN` is exported into the launcher process as
+   `CLAUDE_CODE_OAUTH_TOKEN`, then forwarded with
    `docker run -e CLAUDE_CODE_OAUTH_TOKEN` (no `=value`, so the value
    never lands on argv — good).
-2. `cli.sh:603–605` — claude is launched via
+2. `claude_bottle/cli/start.py` (around line 318–325) — claude is launched via
    `docker exec -it <container> claude …`, which inherits the container
    PID 1's env, including the token.
 3. claude runs as `node` (UID 1000) with `--dangerously-skip-permissions`.

docs/research/pipelock-assessment.md

@@ -273,7 +273,7 @@ reach, and avoids the `--best-effort` issue on macOS Docker Desktop.
 The claude-bottle manifest model would need one new piece of plumbing: a
 per-agent pipelock ACL YAML generated from the manifest's `allowlist`
 and `ssh` entries, analogous to what the smokescreen section of
-`network-egress-guard.md` already sketches. The `cli.sh` changes required
+`network-egress-guard.md` already sketches. The `cli.py` changes required
 are the same pattern: `docker network create --internal`, `docker run` for
 the proxy container, then `docker run` for the agent with `HTTPS_PROXY`
 injected.
@@ -408,7 +408,7 @@ The reasoning:
    subdomain-entropy DNS exfil detection, MCP scanning, and request
    redaction. The integration shape for claude-bottle is identical: a
    separate container on an internal Docker network, with the agent's
-   `HTTPS_PROXY` pointing at it. The `cli.sh` changes are the same pattern.
+   `HTTPS_PROXY` pointing at it. The `cli.py` changes are the same pattern.
 
 2. **The DLP layer is the most direct answer to the content-tripwire gap.**
    The `secret-exfil-tripwire-encodings.md` note concluded that no