refactor(state): write prepare-time scratch files under state/<slug>/

PRD 0018 chunk 2. Each sidecar's prepare-time output (pipelock yaml +
CAs, egress routes.yaml + CAs, git-gate entrypoint + hooks, supervise
current-config, agent env + prompt) now lands in
~/.claude-bottle/state/<slug>/<service>/ instead of an ephemeral
mktemp dir. The state subdirs become the stable bind-mount sources
that chunk 3's docker compose project will reference.

The SDK launch path is unchanged — `docker cp` still copies from the
plan-held paths into containers, just from new locations. start.py's
session-end cleanup is now in `finally`, which also reaps state dirs
left behind by dry-run / preflight-N / prepare-exception paths
(previously only the post-launch path settled state).

claude_bottle/backend/docker/launch.py

@@ -24,6 +24,7 @@ from . import network as network_mod
 from . import util as docker_mod
 from .bottle import DockerBottle
 from .bottle_plan import DockerBottlePlan
+from .bottle_state import egress_state_dir, pipelock_state_dir
 from .egress import (
     DockerEgress,
     egress_tls_init,
@@ -105,9 +106,13 @@ def launch(
         # the .start steps docker-cp the files in. Private keys never
         # leave the host stage dir, which start.py's outer finally
         # `shutil.rmtree`s after the sidecars are torn down.
-        ca_cert_host, ca_key_host = pipelock_tls_init(plan.stage_dir)
+        # PRD 0018 chunk 2: CAs live under the bottle's state subdirs
+        # so chunk 3's compose bind-mounts have stable sources. The
+        # subdirs were created by prepare; tls_init makes the
+        # `pipelock-ca/` and `egress-ca/` children under them.
+        ca_cert_host, ca_key_host = pipelock_tls_init(pipelock_state_dir(plan.slug))
         egress_ca_host, egress_ca_cert_only = egress_tls_init(
-            plan.stage_dir,
+            egress_state_dir(plan.slug),
         )
 
         # Re-render the pipelock yaml with the SSRF allowlist now that