feat(launch): switch start to docker compose project per bottle

PRD 0018 chunk 3. Each instance is now one `docker compose` project:

  - launch.py renders the compose spec via chunk-1's
    bottle_plan_to_compose, writes it to state/<slug>/docker-compose.yml,
    `docker compose up -d`s, and (on teardown) dumps
    `docker compose logs --no-color --timestamps` to
    state/<slug>/compose.log before `docker compose down`.
  - Networks are pre-created (`docker network create --internal` +
    user-defined bridge) so pipelock yaml can know the internal CIDR
    before compose-up. Compose references them with `external: true`;
    the launch step's ExitStack still owns network removal.
  - Agent still runs `sleep infinity`; claude reaches it via
    `docker exec -it` exactly like before (per the PRD's resolved
    TTY question).
  - metadata.json grows a `compose_project` field so dashboard /
    cleanup tooling can derive compose invocations without
    re-deriving the slug.

Security follow-ups from chunk-2 review:

  (b) CA private keys: pipelock + egress ca-key.pem land at 0o600
      explicitly. The mitmproxy cert+key concat stays 0o644 because
      the egress container's uid-1000 user reads it through the
      bind mount; parent dir at 0o700 still restricts host-side
      reach.
  (c) Apply atomicity: egress_apply + pipelock_apply switch from
      `docker cp` to host-side write-temp-then-rename on the
      bind-mount source. POSIX rename is atomic on the same
      filesystem, so a sidecar SIGHUP racing the apply can't see
      a half-written routes.yaml / pipelock.yaml.

Per-sidecar Docker{Sidecar}.start/stop methods stay in place — the
integration test suite drives them directly to validate each image
in isolation, which is still useful. launch.py no longer calls
them; a follow-up chunk can prune if the integration tests move to
the compose lifecycle.

git-gate entrypoint's chmod 600 on the keyfile + known_hosts now
tolerates EROFS (`|| true`) — the host SSH key is already 0600
(SSH refuses to load otherwise), so the inside-container chmod
was already a no-op in the docker-cp path and now just needs to
not error on the read-only bind mount.

422 unit tests pass; supervise integration test passes; end-to-end
`./cli.py start implementer` brings up the project, attaches,
captures full merged logs on teardown, and reaps all containers +
networks.

claude_bottle/backend/docker/pipelock_apply.py

@@ -24,9 +24,17 @@ from pathlib import Path
 
 from ...pipelock import pipelock_render_yaml
 from ...yaml_subset import parse_yaml_subset
+from .bottle_state import pipelock_state_dir
 from .pipelock import pipelock_container_name
 
 
+def _pipelock_yaml_host_path(slug: str) -> Path:
+    """The bind-mount source for the pipelock sidecar's
+    pipelock.yaml — matches what pipelock.prepare wrote at chunk-2
+    paths."""
+    return pipelock_state_dir(slug) / "pipelock.yaml"
+
+
 PIPELOCK_YAML_IN_CONTAINER = "/etc/pipelock.yaml"
 
 # Allowlist proposals are one-hostname-per-line. Blank lines and
@@ -141,19 +149,26 @@ def apply_allowlist_change(
     cfg["api_allowlist"] = new_hosts
     rendered = pipelock_render_yaml(cfg)
 
-    fd, tmp_path = tempfile.mkstemp(prefix="cb-pipelock-yaml.", suffix=".yaml")
+    # PRD 0018 chunk 3 + security item (c): pipelock.yaml is
+    # bind-mounted into the container, so the write target is the
+    # host path the sidecar reads. POSIX rename is atomic on the
+    # same filesystem, which matters less here than for the
+    # SIGHUP-reload egress case (pipelock fully restarts and
+    # re-reads on boot), but the pattern is uniform across both
+    # apply paths.
+    target = _pipelock_yaml_host_path(slug)
+    target.parent.mkdir(parents=True, exist_ok=True)
+    fd, tmp_path_str = tempfile.mkstemp(
+        prefix=".pipelock.", suffix=".yaml.tmp", dir=str(target.parent),
+    )
+    tmp_path = Path(tmp_path_str)
     try:
         with os.fdopen(fd, "w") as f:
             f.write(rendered)
-        cp = subprocess.run(
-            ["docker", "cp", tmp_path, f"{container}:{PIPELOCK_YAML_IN_CONTAINER}"],
-            capture_output=True, text=True, check=False,
-        )
-        if cp.returncode != 0:
-            raise PipelockApplyError(
-                f"failed to copy pipelock.yaml into {container}: "
-                f"{(cp.stderr or '').strip()}"
-            )
+        # pipelock runs as root in its distroless image — any mode
+        # is fine — but 0o600 matches what prepare wrote.
+        os.chmod(tmp_path, 0o600)
+        os.replace(tmp_path, target)
         restart = subprocess.run(
             ["docker", "restart", container],
             capture_output=True, text=True, check=False,
@@ -163,11 +178,12 @@ def apply_allowlist_change(
                 f"failed to restart {container}: "
                 f"{(restart.stderr or '').strip()}"
             )
-    finally:
+    except BaseException:
         try:
-            Path(tmp_path).unlink()
+            tmp_path.unlink()
         except OSError:
             pass
+        raise
 
     return before, after