refactor(backend): move AGENT_CA path/bundle constants to shared util

The two Debian-family CA-layout constants lived in
docker/provision/ca.py, which forced the smolmachines backend to
import them cross-backend (smolmachines -> docker). Move them into
the shared backend/util.py next to select_ca_cert; docker, compose,
and smolmachines now all import from there. No behavior change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

claude_bottle/backend/docker/compose.py

@@ -59,6 +59,7 @@ from ...supervise import (
     SUPERVISE_PORT,
 )
 from ...util import expand_tilde
+from ..util import AGENT_CA_BUNDLE, AGENT_CA_PATH
 from .bottle_plan import DockerBottlePlan
 from .egress import (
     EGRESS_CA_IN_CONTAINER,
@@ -75,7 +76,6 @@ from .pipelock import (
     PIPELOCK_CA_KEY_IN_CONTAINER,
     PIPELOCK_PORT,
 )
-from .provision.ca import AGENT_CA_BUNDLE, AGENT_CA_PATH
 from .sidecar_bundle import (
     SIDECAR_BUNDLE_DOCKERFILE,
     SIDECAR_BUNDLE_IMAGE,

claude_bottle/backend/docker/provision/ca.py

@@ -33,17 +33,10 @@ from __future__ import annotations
 
 import subprocess
 
-from ...util import log_ca_fingerprint, select_ca_cert
+from ...util import AGENT_CA_PATH, log_ca_fingerprint, select_ca_cert
 from ..bottle_plan import DockerBottlePlan
 
 
-# Debian-family path for sources that `update-ca-certificates` reads.
-# Bundle path is what the command rebuilds and what every standard
-# TLS consumer in the image reads.
-AGENT_CA_PATH = "/usr/local/share/ca-certificates/claude-bottle-mitm-ca.crt"
-AGENT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
-
-
 def provision_ca(plan: DockerBottlePlan, target: str) -> None:
     """Copy the agent-facing CA cert into the agent, rebuild the
     trust bundle, emit a one-line fingerprint log. Called from

claude_bottle/backend/smolmachines/provision/ca.py

@@ -16,8 +16,12 @@ flag exists; the VM init is root), so we don't need the explicit
 from __future__ import annotations
 
 from ....log import die
-from ...docker.provision.ca import AGENT_CA_BUNDLE, AGENT_CA_PATH
-from ...util import log_ca_fingerprint, select_ca_cert
+from ...util import (
+    AGENT_CA_BUNDLE,
+    AGENT_CA_PATH,
+    log_ca_fingerprint,
+    select_ca_cert,
+)
 from .. import smolvm as _smolvm
 from ..bottle_plan import SmolmachinesBottlePlan
 
@@ -63,7 +67,6 @@ def provision_ca(plan: SmolmachinesBottlePlan, target: str) -> None:
 
 
 # Re-exported for the launch/provision_ca caller + tests. The path
-# constants come from the docker module because they're tied to
-# Debian's `update-ca-certificates` layout — same in both backends
-# since both guest images are Debian-family.
+# constants live in the shared `backend.util` (Debian's
+# `update-ca-certificates` layout is the same in both backends).
 __all__ = ["AGENT_CA_BUNDLE", "AGENT_CA_PATH", "provision_ca"]

claude_bottle/backend/util.py

@@ -17,6 +17,15 @@ if TYPE_CHECKING:
     from ..pipelock import PipelockProxyPlan
 
 
+# Debian-family CA layout, shared by every backend (all guest images
+# are Debian-family). AGENT_CA_PATH is the source path that
+# `update-ca-certificates` reads; AGENT_CA_BUNDLE is the bundle it
+# rebuilds, which curl, Python `ssl`, and OpenSSL-based tools all read
+# by default.
+AGENT_CA_PATH = "/usr/local/share/ca-certificates/claude-bottle-mitm-ca.crt"
+AGENT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
+
+
 def host_skill_dir(name: str) -> str:
     """Return the host-side path for a named skill:
     `$HOME/.claude/skills/<name>`. Dies if HOME is unset."""