fix(egress-proxy-apply): correct misleading "egress-proxy updated" wording

`_mirror_hosts_to_pipelock` runs BEFORE the egress-proxy write in
`apply_routes_change` — if it raises, egress-proxy is left intact.
The error message claimed the opposite ("egress-proxy routes
updated but pipelock allowlist mirror failed"), pointing the
operator at the wrong half-state.

Reword to make the actual state clear: pipelock failed,
egress-proxy NOT updated, fix pipelock manually with
`pipelock edit <bottle>` then retry.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/backend/docker/egress_proxy_apply.py

@@ -102,11 +102,14 @@ def _mirror_hosts_to_pipelock(slug: str, hosts: list[str]) -> None:
             return  # nothing to add
         apply_allowlist_change(slug, render_allowlist_content(merged))
     except PipelockApplyError as e:
+        # Mirror runs BEFORE the egress-proxy write, so egress-proxy
+        # is unchanged on this failure path. Report it as a
+        # pipelock-side problem so the operator looks in the right
+        # place; their `pipelock edit` flow can repair manually.
         raise EgressProxyApplyError(
-            f"egress-proxy routes updated but pipelock allowlist "
-            f"mirror failed: {e}. The request will 403 at pipelock "
-            f"until pipelock's allowlist is refreshed; retry the "
-            f"proposal or edit pipelock's allowlist by hand."
+            f"pipelock allowlist mirror failed (egress-proxy NOT "
+            f"updated): {e}. Fix pipelock's allowlist manually with "
+            f"`pipelock edit <bottle>` then retry the proposal."
         ) from e