fix(pipelock): auto-allow cred-proxy hostname when routes are declared
test / unit (pull_request) Successful in 13s
test / integration (pull_request) Successful in 22s

The agent's HTTP_PROXY env points at pipelock, so an
ANTHROPIC_BASE_URL like http://cred-proxy:9099/anthropic doesn't
short-circuit through Docker's embedded DNS — it gets forwarded
through pipelock, which then checks its api_allowlist for the
hostname `cred-proxy` and 403's because the name isn't there. The
agent surfaces the failure as "API Error: 403 blocked: domain not
in allowlist: cred-proxy" on Claude's first call.

Fix: pipelock_effective_allowlist auto-adds CRED_PROXY_HOSTNAME
when bottle.cred_proxy.routes is non-empty (i.e., when the
sidecar will actually be running and reachable).

Move CRED_PROXY_HOSTNAME from backend/docker/cred_proxy.py to the
backend-agnostic claude_bottle/cred_proxy.py so pipelock can
reference it without a layering violation; the docker concrete
imports it from the same place.
2026-05-24 13:25:21 -04:00
parent 32b62cbacc
commit f4452b391d
4 changed files with 42 additions and 11 deletions
+1 -7
@@ -10,6 +10,7 @@ import subprocess
from pathlib import Path
from ...cred_proxy import (
CRED_PROXY_HOSTNAME,
CredProxy,
CredProxyPlan,
cred_proxy_resolve_token_values,
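Review bot: The `CRED_PROXY_HOSTNAME,` entry added to the `from ...cred_proxy import (` list keeps the name reachable as an attribute of this docker module only as a side effect of the import. If other modules still read it from here, point them at the backend-agnostic module instead, or note next to the import that the re-export is intentional, so a later unused-import cleanup does not remove the name out from under them.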
@@ -30,13 +31,6 @@ CRED_PROXY_DOCKERFILE = "Dockerfile.cred-proxy"
# both reference it.
CRED_PROXY_PORT = int(os.environ.get("CLAUDE_BOTTLE_CRED_PROXY_PORT", "9099"))
# DNS name agents use to reach the sidecar. Attached as a
# --network-alias on the internal docker network so the URL the
# provisioner writes into the agent's environ is stable across
# bottles (the container name carries the per-bottle slug; the alias
# does not).
CRED_PROXY_HOSTNAME = "cred-proxy"
# In-container path the proxy server reads its route table from.
# Pre-created in Dockerfile.cred-proxy so `docker cp` can drop the
# file directly.
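Review bot: The comment block deleted together with `CRED_PROXY_HOSTNAME = "cred-proxy"` is the only place in these lines that explains the name is a `--network-alias` and why it stays stable across bottles; make sure that comment moves with the constant to its new module rather than being dropped. Since the commit message says the same constant now also feeds the pipelock allowlist, the relocated comment should say so, so that anyone changing the alias knows the allowlist entry changes with it.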