fix(pipelock): auto-allow cred-proxy hostname when routes are declared
test / unit (pull_request) Successful in 13s
test / integration (pull_request) Successful in 22s

The agent's HTTP_PROXY env points at pipelock, so an
ANTHROPIC_BASE_URL like http://cred-proxy:9099/anthropic doesn't
short-circuit through Docker's embedded DNS — it gets forwarded
through pipelock, which then checks its api_allowlist for the
hostname `cred-proxy` and 403's because the name isn't there. The
agent surfaces the failure as "API Error: 403 blocked: domain not
in allowlist: cred-proxy" on Claude's first call.

Fix: pipelock_effective_allowlist auto-adds CRED_PROXY_HOSTNAME
when bottle.cred_proxy.routes is non-empty (i.e., when the
sidecar will actually be running and reachable).

Move CRED_PROXY_HOSTNAME from backend/docker/cred_proxy.py to the
backend-agnostic claude_bottle/cred_proxy.py so pipelock can
reference it without a layering violation; the docker concrete
imports it from the same place.
2026-05-24 13:25:21 -04:00
parent 32b62cbacc
commit f4452b391d
4 changed files with 42 additions and 11 deletions
@@ -31,6 +31,16 @@ from .log import die
from .manifest import Bottle
# DNS name agents use to reach the per-bottle cred-proxy sidecar.
# Backend-agnostic by contract: every concrete backend (Docker today,
# others later) attaches this name to its sidecar on the bottle's
# internal network so the agent's manifest-driven URLs (`http://
# cred-proxy:9099/...`) work without a backend-specific hostname.
# pipelock's allowlist also references this when adding the
# auto-allow entry for cred-proxy traffic from the agent.
CRED_PROXY_HOSTNAME = "cred-proxy"
@dataclass(frozen=True)
class CredProxyRoute:
"""One resolved route on the cred-proxy sidecar. Maps a path
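Review bot: The comment above `CRED_PROXY_HOSTNAME` says pipelock's allowlist references this name for the auto-allow entry, but it leaves out the condition the commit message gives (only when `bottle.cred_proxy.routes` is non-empty), and the constant carries only the hostname while port 9099 appears just in the comment's example URL. Suggest stating the routes condition here and saying whether the allowlist entry is meant to cover the host on any port or only 9099, so a reader of this file can tell how wide the proxy exemption is. The example URL is also split across two comment lines (`http://` then `cred-proxy:9099/...`), which defeats a grep for the full URL; keeping it on one line would help.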
@@ -247,6 +257,7 @@ class CredProxy(ABC):
__all__ = [
"CRED_PROXY_HOSTNAME",
"CredProxy",
"CredProxyPlan",
"CredProxyRoute",