fix(egress-proxy): force traffic through pipelock + block unallowlisted hosts

Two issues stopping the bottle's egress allowlist from being
enforced:

1. mitmproxy was bypassing pipelock. We set HTTPS_PROXY=pipelock
   in the egress-proxy container's env, but mitmproxy is a proxy
   *server* — it does NOT honor HTTP(S)_PROXY env vars on its
   outbound side the way HTTP-client libraries do. All
   post-MITM traffic was going direct to the upstream, never
   touching pipelock's hostname allowlist or DLP scanner.

   Fix: use mitmproxy's `--mode upstream:URL` flag. The Dockerfile
   entrypoint now reads a new `EGRESS_PROXY_UPSTREAM_PROXY` env
   (set by `DockerEgressProxy.start` to the pipelock URL when
   pipelock is in the topology) and switches mitmdump to
   upstream-proxy mode. Standalone runs of the image without the
   env still get `--mode regular@9099` direct-to-upstream — useful
   for unit-test boots. Confirmed in the boot log: "HTTP(S) proxy
   (upstream mode) listening at *:9099."

2. egress-proxy was forwarding unrecognized hosts. The addon's
   `decide()` returned `Decision(action="forward")` whenever no
   route matched the request host, deferring to pipelock to gate.
   With #1 broken pipelock wasn't gating either; even with #1
   fixed, defense-in-depth wants both layers enforcing.

   Fix: no-route-match → 403 with a "host not in allowlist"
   reason. The egress allowlist is now strictly the set of hosts
   declared in `bottle.egress_proxy.routes`; bare-pass routes
   (host with no auth, no path_allowlist) cover the passthrough
   case for hosts that just need reach. path_allowlist enforcement
   on matched routes is unchanged.

Test updated: `test_no_matching_route_forwards` →
`test_no_matching_route_blocks`. 364 unit tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/backend/docker/egress_proxy.py

@@ -229,14 +229,25 @@ class DockerEgressProxy(EgressProxy):
             "--network-alias", EGRESS_PROXY_HOSTNAME,
         ]
         if route_via_pipelock:
-            # Route egress-proxy's outbound HTTPS through pipelock so
-            # the egress allowlist + DLP body scanner apply to its
-            # traffic on the egress-proxy → upstream leg. Pipelock
-            # MITMs each handshake with its per-bottle CA, which is
-            # docker-cp'd in below and pointed to via the
-            # EGRESS_PROXY_UPSTREAM_CA env (entrypoint conditionally
-            # adds the matching --set flag).
+            # Route egress-proxy's outbound traffic through pipelock
+            # so the egress allowlist + DLP body scanner apply to
+            # the egress-proxy → upstream leg. Pipelock MITMs each
+            # handshake with its per-bottle CA, which is docker-cp'd
+            # in below and pointed to via the EGRESS_PROXY_UPSTREAM_CA
+            # env (entrypoint conditionally adds the matching --set
+            # flag).
+            #
+            # EGRESS_PROXY_UPSTREAM_PROXY is the mechanism: mitmproxy
+            # does NOT honor HTTPS_PROXY env vars on its outbound
+            # side (it's a proxy server, not a client). The
+            # entrypoint reads this env and switches mitmdump to
+            # `--mode upstream:<URL>` so all post-MITM traffic
+            # CONNECTs to pipelock instead of going direct. The
+            # HTTPS/HTTP_PROXY env vars below are kept for any
+            # bundled client libraries (mitmproxy plugin requests,
+            # etc.) that might honor them — harmless if ignored.
             create_args.extend([
+                "-e", f"EGRESS_PROXY_UPSTREAM_PROXY={plan.pipelock_proxy_url}",
                 "-e", f"HTTPS_PROXY={plan.pipelock_proxy_url}",
                 "-e", f"HTTP_PROXY={plan.pipelock_proxy_url}",
                 "-e", "NO_PROXY=localhost,127.0.0.1",

claude_bottle/egress_proxy_addon_core.py

@@ -190,20 +190,30 @@ def decide(
     """Pure decision: given a route table + request host + path + env,
     return what the addon should do with the request.
 
-    - No matching route → forward unchanged. Pipelock will
-      hostname-gate it downstream; egress-proxy does not need to
-      decide on hosts it doesn't recognise.
+    - No matching route → BLOCK. The route table is the bottle's
+      egress allowlist; defense-in-depth complements pipelock's
+      hostname gate on the downstream leg. A bottle that wants a
+      host reachable from the agent must declare a route for it
+      (bare-pass route — no `auth`, no `path_allowlist` — is fine
+      for hosts that just need passthrough).
     - Matching route with `path_allowlist` set, request path doesn't
       start with any of the allowed prefixes → block with a clear
       reason.
     - Matching route with an auth pair → forward + inject
       Authorization. Token comes from `environ[route.token_env]`;
-      missing/empty values 500 (route declared auth but the secret
+      missing/empty values block (route declared auth but the secret
       isn't here — operator misconfig).
     """
     route = match_route(routes, request_host)
     if route is None:
-        return Decision(action="forward")
+        return Decision(
+            action="block",
+            reason=(
+                f"egress-proxy: host {request_host!r} is not in the "
+                f"bottle's egress_proxy.routes allowlist. Declare a "
+                f"route for it or remove the request."
+            ),
+        )
 
     if route.path_allowlist:
         if not any(request_path.startswith(p) for p in route.path_allowlist):