feat(egress-proxy): block HTTPS git push + restore role provisioner

Two related fixes on top of PR #29's chunk-2 cutover:

1. Universal HTTPS git-push block in the egress-proxy addon
   (`is_git_push_request` in egress_proxy_addon_core, called from the
   mitmproxy request hook before route matching). 403s any
   `/git-receive-pack` or `info/refs?service=git-receive-pack` —
   defense in depth so git-gate (PRD 0008) remains the only outbound
   path for writes, gitleaks-scanned by its pre-receive. Replicates
   cred-proxy's `is_git_push_request` behavior.

2. Restored agent-side role provisioner. Brings back `Role` on
   EgressProxyRoute (manifest + runtime) with three roles —
   `anthropic-base-url`, `npm-registry`, `tea-login`. Singleton
   constraint on the first two carries over from cred-proxy.
   `git-insteadof` is intentionally absent (option 1 above handles
   the push-bypass concern, and the canonical-URL rewrite has no
   function when egress-proxy is on HTTPS_PROXY).

   The provisioner (`backend/docker/provision/egress_proxy.py`):
     - `~/.npmrc` registry= the canonical upstream URL.
     - `~/.config/tea/config.yml` logins[] entry per tea-login route.
     - `ANTHROPIC_BASE_URL` env set in prepare.py based on the
       anthropic-base-url role (was a token_ref="CLAUDE_CODE_OAUTH_TOKEN"
       check in this PR's earlier draft — the role marker is cleaner
       and matches the cred-proxy precedent the user wants kept).

   All three dotfile values point at canonical upstream URLs; the
   agent's HTTPS_PROXY=egress-proxy routes them through the proxy
   automatically.

Tests: 11 new role-validation tests, 11 new provisioner-render tests,
the chunk-1 manifest fixture exercise role=anthropic-base-url. 400
tests pass (was 376).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_bottle/backend/docker/prepare.py

@@ -175,21 +175,31 @@ def resolve_plan(
     # never lands on argv or in env_file) goes into one dict. Nothing
     # mutates the host os.environ.
     forwarded_env: dict[str, str] = dict(resolved.forwarded)
-    # When the bottle declares an egress-proxy route for the Anthropic
-    # OAuth flow, claude-code's outbound Authorization gets stripped +
-    # re-injected by egress-proxy. The agent's environ still needs
-    # *something* claude-code recognises as a credential or it refuses
-    # to start; ship a non-secret placeholder. The placeholder is not
-    # any real `auth.token_ref` value, so leaking it would tell an
-    # attacker only that egress-proxy is in front.
-    has_anthropic_auth = any(
-        r.token_ref == "CLAUDE_CODE_OAUTH_TOKEN"
-        for r in egress_proxy_plan.routes
+    # Find the (at most one) egress-proxy route claiming the
+    # anthropic-base-url role. Manifest validation enforces the
+    # singleton constraint. The role flips on claude-code's
+    # placeholder OAuth token + telemetry-off env vars and pins
+    # ANTHROPIC_BASE_URL at the route's host. Egress-proxy then
+    # strips inbound Authorization on every request and injects
+    # the real one from the route's `auth.token_ref` env var.
+    anthropic_route = next(
+        (r for r in egress_proxy_plan.routes if "anthropic-base-url" in r.roles),
+        None,
     )
-    if has_anthropic_auth:
+    if anthropic_route is not None:
+        # Point claude-code at the canonical Anthropic URL. HTTPS_PROXY
+        # routes the request through egress-proxy, which injects the
+        # real OAuth header from the host env named by the route's
+        # auth.token_ref.
+        forwarded_env["ANTHROPIC_BASE_URL"] = f"https://{anthropic_route.host}"
+        # claude-code refuses to start without *some* credential in
+        # its env. The proxy strips inbound Authorization on every
+        # request and injects the real one — so a non-secret
+        # placeholder is sufficient. The agent cannot exfiltrate
+        # this string because it carries no meaning to upstream.
         forwarded_env["CLAUDE_CODE_OAUTH_TOKEN"] = "egress-proxy-placeholder"
         # Belt-and-braces: turn off telemetry endpoints (statsig,
-        # error reporting) that egress-proxy can't gate by auth.
+        # error reporting) that don't route through ANTHROPIC_BASE_URL.
         forwarded_env.setdefault("CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC", "1")
         forwarded_env.setdefault("DISABLE_ERROR_REPORTING", "1")
     _write_env_file(resolved, env_file)