feat(egress-proxy): block HTTPS git push + restore role provisioner

Two related fixes on top of PR #29's chunk-2 cutover:

1. Universal HTTPS git-push block in the egress-proxy addon
   (`is_git_push_request` in egress_proxy_addon_core, called from the
   mitmproxy request hook before route matching). 403s any
   `/git-receive-pack` or `info/refs?service=git-receive-pack` —
   defense in depth so git-gate (PRD 0008) remains the only outbound
   path for writes, gitleaks-scanned by its pre-receive. Replicates
   cred-proxy's `is_git_push_request` behavior.

2. Restored agent-side role provisioner. Brings back `Role` on
   EgressProxyRoute (manifest + runtime) with three roles —
   `anthropic-base-url`, `npm-registry`, `tea-login`. Singleton
   constraint on the first two carries over from cred-proxy.
   `git-insteadof` is intentionally absent (option 1 above handles
   the push-bypass concern, and the canonical-URL rewrite has no
   function when egress-proxy is on HTTPS_PROXY).

   The provisioner (`backend/docker/provision/egress_proxy.py`):
     - `~/.npmrc` registry= the canonical upstream URL.
     - `~/.config/tea/config.yml` logins[] entry per tea-login route.
     - `ANTHROPIC_BASE_URL` env set in prepare.py based on the
       anthropic-base-url role (was a token_ref="CLAUDE_CODE_OAUTH_TOKEN"
       check in this PR's earlier draft — the role marker is cleaner
       and matches the cred-proxy precedent the user wants kept).

   All three dotfile values point at canonical upstream URLs; the
   agent's HTTPS_PROXY=egress-proxy routes them through the proxy
   automatically.

Tests: 11 new role-validation tests, 11 new provisioner-render tests,
the chunk-1 manifest fixture exercise role=anthropic-base-url. 400
tests pass (was 376).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

tests/unit/test_manifest_egress_proxy.py

@@ -128,6 +128,64 @@ class TestAuth(unittest.TestCase):
             }])
 
 
+class TestRole(unittest.TestCase):
+    def test_omitted_means_no_roles(self):
+        b = _bottle([{"host": "x.example"}])
+        self.assertEqual((), b.egress_proxy.routes[0].Role)
+
+    def test_string_normalizes_to_tuple(self):
+        b = _bottle([{"host": "api.anthropic.com",
+                      "role": "anthropic-base-url",
+                      "auth": {"scheme": "Bearer", "token_ref": "T"}}])
+        self.assertEqual(("anthropic-base-url",),
+                         b.egress_proxy.routes[0].Role)
+
+    def test_list_supported(self):
+        b = _bottle([{"host": "registry.npmjs.org",
+                      "role": ["npm-registry"]}])
+        self.assertEqual(("npm-registry",), b.egress_proxy.routes[0].Role)
+
+    def test_unknown_role_rejected(self):
+        with self.assertRaises(Die):
+            _bottle([{"host": "x.example", "role": "git-insteadof"}])
+
+    def test_non_string_role_rejected(self):
+        with self.assertRaises(Die):
+            _bottle([{"host": "x.example", "role": 42}])
+
+    def test_list_with_non_string_item_rejected(self):
+        with self.assertRaises(Die):
+            _bottle([{"host": "x.example", "role": ["npm-registry", 42]}])
+
+    def test_singleton_anthropic_base_url_enforced(self):
+        with self.assertRaises(Die):
+            _bottle([
+                {"host": "api.anthropic.com", "role": "anthropic-base-url",
+                 "auth": {"scheme": "Bearer", "token_ref": "T1"}},
+                {"host": "api2.anthropic.example",
+                 "role": "anthropic-base-url",
+                 "auth": {"scheme": "Bearer", "token_ref": "T2"}},
+            ])
+
+    def test_singleton_npm_registry_enforced(self):
+        with self.assertRaises(Die):
+            _bottle([
+                {"host": "registry.npmjs.org", "role": "npm-registry"},
+                {"host": "npm.example", "role": "npm-registry"},
+            ])
+
+    def test_tea_login_is_not_singleton(self):
+        # Multiple Gitea instances on one bottle is a legitimate
+        # dev setup; tea-login lays one logins[] entry per route.
+        b = _bottle([
+            {"host": "gitea.example", "role": "tea-login",
+             "auth": {"scheme": "token", "token_ref": "T1"}},
+            {"host": "other-gitea.example", "role": "tea-login",
+             "auth": {"scheme": "token", "token_ref": "T2"}},
+        ])
+        self.assertEqual(2, len(b.egress_proxy.routes))
+
+
 class TestRouteValidation(unittest.TestCase):
     def test_duplicate_hosts_rejected(self):
         # Routes match by exact host; duplicates leave the choice