feat(egress-proxy): block HTTPS git push + restore role provisioner

Two related fixes on top of PR #29's chunk-2 cutover:

1. Universal HTTPS git-push block in the egress-proxy addon
   (`is_git_push_request` in egress_proxy_addon_core, called from the
   mitmproxy request hook before route matching). 403s any
   `/git-receive-pack` or `info/refs?service=git-receive-pack` —
   defense in depth so git-gate (PRD 0008) remains the only outbound
   path for writes, gitleaks-scanned by its pre-receive. Replicates
   cred-proxy's `is_git_push_request` behavior.

2. Restored agent-side role provisioner. Brings back `Role` on
   EgressProxyRoute (manifest + runtime) with three roles —
   `anthropic-base-url`, `npm-registry`, `tea-login`. Singleton
   constraint on the first two carries over from cred-proxy.
   `git-insteadof` is intentionally absent (option 1 above handles
   the push-bypass concern, and the canonical-URL rewrite has no
   function when egress-proxy is on HTTPS_PROXY).

   The provisioner (`backend/docker/provision/egress_proxy.py`):
     - `~/.npmrc` registry= the canonical upstream URL.
     - `~/.config/tea/config.yml` logins[] entry per tea-login route.
     - `ANTHROPIC_BASE_URL` env set in prepare.py based on the
       anthropic-base-url role (was a token_ref="CLAUDE_CODE_OAUTH_TOKEN"
       check in this PR's earlier draft — the role marker is cleaner
       and matches the cred-proxy precedent the user wants kept).

   All three dotfile values point at canonical upstream URLs; the
   agent's HTTPS_PROXY=egress-proxy routes them through the proxy
   automatically.

Tests: 11 new role-validation tests, 11 new provisioner-render tests,
the chunk-1 manifest fixture exercise role=anthropic-base-url. 400
tests pass (was 376).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

tests/unit/test_provision_egress_proxy.py

@@ -0,0 +1,109 @@
+"""Unit: agent-side provisioning for egress-proxy roles (PRD 0017).
+
+Each role drives one dotfile / env-var rewrite at bottle bring-up.
+HTTPS_PROXY routes the canonical URL through egress-proxy, which
+injects auth and DLP-scans on the upstream leg."""
+
+import unittest
+
+from claude_bottle.backend.docker.provision.egress_proxy import (
+    render_npmrc,
+    render_tea_config,
+)
+from claude_bottle.egress_proxy import egress_proxy_routes_for_bottle
+from claude_bottle.manifest import Manifest
+
+
+def _routes(manifest_routes):
+    m = Manifest.from_json_obj({
+        "bottles": {"dev": {"egress_proxy": {"routes": manifest_routes}}},
+        "agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
+    })
+    return egress_proxy_routes_for_bottle(m.bottles["dev"])
+
+
+# --- npmrc -----------------------------------------------------------
+
+
+class TestRenderNpmrc(unittest.TestCase):
+    def test_canonical_upstream_url(self):
+        routes = _routes([
+            {"host": "registry.npmjs.org", "role": "npm-registry",
+             "auth": {"scheme": "Bearer", "token_ref": "NPM_TOKEN"}},
+        ])
+        self.assertEqual(
+            "registry=https://registry.npmjs.org/\n",
+            render_npmrc(routes),
+        )
+
+    def test_empty_when_no_npm_role(self):
+        routes = _routes([
+            {"host": "api.github.com",
+             "auth": {"scheme": "Bearer", "token_ref": "GH"}},
+        ])
+        self.assertEqual("", render_npmrc(routes))
+
+    def test_no_routes_empty(self):
+        self.assertEqual("", render_npmrc(()))
+
+    def test_no_auth_token_in_npmrc(self):
+        # The proxy injects auth; the npmrc must carry no secret —
+        # not even `:always-auth=true` lines that would prompt npm
+        # to wait for credentials. Just the registry URL.
+        routes = _routes([
+            {"host": "registry.npmjs.org", "role": "npm-registry",
+             "auth": {"scheme": "Bearer", "token_ref": "NPM_TOKEN"}},
+        ])
+        out = render_npmrc(routes)
+        self.assertNotIn("_authToken", out)
+        self.assertNotIn("NPM_TOKEN", out)
+
+
+# --- tea config ------------------------------------------------------
+
+
+class TestRenderTeaConfig(unittest.TestCase):
+    def test_single_login(self):
+        routes = _routes([
+            {"host": "gitea.dideric.is", "role": "tea-login",
+             "auth": {"scheme": "token", "token_ref": "GITEA_TOKEN"}},
+        ])
+        out = render_tea_config(routes)
+        self.assertIn("- name: gitea.dideric.is", out)
+        self.assertIn("url: https://gitea.dideric.is", out)
+        self.assertIn("token: egress-proxy-placeholder", out)
+
+    def test_multiple_logins_each_get_own_entry(self):
+        routes = _routes([
+            {"host": "gitea.a.example", "role": "tea-login",
+             "auth": {"scheme": "token", "token_ref": "T_A"}},
+            {"host": "gitea.b.example", "role": "tea-login",
+             "auth": {"scheme": "token", "token_ref": "T_B"}},
+        ])
+        out = render_tea_config(routes)
+        self.assertIn("- name: gitea.a.example", out)
+        self.assertIn("- name: gitea.b.example", out)
+
+    def test_empty_when_no_tea_role(self):
+        routes = _routes([
+            {"host": "api.github.com",
+             "auth": {"scheme": "Bearer", "token_ref": "GH"}},
+        ])
+        self.assertEqual("", render_tea_config(routes))
+
+    def test_no_routes_empty(self):
+        self.assertEqual("", render_tea_config(()))
+
+    def test_no_real_token_in_config(self):
+        routes = _routes([
+            {"host": "gitea.dideric.is", "role": "tea-login",
+             "auth": {"scheme": "token", "token_ref": "GITEA_TOKEN"}},
+        ])
+        out = render_tea_config(routes)
+        # GITEA_TOKEN is just the env var name, not the value —
+        # placeholder-only is the SC.
+        self.assertIn("egress-proxy-placeholder", out)
+
+
+if __name__ == "__main__":
+    unittest.main()