feat(bottle-plan): render TLS interception in the dry-run preflight

Third step of PRD 0006. The preflight now surfaces the TLS-
intercept layer so the operator sees it before agreeing to launch.

- Text output: one new line under the egress summary
  ("tls intercept : pipelock (per-bottle ephemeral CA, generated
  at launch)").
- JSON output (--format=json contract): new
  egress.tls_interception: { enabled: true, ca_fingerprint: null }
  block. Fingerprint is always null at dry-run because the CA
  only exists after launch; real launches print it as a stderr
  log line from provision_ca.
- Pin the new shape in the dry-run integration test.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

tests/integration/test_dry_run_plan.py

@@ -92,6 +92,14 @@ class TestDryRunPlan(unittest.TestCase):
             self.assertEqual(sorted(set(hosts)), hosts,
                              "hosts must be sorted and deduplicated")
 
+            # PRD 0006: TLS interception is on for every launched
+            # bottle. Fingerprint is null at dry-run (no CA exists
+            # yet); real launches log it from provision_ca.
+            self.assertEqual(
+                {"enabled": True, "ca_fingerprint": None},
+                plan["egress"]["tls_interception"],
+            )
+
             # No Docker side effects (see the GITEA_ACTIONS skip note
             # above — this guard runs locally only).
             if check_side_effects: