docs: bump PRD number from 0052 to 0053

Renames docs/prds/0052-user-provider-plugins.md to 0053-user-provider-plugins.md
and updates the heading inside the file. 0052 is now reserved for the egress
DLP addon.

bot_bottle/egress_addon.py

@@ -82,14 +82,6 @@ class EgressAddon:
             {"Content-Type": "text/plain; charset=utf-8"},
         )
 
-    def _block(self, flow: http.HTTPFlow, reason: str) -> None:
-        sys.stderr.write(f"{reason}\n")
-        flow.response = http.Response.make(
-            403,
-            reason.encode("utf-8"),
-            {"Content-Type": "text/plain; charset=utf-8"},
-        )
-
     def request(self, flow: http.HTTPFlow) -> None:
         request_path, _, query = flow.request.path.partition("?")
 
@@ -108,18 +100,25 @@ class EgressAddon:
                 scan_text = auth_header + "\n" + body
             dlp_result = scan_outbound(route, scan_text, os.environ)
             if dlp_result is not None and dlp_result.severity == "block":
-                self._block(flow, f"egress DLP: {dlp_result.reason}")
+                flow.response = http.Response.make(
+                    403,
+                    f"egress DLP: {dlp_result.reason}".encode("utf-8"),
+                    {"Content-Type": "text/plain; charset=utf-8"},
+                )
                 return
 
         # Strip inbound Authorization — agent cannot smuggle tokens.
         flow.request.headers.pop("authorization", None)
 
         if is_git_push_request(request_path, query):
-            self._block(
-                flow,
-                "egress: git push over HTTPS is not supported; "
-                "use the bottle.git SSH path (gitleaks-scanned by "
-                "git-gate's pre-receive hook).",
+            flow.response = http.Response.make(
+                403,
+                (
+                    b"egress: git push over HTTPS is not supported; "
+                    b"use the bottle.git SSH path (gitleaks-scanned by "
+                    b"git-gate's pre-receive hook)."
+                ),
+                {"Content-Type": "text/plain; charset=utf-8"},
             )
             return
 
@@ -136,7 +135,11 @@ class EgressAddon:
         )
 
         if decision.action == "block":
-            self._block(flow, decision.reason)
+            flow.response = http.Response.make(
+                403,
+                decision.reason.encode("utf-8"),
+                {"Content-Type": "text/plain; charset=utf-8"},
+            )
             return
 
         if decision.inject_authorization is not None:
@@ -156,7 +159,11 @@ class EgressAddon:
         if result is None:
             return
         if result.severity == "block":
-            self._block(flow, f"egress DLP: {result.reason}")
+            flow.response = http.Response.make(
+                403,
+                f"egress DLP: {result.reason}".encode("utf-8"),
+                {"Content-Type": "text/plain; charset=utf-8"},
+            )
         elif result.severity == "warn":
             sys.stderr.write(f"egress DLP warn: {result.reason}\n")
 

tests/integration/test_sandbox_escape.py

@@ -120,10 +120,11 @@ class TestSandboxEscape(unittest.TestCase):
                     # is intentionally unreachable — the pre-receive
                     # gitleaks hook must reject BEFORE git-gate
                     # attempts the upstream push.
-                    "git-gate": {"repos": {
-                        "throwaway": {
-                            "url": "ssh://git@unreachable.invalid:22/throwaway.git",
-                            "identity": str(cls._key_path),
+                    "git": {"remotes": {
+                        "unreachable.invalid": {
+                            "Name": "throwaway",
+                            "Upstream": "ssh://git@unreachable.invalid:22/throwaway.git",
+                            "IdentityFile": str(cls._key_path),
                         },
                     }},
                 },

tests/integration/test_smolmachines_launch.py

@@ -110,10 +110,10 @@ class TestSmolmachinesLaunch(unittest.TestCase):
         # (high-numbered) so we're confirming TSI refusal, not
         # just "no service listening."
         r = self.bottle.exec(
-            "curl -s --show-error --max-time 3 http://127.0.0.1:9 2>&1 || true"
+            "wget -T 3 -t 1 -O - http://127.0.0.1:9 2>&1 || true"
         )
-        # `curl` to a denied destination produces a connect error.
-        # The exact phrasing varies by curl version; we assert
+        # `wget` to a denied destination produces a connect error.
+        # The exact phrasing varies (busybox vs gnu); we assert
         # the response is NOT the body of any real service.
         self.assertNotIn("hello-from-vm", r.stdout)
         self.assertTrue(
@@ -126,10 +126,10 @@ class TestSmolmachinesLaunch(unittest.TestCase):
 
     def test_prompt_file_lands_in_guest(self):
         # provision_prompt copies the host-side prompt.txt into the
-        # guest at /home/node/.bot-bottle-prompt.txt. The content
+        # guest at /root/.bot-bottle-prompt.txt. The content
         # must match what the manifest declared so claude-code's
         # --append-system-prompt-file reads the right text.
-        r = self.bottle.exec("cat /home/node/.bot-bottle-prompt.txt")
+        r = self.bottle.exec("cat /root/.bot-bottle-prompt.txt")
         self.assertEqual(0, r.returncode, msg=r.stderr)
         self.assertEqual(_AGENT_PROMPT, r.stdout.rstrip("\n"))
 
@@ -143,7 +143,7 @@ class TestSmolmachinesLaunch(unittest.TestCase):
         # connect fails, which is the property chunk 3 will
         # preserve once egress is actually running.
         r = self.bottle.exec(
-            f"curl -s --show-error --max-time 3 http://{self.plan.bundle_ip}:9099 "
+            f"wget -T 3 -t 1 -O - http://{self.plan.bundle_ip}:9099 "
             "2>&1 || true"
         )
         self.assertTrue(