build: drop unused agent-image apt deps

Removes socat, openssh-client, and dnsutils from Dockerfile.claude
and Dockerfile.codex.

- socat was the privileged forwarder for the in-container ssh-agent
  that PRD 0009 removed; nothing in bot_bottle references it.
- openssh-client was needed back when the agent talked ssh:// to
  upstreams; git-gate's insteadOf rewrites now route every upstream
  through HTTP/git-protocol, and ssh-keygen runs host-side from the
  deploy-key provisioner.
- dnsutils was only used by tests/integration/test_sandbox_escape.py
  (attack 4b runs dig from inside the agent container).

Splits python3/python3-pip/python3-venv onto a separate layer with
a comment noting they're app-specific and a candidate to move to a
downstream image.

Dockerfile.claude

@@ -16,14 +16,20 @@ FROM node:22-slim
 # features (status checks, commits, PR creation) — without git in the
 # image, those features fail in surprising ways once the user does any
 # real work. ca-certificates is already in the slim base; listed for
-# clarity in case the base ever drops it. socat is the privileged
-# forwarder for the in-container ssh-agent (see bot_bottle/ssh.py): the agent
-# runs as root and rejects non-root connections, so socat sits between
-# node and the agent socket. curl is here so any HTTPS_PROXY-aware
-# tool (curl itself, plus anything that shells out to it) works
-# against egress's bumped TLS without the agent needing local DNS.
+# clarity in case the base ever drops it. curl is here so any
+# HTTPS_PROXY-aware tool (curl itself, plus anything that shells out
+# to it) works against egress's bumped TLS without the agent needing
+# local DNS.
 RUN apt-get update \
-  && apt-get install -y --no-install-recommends git ca-certificates openssh-client socat curl dnsutils python3 python3-pip python3-venv \
+  && apt-get install -y --no-install-recommends git ca-certificates curl \
+  && rm -rf /var/lib/apt/lists/*
+
+# App-specific deps. Python isn't required by claude-code itself
+# (claude-code is a Node CLI), but is convenient for the agent to
+# shell out to for ad-hoc scripts. Kept on its own layer so it can
+# be moved to a downstream image if the base ever needs to shrink.
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends python3 python3-pip python3-venv \
   && rm -rf /var/lib/apt/lists/*
 
 # Install claude-code globally. Pinned to the version verified in the v1

Dockerfile.codex

@@ -6,7 +6,15 @@
 FROM node:22-slim
 
 RUN apt-get update \
-  && apt-get install -y --no-install-recommends git ca-certificates openssh-client socat curl dnsutils python3 python3-pip python3-venv \
+  && apt-get install -y --no-install-recommends git ca-certificates curl \
+  && rm -rf /var/lib/apt/lists/*
+
+# App-specific deps. Python isn't required by codex itself
+# (codex is a Node CLI), but is convenient for the agent to shell
+# out to for ad-hoc scripts. Kept on its own layer so it can be
+# moved to a downstream image if the base ever needs to shrink.
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends python3 python3-pip python3-venv \
   && rm -rf /var/lib/apt/lists/*
 
 RUN npm install -g --no-fund --no-audit @openai/codex@0.136.0 \

docs/prds/0052-egress-dlp-addon.md

@@ -1,4 +1,4 @@
-# PRD 0053: Egress DLP addon
+# PRD 0052: Egress DLP addon
 
 - **Status:** Active
 - **Author:** claude
@@ -397,7 +397,7 @@ afterward, preserving the existing credential-injection security model.
 4. **Naive prompt injection detector (Phase 2).**
    Add `NaiveInjectionDetector` to `dlp_detectors.py`. Wire
    `scan_inbound` into the new `response` hook in `egress_addon.py`.
-   Extend unit tests. Activate PRD 0053 (`Status: Draft → Active`) in
+   Extend unit tests. Activate PRD 0052 (`Status: Draft → Active`) in
    this commit.
 
 ## Open questions

docs/research/yaml-route-matching-formats.md

@@ -3,7 +3,7 @@
 ## Question
 
 Bot-bottle's egress manifest currently supports exact-host matching and
-a flat list of path prefixes (`path_allowlist`). As the DLP work (PRD 0053)
+a flat list of path prefixes (`path_allowlist`). As the DLP work (PRD 0052)
 and future route hardening evolve, we may want more expressive matching:
 glob-style path patterns (`/api/*/data`), header predicates (Content-Type,
 Accept), and per-method rules (GET allowed, POST blocked). What established

tests/integration/test_sandbox_escape.py

@@ -120,11 +120,10 @@ class TestSandboxEscape(unittest.TestCase):
                     # is intentionally unreachable — the pre-receive
                     # gitleaks hook must reject BEFORE git-gate
                     # attempts the upstream push.
-                    "git": {"remotes": {
-                        "unreachable.invalid": {
-                            "Name": "throwaway",
-                            "Upstream": "ssh://git@unreachable.invalid:22/throwaway.git",
-                            "IdentityFile": str(cls._key_path),
+                    "git-gate": {"repos": {
+                        "throwaway": {
+                            "url": "ssh://git@unreachable.invalid:22/throwaway.git",
+                            "identity": str(cls._key_path),
                         },
                     }},
                 },

tests/integration/test_smolmachines_launch.py

@@ -110,10 +110,10 @@ class TestSmolmachinesLaunch(unittest.TestCase):
         # (high-numbered) so we're confirming TSI refusal, not
         # just "no service listening."
         r = self.bottle.exec(
-            "wget -T 3 -t 1 -O - http://127.0.0.1:9 2>&1 || true"
+            "curl -s --show-error --max-time 3 http://127.0.0.1:9 2>&1 || true"
         )
-        # `wget` to a denied destination produces a connect error.
-        # The exact phrasing varies (busybox vs gnu); we assert
+        # `curl` to a denied destination produces a connect error.
+        # The exact phrasing varies by curl version; we assert
         # the response is NOT the body of any real service.
         self.assertNotIn("hello-from-vm", r.stdout)
         self.assertTrue(
@@ -126,10 +126,10 @@ class TestSmolmachinesLaunch(unittest.TestCase):
 
     def test_prompt_file_lands_in_guest(self):
         # provision_prompt copies the host-side prompt.txt into the
-        # guest at /root/.bot-bottle-prompt.txt. The content
+        # guest at /home/node/.bot-bottle-prompt.txt. The content
         # must match what the manifest declared so claude-code's
         # --append-system-prompt-file reads the right text.
-        r = self.bottle.exec("cat /root/.bot-bottle-prompt.txt")
+        r = self.bottle.exec("cat /home/node/.bot-bottle-prompt.txt")
         self.assertEqual(0, r.returncode, msg=r.stderr)
         self.assertEqual(_AGENT_PROMPT, r.stdout.rstrip("\n"))
 
@@ -143,7 +143,7 @@ class TestSmolmachinesLaunch(unittest.TestCase):
         # connect fails, which is the property chunk 3 will
         # preserve once egress is actually running.
         r = self.bottle.exec(
-            f"wget -T 3 -t 1 -O - http://{self.plan.bundle_ip}:9099 "
+            f"curl -s --show-error --max-time 3 http://{self.plan.bundle_ip}:9099 "
             "2>&1 || true"
         )
         self.assertTrue(