refactor: clean up agent SSH setup after fixing host-local routing

- Remove iproute2/NET_ADMIN (no longer needed)
- Remove ip route hack from entrypoint.sh
- rwa-colocation-2 server record updated to use Docker gateway IP
  since 14.215.128.96 is a host-local NIC on the IT0 server

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Dockerfile.service

@@ -40,7 +40,7 @@ RUN pnpm turbo build --filter='./packages/shared/*' --filter=@it0/${SERVICE_NAME
 FROM node:18-alpine
 
 # Install bash (required by Claude Agent SDK Bash tool) + openssh-client (for SSH to managed servers) + su-exec (for privilege drop)
-RUN apk add --no-cache bash openssh-client su-exec iproute2
+RUN apk add --no-cache bash openssh-client su-exec
 
 RUN corepack enable
 

deploy/docker/docker-compose.yml

@@ -116,8 +116,6 @@ services:
         SERVICE_PORT: 3002
     container_name: it0-agent-service
     restart: unless-stopped
-    cap_add:
-      - NET_ADMIN
     ports:
       - "13002:3002"
     volumes:

entrypoint.sh

@@ -6,12 +6,5 @@ if [ -f /tmp/host-ssh-key ]; then
   chown appuser:appuser /home/appuser/.ssh/id_ed25519
 fi
 
-# Route host-local IPs through Docker gateway (for IPs bound to host NICs)
-# 14.215.128.96 is on the host's enp5s0 NIC, unreachable via default Docker NAT
-GATEWAY=$(ip route | awk '/default/ {print $3}')
-if [ -n "$GATEWAY" ]; then
-  ip route add 14.215.128.96/32 via "$GATEWAY" 2>/dev/null || true
-fi
-
 # Drop privileges and start the service
 exec su-exec appuser node dist/services/${SERVICE_NAME}/src/main