Klyo Changelog

Optional kernel-level firewall for outbound LLM traffic

A new optional sidecar enforces LLM egress directly in the Linux kernel via eBPF. The gateway authorizes each LLM call; without an authorization, the kernel drops outbound packets to configured provider hostnames including OpenAI, Anthropic, and Google. Defense in depth: even if the gateway process is compromised, no unsanctioned LLM traffic leaves the host. Drop events are recorded in the existing firewall log.

A new admin page surfaces live counters, recent kernel events, and a one-click switch between observe (audit-only) and enforce modes.

Off by default. Opt in via the egress-guard compose profile and enable it in config/egress_guard.yaml. Requires Linux 5.8 or later with BTF and cgroup v2; not supported on managed Kubernetes without elevated capabilities. Recommended rollout: 24 hours in observe mode, then switch to enforce.
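As an added illustration, not Klyo's code, here is the decision logic the description implies, modeled in userspace Python: the gateway registers an authorization for a provider destination before the call, and the kernel-side hook either drops or only logs an unauthorized connect depending on the mode. The hostname-to-IP mapping, the 30-second single-use authorization and the event shape are assumptions of the model.

```python
import time
from dataclasses import dataclass, field

# Constructed sample: provider hostnames the guard is configured for, mapped to
# the IPs they resolved to (documentation-range addresses, not real provider IPs).
PROVIDER_IPS = {
    "api.openai.com": {"203.0.113.10"},
    "api.anthropic.com": {"203.0.113.20"},
    "generativelanguage.googleapis.com": {"203.0.113.30"},
}


@dataclass
class EgressGuard:
    mode: str = "observe"            # "observe" logs only; "enforce" drops
    auth_ttl: float = 30.0           # assumed lifetime of one authorization
    _auths: dict = field(default_factory=dict)  # (ip, port) -> expiry time
    events: list = field(default_factory=list)  # stands in for the firewall log

    def authorize(self, host: str, port: int = 443, now=None) -> None:
        """Gateway side: authorize one LLM call to every IP of `host`."""
        now = time.monotonic() if now is None else now
        for ip in PROVIDER_IPS[host]:
            self._auths[(ip, port)] = now + self.auth_ttl

    def connect(self, ip: str, port: int, now=None) -> str:
        """Kernel-hook side: return 'allow', 'drop' or 'observe' for a connect."""
        now = time.monotonic() if now is None else now
        watched = any(ip in ips for ips in PROVIDER_IPS.values())
        if not watched:
            return "allow"                      # not a configured provider: out of scope
        expiry = self._auths.get((ip, port))
        if expiry is not None and expiry > now:
            del self._auths[(ip, port)]         # assumed: one authorization per call
            return "allow"
        # Unauthorized LLM egress: enforce drops it, observe records it and lets it pass.
        verdict = "drop" if self.mode == "enforce" else "observe"
        self.events.append({"ip": ip, "port": port, "verdict": verdict, "t": now})
        return verdict
```

Running a day in observe mode amounts to reviewing `events` for unauthorized connects that enforce mode would have dropped.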