Kernel egress firewall installs with no extra steps on supported hosts

The bootstrap script now auto-detects whether the host kernel supports the optional eBPF egress sidecar shipped in v1.8.2, generates the required CO-RE header, and adds the sidecar to the default compose profile when supported. A standard docker compose up -d brings the sidecar online with no --profile flag and no manual header generation step.

Hosts that do not qualify — older kernels, missing BTF, managed Kubernetes — are skipped silently and the rest of the stack runs unaffected. The shipped egress configuration now defaults to observe mode so a fresh install soaks in audit-only until the administrator switches to enforce.

No action required.