Real network egress policy (per-agent firewall) #3

@kortiene

Context

v0.2 maps network profiles to coarse podman options:

  • none → network=none
  • restricted / devops / full → network=slirp4netns (no real egress filtering)

Per docs/SPRINT_PLAN.md §2.3 the granular enforcement was deliberately deferred. v0.3 should close this gap: a restricted profile must actually restrict egress to a declared allowlist (e.g. pypi.org, github.com), and full must remain unrestricted.

Source: docs/SPRINT_PLAN.md §8 + b85bf4d fix note + c29f227 runtime fixes.

Acceptance criteria

  • Template schema gains network.egressAllowlist: [str] (empty = deny all).
  • Compiler maps the allowlist into either:
    • a netavark plugin config, or
    • a slirp4netns --outbound-addr + per-host iptables rule, or
    • a sidecar squid/forward-proxy with explicit ACL.
  • An agent in restricted profile cannot reach hosts outside its allowlist; verified by E2E test that exec's curl against an allowed host (success) and a denied host (timeout/refused).
  • claw inspect <agent> returns the effective egress rules.
  • claw policy explain shows the egress allowlist.
  • Audit event on every denial (rate-limited).

Out of scope

  • Ingress filtering — agents have no inbound exposure today.
  • DNS-based filtering nuances (CDN IPs, etc.) — start with hostname allowlists, document the limitation.

References

  • docs/SPRINT_PLAN.md §2.3
  • ADR-0001 (TTY exec via subprocess) — same kind of "podman-py REST limitation" reasoning will apply
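
An added example, not part of the original issue or the project's code: one way the compiler step could render `network.egressAllowlist` into a squid forward-proxy ACL (the third option in the acceptance criteria), with an empty list denying all egress and `full` left unrestricted. The names `validate_host`, `compile_squid_acl` and `agent_egress` are assumptions, as is applying the allowlist to every profile other than `full`.

```python
import re

# One hostname label (RFC 1123): letters, digits, hyphens; no leading/trailing hyphen.
# Used with fullmatch(): "$" would accept a trailing newline and let a crafted
# entry smuggle an extra directive into the rendered config.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

UNRESTRICTED_PROFILES = {"full"}  # per the issue: full must remain unrestricted


def validate_host(host: str) -> str:
    """Normalise one allowlist entry; reject anything that is not a plain hostname."""
    h = host.strip().lower().rstrip(".")
    if not h or len(h) > 253 or not all(_LABEL.fullmatch(p) for p in h.split(".")):
        raise ValueError(f"invalid egress allowlist entry: {host!r}")
    return h


def compile_squid_acl(profile: str, allowlist: list[str]) -> str:
    """Render a squid.conf fragment for one agent (hypothetical compiler step)."""
    if profile in UNRESTRICTED_PROFILES:
        return "http_access allow all\n"
    # Assumption: every other profile that reaches the proxy gets the allowlist.
    hosts = sorted({validate_host(h) for h in allowlist})
    lines = [
        "acl SSL_ports port 443",
        "acl CONNECT method CONNECT",
        "http_access deny CONNECT !SSL_ports",  # no tunnels to arbitrary ports
    ]
    if hosts:
        # dstdomain without a leading dot matches the exact hostname only.
        lines.append("acl agent_egress dstdomain " + " ".join(hosts))
        lines.append("http_access allow agent_egress")
    lines.append("http_access deny all")  # empty allowlist = deny all
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input using the hosts named in the issue.
    print(compile_squid_acl("restricted", ["pypi.org", "github.com"]))
```

Because entries are matched by hostname at the proxy, this inherits the limitation the issue lists as out of scope: it only constrains traffic that actually goes through the proxy.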

Labels: enhancement, priority/high, security, v0.3
