PL4-egress-capability-scoping · Safe Space
Egress capability scoping at emission boundary.
All outbound communications from unsupervised agent paths (chat posts, webhook calls, email sends, HTTP requests, image-rendering URLs, link-preview fetches) pass through an egress gate before leaving the trust boundary. Scope is application-layer egress from automated, scheduled, or unattended agent action; interactive responses in user-supervised sessions are out of scope, symmetric with `PL4-prompt-injection-defence`'s ingestion-scope narrowing. IAM-level resource writes are covered separately by `PL4-least-privilege`. The gate enforces destination allowlists per channel, rate limits per destination, and elevation gates on novel destinations. Content-based output scanning is defence-in-depth, not the primary control.
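One way to implement the gate described above, as an added example that is not part of the rubric or any project's code: a default-deny check covering per-channel allowlists, per-destination rate limits, and elevation of novel destinations. The channel names, hostnames, decision labels and limits are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Decision labels and channel names are assumptions for this example.
ALLOW, RATE_LIMITED, ELEVATE = "allow", "deny_rate_limited", "elevate"
URL_CHANNELS = {"http", "webhook", "image", "link_preview"}

class EgressGate:
    """Default-deny gate for outbound actions from unattended agent paths."""

    def __init__(self, allowlists, max_per_window=3, window_s=60.0, clock=time.monotonic):
        # allowlists: channel -> exact destinations (hostnames, chat IDs, addresses)
        self.allowlists = {ch: {d.lower() for d in ds} for ch, ds in allowlists.items()}
        self.max_per_window, self.window_s, self.clock = max_per_window, window_s, clock
        self.sent = defaultdict(deque)  # (channel, destination) -> send timestamps
        self.pending = []               # novel destinations awaiting human review

    @staticmethod
    def destination(channel, target):
        # URL-bearing channels are keyed on the parsed hostname, so paths,
        # query strings and userinfo cannot be used to slip past the allowlist.
        if channel in URL_CHANNELS:
            return (urlsplit(target).hostname or "").lower()
        return target.strip().lower()

    def check(self, channel, target):
        dest = self.destination(channel, target)
        # The allowlist is per channel: a host approved for webhooks is still novel for images.
        if not dest or dest not in self.allowlists.get(channel, set()):
            self.pending.append((channel, dest))
            return ELEVATE
        now, q = self.clock(), self.sent[(channel, dest)]
        while q and now - q[0] >= self.window_s:  # drop sends outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            return RATE_LIMITED
        q.append(now)
        return ALLOW

    def approve(self, channel, dest):
        # Elevation outcome: invoked by a human reviewer, not by the agent path.
        self.allowlists.setdefault(channel, set()).add(dest.lower())
        self.pending = [p for p in self.pending if p != (channel, dest.lower())]

if __name__ == "__main__":
    gate = EgressGate({"webhook": {"hooks.example.internal"}}, max_per_window=2)  # constructed data
    for url in ["https://hooks.example.internal/deploy"] * 3 + ["https://cdn.example.net/p.png"]:
        print(url, "->", gate.check("webhook", url))
```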