[Feature] Add traffic tap/mirror mode to proxy-ingress for passive analysis (Zeek/IDS) #39

@PenguinzTech

Description

User Story

As a security platform integrator, I want proxy-ingress to optionally mirror a copy of all ingress traffic to a passive receiver (e.g., Zeek) so that deep packet inspection and protocol analysis can happen out-of-line without touching the data path.

Background

proxy-ingress currently has no tap/mirror capability. cerberus-zeek requires this to perform passive analysis of ingress traffic.

Acceptance Criteria

  • Tap mode implemented — mirrors packet/stream copies to a configurable receiver
  • Tap target configurable via env var (address/socket/interface — implementer chooses best mechanism for K8s)
  • Tap enabled/disabled via config flag (default off — opt-in)
  • Zero measurable performance impact on primary traffic path when tap is active
  • Tap mechanism is consistent with proxy-egress tap (same config schema)
  • Unit tests cover tap-on and tap-off modes
  • Integration test: verify mirrored packets reach a test receiver
  • Docs updated (README + Helm values comments)
  • Linting passes
  • Security scan passes

Notes

Implementer should choose the most appropriate mechanism for K8s environments (TZSP over UDP, AF_PACKET tee, shared network namespace, named pipe, etc.). Coordinate with proxy-egress tap issue to ensure a unified tap interface.
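One way the userland variant could look, as an added illustration that is not part of this issue and not proxy-ingress, proxy-egress or cerberus-zeek code: the proxy wraps the writer it already uses for each direction of a connection, every chunk that reaches the real destination is copied into a bounded queue, and a single separate goroutine drains that queue to the UDP receiver. The data path pays one copy and one non-blocking channel send; when the receiver is slow or gone the copy is dropped and counted rather than the proxy stalled, which is the property the "no impact on the primary path" criterion actually needs. The env var names (PROXY_TAP_ENABLED, PROXY_TAP_TARGET), the "TAP1" frame header with connection ID and direction, and the 1400-byte chunk limit are assumptions made up for this example. TZSP is not used here because a userland proxy sees stream bytes, not the L2 frames TZSP encapsulates; that option only applies to a packet-level tap such as AF_PACKET.

```go
package main

import (
	"encoding/binary"
	"io"
	"net"
	"os"
	"strconv"
	"sync/atomic"
)

const (
	DirClientToUpstream, DirUpstreamToClient byte = 0, 1 // direction of a mirrored chunk relative to the proxy
	headerLen  = 4 + 4 + 1 + 2 // assumed frame: "TAP1" | conn ID uint32 BE | direction uint8 | payload len uint16 BE
	maxPayload = 1400          // every datagram stays under a 1500-byte MTU, so nothing is IP-fragmented
)

// Tap mirrors stream bytes to a passive receiver and never blocks the data path. The zero Tap is disabled (the opt-in default).
type Tap struct {
	queue   chan []byte   // nil when disabled; bounded, and a full queue means drop, not stall
	Dropped atomic.Uint64 // frames lost to a full queue (export this as a metric)
}

// NewTap starts mirroring over an open connection. The goroutine is the only code that touches
// the socket, so socket latency or a vanished receiver never reaches the data path.
func NewTap(conn net.Conn, depth int) *Tap {
	t := &Tap{queue: make(chan []byte, depth)}
	go func() {
		defer conn.Close()
		for dg := range t.queue {
			conn.Write(dg) // best effort: send errors are not the proxy's problem
		}
	}()
	return t
}

// Mirror enqueues a copy of buf as MTU-sized frames and returns immediately in every case.
func (t *Tap) Mirror(connID uint32, dir byte, buf []byte) {
	for t.queue != nil && len(buf) > 0 {
		n := len(buf)
		if n > maxPayload {
			n = maxPayload
		}
		dg := make([]byte, headerLen+n)
		copy(dg, "TAP1")
		binary.BigEndian.PutUint32(dg[4:], connID)
		dg[8] = dir
		binary.BigEndian.PutUint16(dg[9:], uint16(n))
		copy(dg[headerLen:], buf[:n])
		select {
		case t.queue <- dg:
		default:
			t.Dropped.Add(1) // receiver too slow: lose the copy, never the request
		}
		buf = buf[n:]
	}
}

// mirrorWriter writes to the real destination first, then mirrors exactly the bytes that got through.
type mirrorWriter struct{ dst io.Writer; t *Tap; id uint32; dir byte }

func (w mirrorWriter) Write(p []byte) (int, error) {
	n, err := w.dst.Write(p)
	w.t.Mirror(w.id, w.dir, p[:n])
	return n, err
}

// Wrap returns the writer the proxy hands to io.Copy for one direction of one connection; a disabled tap returns dst itself.
func (t *Tap) Wrap(dst io.Writer, connID uint32, dir byte) io.Writer {
	if t.queue == nil {
		return dst
	}
	return mirrorWriter{dst, t, connID, dir}
}

// Close stops accepting frames; whatever is already queued is still sent, then the socket closes.
func (t *Tap) Close() {
	if t.queue != nil {
		close(t.queue)
	}
}

// Demo data path: stdin -> stdout, mirrored only when PROXY_TAP_ENABLED=true (assumed env var names, default off).
func main() {
	tap := &Tap{}
	if on, _ := strconv.ParseBool(os.Getenv("PROXY_TAP_ENABLED")); on {
		conn, err := net.Dial("udp", os.Getenv("PROXY_TAP_TARGET"))
		if err != nil {
			panic(err)
		}
		tap = NewTap(conn, 1024)
	}
	defer tap.Close()
	io.Copy(tap.Wrap(os.Stdout, 1, DirClientToUpstream), os.Stdin)
}
```

Run it as `PROXY_TAP_ENABLED=true PROXY_TAP_TARGET=127.0.0.1:37008 go run . < request.txt` with any UDP listener on the target to see the frames; without the variable the wrapper is not even installed, so the off path is byte-for-byte the plain io.Copy. Two things to watch when adapting this: the connection ID must be unique per proxied connection for the receiver to reassemble streams, and Dropped should be surfaced as a metric, because a silently lossy tap gives the IDS a false sense of coverage.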
