[Feature] Add traffic tap/mirror mode to proxy-egress for passive analysis (Zeek/IDS) #40

@PenguinzTech

User Story

As a security platform integrator, I want proxy-egress to optionally mirror a copy of all outbound traffic to a passive receiver (e.g., Zeek) so that egress traffic can be analyzed without being in the data path.

Background

proxy-egress currently has no tap/mirror capability. cerberus-zeek requires this to passively analyze outbound/egress traffic flows.

Acceptance Criteria

  • Tap mode implemented — same mechanism as proxy-ingress tap (coordinate implementations)
  • Tap target configurable via env var
  • Tap enabled/disabled via config flag (default off)
  • Zero measurable performance impact on primary traffic path
  • Unit tests cover tap-on and tap-off modes
  • Integration test: verify mirrored packets reach a test receiver
  • Docs updated
  • Linting passes
  • Security scan passes

Notes

Must use the same tap mechanism and config schema as proxy-ingress tap to ensure Zeek can consume from both proxies with a single uniform configuration.
