feat(gate): systemd socket activation + daemon client + protocol test + runbook updates

[mdheller]

Follow-on to merged PR #7. Adds host-grade operationalization for the egress gate.

1. systemd units

• systemd/sourceos-gate-egress.socket
• systemd/sourceos-gate-egress.service

2. daemon socket activation

• src/sourceos_gate/daemon.py now supports systemd socket activation via LISTEN_FDS.

3. daemon client

• tools/sourceos_gate_egressctl.py: unix-socket client for health/snapshot/grant/prune/apply/verify.

4. tests

• tests/test_gate_daemon.py: protocol smoke test (health + snapshot).

5. docs

• docs/TRUTH_PLANE_RUNBOOK.md updated to document daemon mode, egressctl, and systemd units.

Security posture preserved:

• unix socket only (no TCP)
• auth via socket filesystem permissions
• explicit allowlist set mutation only
• audit remains append-only

[mdheller]

@copilot fix failed checks and any conflicts

[Copilot]

@copilot fix failed checks and any conflicts

Addressed in 06fad20: fixed the failing markdownlint check (MD032 in docs/RELEASES.md) and verified there are no merge conflicts with main (merge-base is current origin/main, no conflict markers).

[mdheller]

Update pushed: systemd correctness + packaging-lane primitives.

• Removed bogus Environment=LISTEN_PID=%p (systemd sets LISTEN_PID/LISTEN_FDS).
• Added RuntimeDirectory=sourceos + RuntimeDirectoryMode=0755 and RestrictAddressFamilies=AF_UNIX AF_NETLINK to the service.
• Added DirectoryMode=0755 to the socket unit.
• Added systemd/sysusers.d/sourceos.conf to ensure the sourceos group exists.
• Added systemd/tmpfiles.d/sourceos.conf to ensure /run/sourceos and /var/lib/sourceos/... dirs exist.

This keeps auth on filesystem perms and keeps the daemon unix-socket-only.