feat(gate): sqlite-backed egress gate library + unix-socket daemon + CLI refactor #7

Merged
mdheller merged 15 commits into main from feat/egress-gate-daemon-20260419
Apr 19, 2026

Conversation

@mdheller
Member

World-class implementation step-up for the Truth Plane egress gate.

This PR replaces the ad-hoc single-file gate logic with a structured library + daemon, while preserving the security posture:

  • local-first
  • deny-by-default
  • explicit allowlist set mutation only
  • replay protection
  • append-only audit

Key changes:

  1. New library package (repo-local, no packaging required)
  • src/sourceos_gate/ with:
    • errors.py (typed errors)
    • timeutil.py (time helpers)
    • audit.py (NDJSON audit writer)
    • store.py (single sqlite DB: replay + grants)
    • nft.py (baseline checks, apply/verify sets, nft -j parsing)
    • egress.py (EgressGate API)
    • protocol.py (line-delimited JSON protocol)
    • daemon.py (asyncio unix socket server)
  2. Daemon entrypoint
  • tools/sourceos_gate_egressd.py runs a unix socket service via src/ imports.
  3. CLI refactor
  • tools/sourceos_gate_egress.py now uses sourceos_gate.egress.EgressGate and stores state in sqlite.
  • Adds apply and snapshot subcommands.
  4. Tests
  • tests/test_gate_store.py (sqlite store + replay + expiry)
  • tests/test_nft_parse.py (nft -j parsing using existing fixtures)
  5. Docs
  • docs/DEV_VALIDATE.md updated with unit test invocation.

Notes:

  • This PR intentionally keeps the existing nft baseline contract and does not add systemd units.
  • The old ad-hoc logic is replaced in-place, but behavior remains consistent: apply/verify only mutate/compare sets.
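The description above lists a "single sqlite DB: replay + grants" behind a deny-by-default allowlist, but the PR page does not show how such a store behaves. The following is an added example written for this page, not the project's `sourceos_gate.store` module: a minimal sqlite-backed store that rejects replayed or stale requests and keeps time-bounded allowlist grants, with absence of a grant meaning denied. The class name `GateStore`, its method names, the injectable `now` clock, the replay window and the set name `egress_allow_v4` used in the usage are all assumptions made for the example.

```python
"""Sqlite-backed replay + grant store. Added example; hypothetical API, not
the project's own store.py. All names and defaults below are assumptions."""
import sqlite3
import time
from typing import Callable, List

# One DB holds both concerns: nonces seen inside the replay window, and
# allowlist grants with an expiry. A row that is absent or expired is denied.
SCHEMA = """
CREATE TABLE IF NOT EXISTS seen_nonces (
    nonce    TEXT PRIMARY KEY,
    seen_at  REAL NOT NULL
);
CREATE TABLE IF NOT EXISTS grants (
    set_name   TEXT NOT NULL,
    element    TEXT NOT NULL,
    expires_at REAL NOT NULL,
    PRIMARY KEY (set_name, element)
);
"""


class GateStore:
    def __init__(self, path: str = ":memory:",
                 now: Callable[[], float] = time.time,
                 replay_window: float = 300.0) -> None:
        # `now` is injectable so expiry and replay logic can be tested with a fake clock.
        self._conn = sqlite3.connect(path)
        self._now = now
        self._window = replay_window
        self._conn.executescript(SCHEMA)

    def accept_request(self, nonce: str, issued_at: float) -> bool:
        """Replay check: reject requests whose timestamp is outside the window
        and any nonce already recorded inside the window."""
        now = self._now()
        if abs(now - issued_at) > self._window:
            return False  # stale (or future-dated) request
        # Prune first so the PRIMARY KEY only has to enforce uniqueness
        # inside the window; older nonces are already rejected by the timestamp check.
        self._conn.execute("DELETE FROM seen_nonces WHERE seen_at < ?",
                           (now - self._window,))
        try:
            self._conn.execute(
                "INSERT INTO seen_nonces (nonce, seen_at) VALUES (?, ?)",
                (nonce, now))
        except sqlite3.IntegrityError:
            self._conn.commit()
            return False  # nonce seen before: replay
        self._conn.commit()
        return True

    def grant(self, set_name: str, element: str, ttl: float) -> None:
        """Add or extend a time-bounded grant for one set element."""
        self._conn.execute(
            "INSERT OR REPLACE INTO grants (set_name, element, expires_at) "
            "VALUES (?, ?, ?)",
            (set_name, element, self._now() + ttl))
        self._conn.commit()

    def revoke(self, set_name: str, element: str) -> None:
        self._conn.execute(
            "DELETE FROM grants WHERE set_name = ? AND element = ?",
            (set_name, element))
        self._conn.commit()

    def active_elements(self, set_name: str) -> List[str]:
        """Elements with unexpired grants: the content an apply step would
        push into the corresponding nft set. Expired rows are dropped here."""
        self._conn.execute("DELETE FROM grants WHERE expires_at <= ?",
                           (self._now(),))
        self._conn.commit()
        rows = self._conn.execute(
            "SELECT element FROM grants WHERE set_name = ? ORDER BY element",
            (set_name,))
        return [r[0] for r in rows]

    def is_allowed(self, set_name: str, element: str) -> bool:
        """Deny-by-default: only an unexpired grant allows the element."""
        return element in self.active_elements(set_name)


if __name__ == "__main__":
    # Constructed usage with a fake clock so the expiry is visible immediately.
    clock = [1000.0]
    store = GateStore(now=lambda: clock[0], replay_window=60.0)
    print(store.accept_request("n1", 1000.0))   # True, first sight
    print(store.accept_request("n1", 1000.0))   # False, replay
    store.grant("egress_allow_v4", "203.0.113.10", ttl=30.0)
    print(store.active_elements("egress_allow_v4"))
    clock[0] = 1031.0
    print(store.active_elements("egress_allow_v4"))  # grant has expired
```

Pruning nonces only after the timestamp check is what keeps the two mechanisms consistent: a nonce older than the window can never be re-accepted, because its timestamp is rejected before the uniqueness check runs, so the table stays bounded without weakening replay protection.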

@mdheller mdheller merged commit f37961e into main Apr 19, 2026
0 of 2 checks passed