Add segmentation egress boundary gates #1686

Open

yanziwei wants to merge 1 commit into UnitOneAI:main from yanziwei:improve/segmentation-egress-boundary-gates

Conversation

@yanziwei

@yanziwei yanziwei commented Jun 8, 2026

Skill Improvement ($50-150 Bounty)

Closes #1685

Skill Modified

Skill name: segmentation
Skill path: skills/network/segmentation/SKILL.md

What Was Wrong

The segmentation skill covered zone maps, trust boundaries, east-west traffic, DMZ design, PCI CDE validation, and segmentation testing, but it did not require evidence for outbound boundaries. A sensitive zone could be isolated laterally while still having broad internet egress through NAT, public IPs, unmanaged DNS, or proxy bypass paths.

What This PR Fixes

  • Adds an egress boundary and internet exit review step.
  • Requires evidence for source zone/workload, approved destinations, enforcement point, DNS path, direct internet path, inspection/logging, and exception lifecycle.
  • Adds SEG-EGRESS-* findings for unrestricted egress, proxy/DNS bypass, port-only allowlists, direct external DNS, stale broad exceptions, missing destination inventory, and untested alternate egress paths.
  • Extends severity guidance and output with an Egress Boundary Matrix.
  • Adds a pitfall warning that outbound 443 is still broad egress without destination and inspection evidence.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass

Docs/skill-guidance update; no executable test fixtures exist for this skill.

Validation completed locally:

  • git diff --check
  • Markdown fence-balance check (10 balanced)
  • Marker checks for version 1.1.0, Egress Boundary and Internet Exit Review, SEG-EGRESS-01, Egress Boundary Matrix, and the outbound 443 pitfall

Bounty Tier

  • Minor ($50) — Doc update, small logic tweak, typo fix
  • Moderate ($100) — New edge case coverage, FP reduction with evidence
  • Substantial ($150) — Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Can be provided privately after acceptance

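The review step and the SEG-EGRESS-* findings described in the PR can be exercised mechanically against an egress boundary matrix. The checker below is an added example and is not code from the segmentation skill or from this PR: the row layout (`EgressRule` fields), the descriptive finding labels (the skill's own SEG-EGRESS numbering is not reproduced), the review date and the three sample rows are all assumptions made for illustration. It flags the outbound-443 pitfall (port-only allowlist to any destination), direct paths that bypass the enforcement point, direct external DNS, missing inspection or logging, expired broad exceptions, missing destination inventory and untested alternate exits, then summarises them as a per-zone matrix.

```python
"""Illustrative egress boundary matrix checker.

Added example, not code from the segmentation skill or this PR. Field
names, finding labels, review date and the sample rules are assumptions
made for illustration; the skill's SEG-EGRESS-* numbering is not reproduced.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Destination entries treated as "anything on the internet".
BROAD_DESTINATIONS = {"any", "*", "0.0.0.0/0"}

# Assumed review date for the constructed sample below.
TODAY = date(2026, 6, 8)


@dataclass
class EgressRule:
    """One row of an egress boundary matrix (assumed field layout)."""
    zone: str
    destinations: List[str]       # approved destinations; a BROAD entry means any host
    ports: List[int]              # allowed TCP ports; [] means all ports
    enforcement: str              # "proxy", "firewall" or "nat"
    inspected: bool               # content/TLS inspection at the enforcement point
    logged: bool                  # flows logged with destination and source workload
    dns_path: str                 # "internal-resolver" or "direct-external"
    direct_internet_path: bool    # NAT/public-IP route that skips the enforcement point
    destination_inventory: bool   # an owner-maintained approved-destination list exists
    alternate_paths_tested: bool  # VPN, cloud-endpoint and other exits were tested
    exception_expires: Optional[date] = None  # expiry of a broad exception, if any


def review_egress(rules: List[EgressRule], today: date) -> List[dict]:
    """Return one finding per evidence gap, following the PR's SEG-EGRESS themes."""
    findings = []

    def add(rule, label, detail):
        findings.append({"zone": rule.zone, "finding": label, "detail": detail})

    for r in rules:
        broad = any(d in BROAD_DESTINATIONS for d in r.destinations)
        if broad and not r.ports:
            add(r, "unrestricted_egress", "any destination on any port")
        elif broad:
            # The PR's pitfall: outbound 443 to "any" is still broad egress.
            add(r, "port_only_allowlist",
                f"ports {r.ports} to any destination; no destination evidence")
        if r.direct_internet_path:
            add(r, "enforcement_bypass",
                f"direct internet path exists alongside {r.enforcement}")
        if r.dns_path == "direct-external":
            add(r, "direct_external_dns", "workloads resolve via external DNS")
        if not (r.inspected and r.logged):
            add(r, "missing_inspection_or_logging",
                f"inspected={r.inspected}, logged={r.logged}")
        if broad and r.exception_expires is not None and r.exception_expires < today:
            add(r, "stale_broad_exception",
                f"broad exception expired {r.exception_expires.isoformat()}")
        if not r.destination_inventory:
            add(r, "missing_destination_inventory", "no approved-destination list")
        if not r.alternate_paths_tested:
            add(r, "untested_alternate_egress", "alternate exit paths never exercised")
    return findings


def egress_matrix(rules: List[EgressRule], findings: List[dict]) -> dict:
    """Zone -> sorted finding labels; an empty list means the boundary has evidence."""
    matrix = {r.zone: [] for r in rules}
    for f in findings:
        matrix[f["zone"]].append(f["finding"])
    return {zone: sorted(labels) for zone, labels in matrix.items()}


# Constructed sample matrix (not from any real environment).
SAMPLE_RULES = [
    # Laterally isolated zone with NAT and "443 to anywhere": the pitfall case.
    EgressRule("cde-app", ["any"], [443], "nat", False, True,
               "direct-external", True, False, False),
    # Proxy-enforced, allowlisted, inspected and logged: no findings expected.
    EgressRule("corp-web", ["vendor-api.example", "updates.example"], [443],
               "proxy", True, True, "internal-resolver", False, True, True),
    # Old "allow all" exception that nobody renewed.
    EgressRule("batch-legacy", ["0.0.0.0/0"], [], "firewall", False, False,
               "internal-resolver", False, True, True, date(2025, 1, 31)),
]


def run_sample():
    """Review the constructed sample and return (findings, per-zone matrix)."""
    findings = review_egress(SAMPLE_RULES, TODAY)
    return findings, egress_matrix(SAMPLE_RULES, findings)


if __name__ == "__main__":
    _, matrix = run_sample()
    for zone, labels in matrix.items():
        print(zone, "->", ", ".join(labels) or "no egress findings")
```

Running it prints six findings for `cde-app` (the zone that looks isolated but only restricts the port), none for `corp-web`, and three for `batch-legacy`. Treating "443 to any" as a separate `port_only_allowlist` finding rather than folding it into `unrestricted_egress` keeps the distinction the PR draws: a port restriction alone is not destination or inspection evidence.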
Development

Successfully merging this pull request may close these issues.

[REVIEW] segmentation: add egress boundary and internet exit evidence gates