Outbound permission control

Egress is part of the audit-export evidence relay. Reopen the Latest export receipt from /settings?intent=upgrade, keep the same filename, filters, and SHA-256, and carry that proof into verification, go-live, and the admin follow-up surface while you review outbound destinations.

Navigation-only manual relay: this card keeps the workspace context stitched together but does not automate, impersonate, or change workspace state on your behalf.