Sandbox egress middleware RFC #1733

@pimlock

Summary

Create and review the RFC for sandbox egress middleware: the request-processing hook that lets OpenShell inspect, transform, block, and annotate outbound sandbox request content before it leaves the sandbox boundary.

This is the real GitHub-mirrored child issue for the Privacy Guard roadmap item. Privacy Guard is the initial use case; the feature being specified is the middleware layer that enables that use case.

Scope

  • Define the v1 egress hook stage: after network/L7 policy, before credential injection and upstream forwarding.
  • Define how trusted middleware/guard services are registered, configured, discovered by supervisors, and validated.
  • Define the hot-path interface: request and response shape, capability reporting, metadata contract, transformation semantics, and failure handling.
  • Define how sandbox policy selects middleware and attaches middleware behavior to endpoint rules.
  • Define secure defaults, including fail-closed behavior when required inspection cannot run.
  • Define audit evidence and logging expectations without storing raw sensitive values by default.
  • Explain how middleware findings can feed future model routing without making model routing part of this RFC.

Out of Scope

  • Model router design and routing policy language, which are tracked in Pluggable model routing RFC #1734.
  • Building a generic middleware framework for every possible hook stage beyond the v1 egress hook.
  • Implementation work beyond the RFC and any minimal examples needed to make the proposal concrete.
  • Response-body scanning unless explicitly added during RFC review.

Deliverable

  • RFC folder: rfc/0005-sandbox-egress-middleware/
  • RFC PR linked to this GitHub issue.

Context

  • Parent roadmap issue: Privacy Guard #1043
  • Existing research notes: rfc/0005-privacy-guard/research-notes/
