fix: audit pipeline correctness after full review

- bee-audit init.d: use --output file: so "audit output written" is logged
  (stdout mode silently redirects, never emits the slog confirmation)
- build-nvidia-module.sh: use $KERNEL_SRC in find for .ko collection
  (was hardcoded $EXTRACT_DIR/kernel, silent failure if path differs)
- smoketest: add bee-audit to required services (was never checked)
- smoketest: remove legacy bee-audit-debug from service list
- smoketest: internet ping → warn (live CD runs in isolated network, no internet)
- build.sh: auto-copy smoketest.sh → overlay/usr/local/bin/bee-smoketest
  (removes manual sync hazard; smoketest.sh is now single source of truth)
- remove static overlay/usr/local/bin/bee-smoketest (generated by build.sh now)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

iso/builder/smoketest.sh

@@ -95,7 +95,7 @@ fi
 
 echo ""
 echo "-- openrc services --"
-for svc in bee-nvidia bee-network; do
+for svc in bee-nvidia bee-network bee-audit; do
     if rc-service "$svc" status >/dev/null 2>&1; then
         ok "service running: $svc"
     else
@@ -103,7 +103,7 @@ for svc in bee-nvidia bee-network; do
     fi
 done
 
-for svc in bee-audit-debug dropbear bee-sshsetup; do
+for svc in dropbear bee-sshsetup; do
     if [ -f "/etc/init.d/$svc" ]; then
         if rc-service "$svc" status >/dev/null 2>&1; then
             ok "service running: $svc"
@@ -166,7 +166,7 @@ fi
 if ping -c1 -W3 1.1.1.1 >/dev/null 2>&1; then
     ok "internet: reachable (1.1.1.1)"
 else
-    fail "internet: unreachable"
+    warn "internet: unreachable (expected — live CD runs in isolated network segment)"
 fi
 
 echo ""