Fix critical ISO build bugs: kernel pinning, service registration, PATH, audit checks

- Pin linux-lts to exact KERNEL_PKG_VERSION=6.12.76-r0 in build and ISO package list
- Add build-time verification that compiled kernel version matches pin (fails loudly)
- Fix bee-audit-debug → bee-audit in genapkovl OpenRC registration (service was never starting)
- Add AUDIT_VERSION=0.1.0 to VERSIONS (was undefined, bee-release had empty fields)
- Pin linux-lts-dev version in second apk add in build-nvidia-module.sh
- Add /root/.profile to overlay so /usr/local/bin is in PATH for SSH sessions
- Remove "DEBUG MODE" from motd
- Fix smoketest: grep for slog "audit output written" instead of non-existent "audit completed"
- Document no-internet constraint in system-overview and runtime-flows
- Remove redundant genapkovl copy to /var/tmp (now found via ~/.mkimage/)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

bible-local/architecture/system-overview.md

@@ -25,6 +25,16 @@ Fills gaps where Redfish/logpile is blind:
 - Interactive TUI (`bee-tui`) for network setup, service management, GPU tests
 - GPU stress testing via `gpu_burn` (vendor binary, optional)
 
+## Network isolation — CRITICAL
+
+**The live CD runs in an isolated network segment with no internet access.**
+
+- All tools, drivers, and binaries MUST be pre-baked into the ISO at build time
+- No `apk add` at boot — packages are installed during ISO creation, not at runtime
+- No downloads at boot — NVIDIA modules, vendor tools, and all binaries come from the ISO overlay
+- DHCP is used only for LAN access (SSH from operator laptop); internet is NOT assumed
+- Any feature requiring network downloads cannot be added to the live CD
+
 ## Out of scope
 
 - Any writes to the server being audited
@@ -32,6 +42,7 @@ Fills gaps where Redfish/logpile is blind:
 - BMC/IPMI configuration
 - Anything requiring persistent storage on the audited machine
 - Windows support
+- Any functionality requiring internet access at boot
 
 ## Tech stack