Fix critical ISO build bugs: kernel pinning, service registration, PATH, audit checks

- Pin linux-lts to exact KERNEL_PKG_VERSION=6.12.76-r0 in build and ISO package list
- Add build-time verification that compiled kernel version matches pin (fails loudly)
- Fix bee-audit-debug → bee-audit in genapkovl OpenRC registration (service was never starting)
- Add AUDIT_VERSION=0.1.0 to VERSIONS (was undefined, bee-release had empty fields)
- Pin linux-lts-dev version in second apk add in build-nvidia-module.sh
- Add /root/.profile to overlay so /usr/local/bin is in PATH for SSH sessions
- Remove "DEBUG MODE" from motd
- Fix smoketest: grep for slog "audit output written" instead of non-existent "audit completed"
- Document no-internet constraint in system-overview and runtime-flows
- Remove redundant genapkovl copy to /var/tmp (now found via ~/.mkimage/)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

iso/builder/VERSIONS

@@ -1,4 +1,9 @@
 ALPINE_VERSION=3.21
 KERNEL_VERSION=6.12
+# Exact Alpine package version for linux-lts. Pin this to match builder headers with ISO kernel.
+# To update: check `apk info linux-lts` on the target Alpine 3.21 system, update both here and in
+# build-nvidia-module.sh + mkimg.bee.sh. Do NOT change without rebuilding NVIDIA modules cache.
+KERNEL_PKG_VERSION=6.12.76-r0
 NVIDIA_DRIVER_VERSION=590.48.01
 GO_VERSION=1.23.6
+AUDIT_VERSION=0.1.0