Fix critical ISO build bugs: kernel pinning, service registration, PATH, audit checks

- Pin linux-lts to exact KERNEL_PKG_VERSION=6.12.76-r0 in build and ISO package list
- Add build-time verification that compiled kernel version matches pin (fails loudly)
- Fix bee-audit-debug → bee-audit in genapkovl OpenRC registration (service was never starting)
- Add AUDIT_VERSION=0.1.0 to VERSIONS (was undefined, bee-release had empty fields)
- Pin linux-lts-dev version in second apk add in build-nvidia-module.sh
- Add /root/.profile to overlay so /usr/local/bin is in PATH for SSH sessions
- Remove "DEBUG MODE" from motd
- Fix smoketest: grep for slog "audit output written" instead of non-existent "audit completed"
- Document no-internet constraint in system-overview and runtime-flows
- Remove redundant genapkovl copy to /var/tmp (now found via ~/.mkimage/)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

iso/builder/build.sh

@@ -25,6 +25,7 @@ while [ $# -gt 0 ]; do
 done
 
 . "${BUILDER_DIR}/VERSIONS"
+export KERNEL_PKG_VERSION
 export PATH="$PATH:/usr/local/go/bin"
 
 # NOTE: lz4 compression for modloop is disabled — Alpine initramfs may not support lz4 squashfs.
@@ -112,10 +113,25 @@ done
 # --- build NVIDIA kernel modules and inject into overlay ---
 echo ""
 echo "=== building NVIDIA ${NVIDIA_DRIVER_VERSION} modules ==="
-sh "${BUILDER_DIR}/build-nvidia-module.sh" "${NVIDIA_DRIVER_VERSION}" "${DIST_DIR}"
+sh "${BUILDER_DIR}/build-nvidia-module.sh" "${NVIDIA_DRIVER_VERSION}" "${DIST_DIR}" "${KERNEL_PKG_VERSION}"
 
-# Determine kernel version (same as what goes into the ISO — both use linux-lts from same Alpine)
+# Determine kernel version from installed headers (must match KERNEL_PKG_VERSION)
 KVER=$(ls /usr/src/ 2>/dev/null | grep '^linux-headers-' | sed 's/linux-headers-//' | sort -V | tail -1)
+
+# Build-time verification: ensure modules were compiled for the pinned kernel version.
+# KERNEL_PKG_VERSION is like "6.12.76-r0"; KVER is like "6.12.76-0-lts".
+# Extract numeric part from both and compare.
+PINNED_KVER="$(echo "${KERNEL_PKG_VERSION}" | sed 's/-r[0-9]*//')"
+RUNNING_KVER="$(echo "${KVER}" | sed 's/-[0-9]*-lts//')"
+if [ "${PINNED_KVER}" != "${RUNNING_KVER}" ]; then
+    echo "ERROR: kernel version mismatch!"
+    echo "  VERSIONS pins: ${KERNEL_PKG_VERSION} (numeric: ${PINNED_KVER})"
+    echo "  Installed headers: ${KVER} (numeric: ${RUNNING_KVER})"
+    echo "  Update KERNEL_PKG_VERSION in iso/builder/VERSIONS to match installed headers."
+    exit 1
+fi
+echo "=== kernel version OK: ${KVER} matches pin ${KERNEL_PKG_VERSION} ==="
+
 NVIDIA_CACHE="${DIST_DIR}/nvidia-${NVIDIA_DRIVER_VERSION}-${KVER}"
 
 # Inject .ko files into overlay at /usr/local/lib/nvidia/ (not /lib/modules/ — modloop squashfs
@@ -176,12 +192,9 @@ if [ -d /var/tmp/bee-iso-work ]; then
         -exec rm -rf {} + 2>/dev/null || true
 fi
 
-# Run from /var/tmp to avoid git repo context conflicts and to ensure enough scratch space.
 # mkinitfs/update-kernel use TMPDIR for initramfs build; tmpfs /tmp is only ~1GB.
-# mkimage.sh sources genapkovl-*.sh from CWD (not from ~/.mkimage), so copy it here too.
+# genapkovl-bee.sh is found by mkimage via ~/.mkimage/ (copied above) — no CWD dependency.
 export TMPDIR=/var/tmp
-cp "${BUILDER_DIR}/genapkovl-bee.sh" /var/tmp/
-cd /var/tmp
 sh /usr/share/aports/scripts/mkimage.sh \
     --tag "v${ALPINE_VERSION}" \
     --outdir "${DIST_DIR}" \