Phase 16: add Byte Floor Audit layer #4
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: df417ce104
| const TEXT_EXTENSIONS = new Set([ | ||
| ".js", ".mjs", ".cjs", ".json", ".md", ".txt", ".yml", ".yaml", | ||
| ".toml", ".cmake", ".c", ".h", ".cpp", ".hpp", ".ts", ".tsx", | ||
| ".jsx", ".html", ".css", ".gitignore", ".gitattributes" |
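Review bot: The last line of the TEXT_EXTENSIONS set lists ".gitignore" and ".gitattributes", which are whole file names rather than extensions. If the lookup key comes from Node's path.extname, that call returns an empty string for a dotfile with no further dot, so these two entries would never match and a BOM in either file would not be gated. Consider matching dotfiles on their basename, and add a test that a BOM-prefixed .gitignore produces BOM_PRESENT.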
Expand BOM gate to cover all audited text source types
The BOM gate only treats files with extensions listed in TEXT_EXTENSIONS as blocking candidates, but common text source/script types in this repo set (for example .ps1 and .rs) are missing. As a result, BOM-bearing tracked files are marked bom_present: true yet do not produce BOM_PRESENT, allowing BYTE_VERIFIED to pass despite BOMs in executable/source text files; this is a false negative in the byte-floor policy.
| if (!exists) { | ||
| result.byte_status = "REPO_MISSING"; | ||
| return result; |
Emit failure_codes when repository path is missing
When a repo directory does not exist, auditRepo returns early with byte_status: "REPO_MISSING" before initializing failure_codes. Downstream trail output maps failure_codes from blocked repos, so missing-repo entries lose their reason metadata (the field is omitted), which breaks diagnostics/consumers that rely on explicit block codes. Populate failure_codes before this early return.
Adds the Byte Floor Audit layer for Ring 2. The audit hashes tracked file bytes, detects BOMs, records dirty worktree state, checks required files, verifies verify-output.json status, emits audit-output.json, writes AUDIT-MANIFEST.sha256, and appends AUDIT-TRAIL.ndjson. The recorded Ring 2 audit passes with BYTE_GATE_PASS_VERIFIED across 8 of 8 repositories.
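The BOM gate and missing-repo behaviour raised in the two review comments above, as an added example that is not the project's code: it gates on file bytes with a deny-by-default rule instead of a text-extension allowlist, and fills failure_codes on every return path. The function names, the BINARY_EXTENSIONS list, the "BLOCKED" status and the use of REPO_MISSING as a failure code are assumptions.

```javascript
// Added example, not the project's code. Names, the binary list, "BLOCKED" and
// REPO_MISSING as a failure code are assumptions; other strings are the page's.
const UTF8_BOM = [0xef, 0xbb, 0xbf];

// Assumed formats where leading EF BB BF bytes would not be a text BOM.
const BINARY_EXTENSIONS = new Set([".png", ".jpg", ".gif", ".zip", ".pdf", ".wasm"]);

function hasUtf8Bom(bytes) {
  return bytes.length >= 3 && UTF8_BOM.every((b, i) => bytes[i] === b);
}

// Extension of the final path segment. A dotfile such as ".gitignore"
// yields its whole name, so it is never treated as extensionless.
function extensionOf(filePath) {
  const name = filePath.split("/").pop();
  const dot = name.lastIndexOf(".");
  return dot === -1 ? "" : name.slice(dot).toLowerCase();
}

// files: array of { path, bytes } for tracked files, or null if the repo is missing.
function auditBoms(files) {
  const result = { byte_status: "BYTE_VERIFIED", failure_codes: [], bom_files: [] };
  if (files === null) {
    result.byte_status = "REPO_MISSING";
    result.failure_codes.push("REPO_MISSING"); // reason survives the early return
    return result;
  }
  for (const { path, bytes } of files) {
    if (!hasUtf8Bom(bytes)) continue;
    // Deny by default: a BOM blocks unless the type is known binary.
    if (!BINARY_EXTENSIONS.has(extensionOf(path))) result.bom_files.push(path);
  }
  if (result.bom_files.length > 0) {
    result.byte_status = "BLOCKED";
    result.failure_codes.push("BOM_PRESENT");
  }
  return result;
}

// Constructed sample input: two BOM-prefixed files of types the review names.
const withBom = (text) => Buffer.concat([Buffer.from(UTF8_BOM), Buffer.from(text)]);
const SAMPLE_FILES = [
  { path: "scripts/build.ps1", bytes: withBom("Write-Host ok\n") },
  { path: "src/lib.rs", bytes: withBom("fn main() {}\n") },
  { path: "README.md", bytes: Buffer.from("# clean\n") },
];
console.log(auditBoms(SAMPLE_FILES));
```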