chore: promote v1.2.0 release to main

[peg]

Summary

• Promote the v1.2.0 release candidate from staging to main.
• Include the hosted approval API foundation, Hermes audit/tool-call correlation, OpenClaw plugin discovery default preservation, OpenClaw provider-surface replay coverage, and audit-chain recovery hardening.
• Align release-facing docs, installer examples, bundled OpenClaw/Hermes plugin metadata, runtime-exported plugin versions, and the bundled OpenClaw policy stamp to 1.2.0.

Validation

• GitHub Actions passed on the latest staging merge commit 54fcc7a.
• Verified OpenClaw and Hermes bundled metadata/runtime versions report 1.2.0 on the exact origin/staging tree.
• Core local validation on 54fcc7a: go vet ./..., go test -count=1 ./..., go build -v ./cmd/rampart, installer sync/syntax checks, and git diff --check origin/main...HEAD.
• OpenClaw bundled plugin regressions: node internal/plugin/openclaw/smoke-test.mjs, tool-alias-test.mjs, provider-surface-replay.mjs, approval-regression.mjs, and degraded-mode-test.mjs.
• OpenClaw latest isolated compatibility: node scripts/compat-openclaw-latest.mjs --npm-latest passed against OpenClaw 2026.6.1 with plugin install, config validation, plugin inspection, and bundled harness checks.
• OpenClaw live runtime proof: RAMPART_OPENCLAW_RUNTIME=1 node scripts/test-openclaw-codex-native-audit.mjs passed on 54fcc7a; OpenClaw trajectory contained a native bash tool call for marker rampart-runtime-codex-shell-20260608163350, and Rampart audit recorded canonical exec event 01KTM1BG0V41HM4B7071WWKK43 with action allow.
• Hermes: python3 -m unittest internal/plugin/hermes/test_hermes_plugin.py passed, and python3 scripts/compat-hermes-latest.py --package hermes-agent passed against Hermes Agent v0.16.0 with deny blocking, allow continuation, ask blocking without resume, auth-error fail-closed behavior, mutating fail-closed behavior, and configured read fail-open behavior.
• Setup/help smoke remains covered by the release-candidate validation pass for OpenClaw and Hermes setup surfaces.

Notes

• Hermes support remains intentionally described as an experimental policy gate / hosted approval foundation, not full hosted approval/resume support.
• The audit recovery hardening fixes future restart/recovery behavior; it does not rewrite or repair already-broken historical audit chains.