Fix release-blocking audit and Hermes checks

[peg]

Summary

• fail closed for Hermes auth-error responses instead of treating error-only bodies as allow decisions
• tighten audit verify --since anchor verification so only anchors proven outside the selected window are skipped
• sort rotated audit files by date and numeric .pN suffix for recovery and CLI verification
• refresh release compatibility harnesses/docs for latest Hermes/OpenClaw checks, including Hermes auth-error fail-closed coverage, OpenClaw tool-alias coverage, and latest OpenClaw via npm
• update CI, release, Docker, and upstream compatibility gates to Go 1.25.11 and stabilize CI test job names

Validation

• GitHub CI run 26989880335: all jobs passed
• git diff --check
• go vet ./...
• go test -count=1 ./...
• go test -race -count=1 ./internal/proxy
• go build -v ./cmd/rampart
• go1.25.11 vet ./...
• go1.25.11 test -count=1 ./...
• go1.25.11 run golang.org/x/vuln/cmd/govulncheck@v1.3.0 ./... (0 called vulnerabilities)
• python -m unittest internal/plugin/hermes/test_hermes_plugin.py
• python scripts/compat-hermes-latest.py (Hermes Agent v0.15.2, plugin v1.2.0, deny/ask/allow/auth-error/fail-closed/fail-open checks passed)
• node scripts/compat-openclaw-latest.mjs --npm-latest (OpenClaw 2026.6.1, plugin install/config/tool-alias harness checks passed)
• npm exec --yes --package openclaw@latest -- node scripts/test-openclaw-codex-native-audit.mjs --yes (OpenClaw 2026.6.1 CLI path, Codex native bash trajectory and Rampart canonical exec audit correlation passed)
• node internal/plugin/openclaw/smoke-test.mjs
• node internal/plugin/openclaw/tool-alias-test.mjs
• node internal/plugin/openclaw/approval-regression.mjs
• node internal/plugin/openclaw/degraded-mode-test.mjs
• mkdocs build --strict