
Implement audit closure hardening and docs #34

Merged
Telli merged 4 commits into main from codex/audit-closure-docs
Mar 27, 2026

Conversation

@Telli Telli (Contributor) commented Mar 25, 2026

Updated the docs to match the implemented audit-closure work, including README.md, SECURITY.md, docs/COMPATIBILITY.md, docs/QUICKSTART.md, docs/USER_GUIDE.md, docs/TOOLS_GUIDE.md, docs/sandboxing.md, docs/ROADMAP.md, and docs/architecture-startup-refactor.md. The updates cover the hardened plugin IPC model, approval posture and simulator, incident export, estimated token admission control, sandbox lease observability, and the staged startup composition.


augmentcode bot commented Mar 25, 2026

augment review


augmentcode bot commented Mar 25, 2026

🤖 Augment PR Summary

Summary: This PR closes out audit items by hardening plugin IPC, expanding operator/admin tooling, and updating documentation to match the new security posture surfaces.

Changes:

  • Hardened JS/TS plugin bridge transports (socket/hybrid) with per-plugin private runtime socket directories and an authenticated local IPC handshake.
  • Added admin/operator endpoints: GET /admin/posture, POST /admin/approvals/simulate, and GET /admin/incident/export, plus matching CLI commands.
  • Introduced optional estimated-token admission control to reject turns before calling the LLM when remaining session budget is likely insufficient.
  • Made session admission stricter (serialized admission + explicit capacity rejection) and improved session-lock cleanup/disposal on shutdown.
  • Expanded RuntimeMetrics to cover approvals, session capacity/evictions, plugin bridge auth/restarts, browser cancellation resets, and sandbox lease lifecycle.
  • Added atomic JSON file persistence helpers and applied them to operator/admin stores (policies, metadata, grants, audit).
  • Enforced plugin-root containment for package entry paths and native dynamic plugin assembly paths with structured diagnostics.
  • Updated docs (README/SECURITY/Guides/Roadmap) to reflect the hardened IPC model, approval semantics, incident export, sandbox observability, and staged startup composition.

Technical Notes: Adds new tests covering admission control, posture/simulation/export endpoints, bridge auth, socket transport auth failures, plugin containment checks, and new observability counters.

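The summary above mentions plugin-root containment for package entry paths and native plugin assembly paths. The following is an added example of how such a containment check is typically written in .NET; it is not the project's code, and `PluginPathGuard`, `ContainmentResult` and `ResolveWithinRoot` are hypothetical names. It goes slightly beyond the summary by also checking symlinks, which a purely lexical prefix check does not see through.

```csharp
using System;
using System.IO;

// Added example (not the project's implementation). Resolves a plugin entry
// path against the plugin root and rejects anything that escapes it.
public static class PluginPathGuard
{
    // Structured result so callers can log a reason instead of a bare bool.
    public sealed record ContainmentResult(bool Allowed, string? ResolvedPath, string? Reason);

    public static ContainmentResult ResolveWithinRoot(string pluginRoot, string relativeEntry)
    {
        if (string.IsNullOrWhiteSpace(relativeEntry))
            return new(false, null, "entry path is empty");

        // An absolute entry path can never be "inside" the root by intent; reject it early
        // rather than letting Path.Combine silently discard the root.
        if (Path.IsPathRooted(relativeEntry))
            return new(false, null, "entry path must be relative to the plugin root");

        // Canonicalize both sides so "..", "." and mixed separators are collapsed.
        string root = Path.GetFullPath(pluginRoot);
        string candidate = Path.GetFullPath(Path.Combine(root, relativeEntry));

        // Compare on a directory boundary: "/plugins/foo" must not match "/plugins/foobar/x.dll".
        string rootWithSep = root.EndsWith(Path.DirectorySeparatorChar)
            ? root
            : root + Path.DirectorySeparatorChar;

        // Windows file systems are case-insensitive; Unix ones are not.
        var comparison = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        if (!candidate.StartsWith(rootWithSep, comparison))
            return new(false, candidate, $"entry path escapes plugin root: {relativeEntry}");

        // The lexical check above does not see through symlinks. When the file exists and is
        // a link, resolve its final target and apply the same containment rule (.NET 6+ APIs).
        var info = new FileInfo(candidate);
        if (info.Exists && info.LinkTarget is not null)
        {
            var target = info.ResolveLinkTarget(returnFinalTarget: true);
            if (target is not null &&
                !Path.GetFullPath(target.FullName).StartsWith(rootWithSep, comparison))
            {
                return new(false, candidate, "entry path is a symlink pointing outside the plugin root");
            }
        }

        return new(true, candidate, null);
    }
}
```

With this shape, `ResolveWithinRoot("/opt/plugins/foo", "../../etc/passwd")` and `ResolveWithinRoot("/opt/plugins/foo", "/etc/passwd")` both come back with `Allowed == false` and a reason suitable for a structured diagnostic, while `ResolveWithinRoot("/opt/plugins/foo", "bin/entry.dll")` resolves to the canonical path under the root.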

@augmentcode augmentcode bot left a comment


Review completed. 3 suggestions posted.


```csharp
try
{
    if (Directory.Exists(_socketDirectory))
        Directory.Delete(_socketDirectory, recursive: true);
```

DisposeCoreAsync recursively deletes _socketDirectory; when SocketPath is configured, _socketDirectory is derived from Path.GetDirectoryName(socketPath) and may point at an operator-managed directory. That can cause unintended permission/deletion attempts outside the bridge’s private runtime directory.

Severity: high

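One way to address the review comment above is to record at construction time whether the bridge created the socket directory, and only recurse-delete on disposal when it did. The block below is an added example, not the project's code; `SocketTransportLifetime`, `ForConfiguredPath` and `CreatePrivate` are hypothetical names, and the permission call assumes .NET 7 or later.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;

// Added example (not the project's implementation). The socket file is always
// ours to remove; the directory is removed only when this instance created it.
public sealed class SocketTransportLifetime : IAsyncDisposable
{
    private readonly string _socketPath;
    private readonly string _socketDirectory;
    private readonly bool _ownsSocketDirectory;

    private SocketTransportLifetime(string socketPath, string socketDirectory, bool ownsDirectory)
    {
        _socketPath = socketPath;
        _socketDirectory = socketDirectory;
        _ownsSocketDirectory = ownsDirectory;
    }

    // Operator-configured SocketPath: reuse the existing directory and never claim ownership.
    public static SocketTransportLifetime ForConfiguredPath(string socketPath)
    {
        string dir = Path.GetDirectoryName(Path.GetFullPath(socketPath))
            ?? throw new ArgumentException("socket path has no directory component", nameof(socketPath));
        if (!Directory.Exists(dir))
            throw new DirectoryNotFoundException($"configured socket directory does not exist: {dir}");
        return new(socketPath, dir, ownsDirectory: false);
    }

    // Default: a fresh, per-plugin private directory under the runtime root that we own.
    public static SocketTransportLifetime CreatePrivate(string runtimeRoot, string pluginId)
    {
        string dir = Path.Combine(Path.GetFullPath(runtimeRoot), pluginId, Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dir);
        if (!OperatingSystem.IsWindows())
        {
            // 0700: only the bridge's own user may traverse the directory (File.SetUnixFileMode is .NET 7+).
            File.SetUnixFileMode(dir, UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.UserExecute);
        }
        return new(Path.Combine(dir, "bridge.sock"), dir, ownsDirectory: true);
    }

    public string SocketPath => _socketPath;
    public bool OwnsSocketDirectory => _ownsSocketDirectory;

    public ValueTask DisposeAsync()
    {
        try
        {
            // Remove the listening socket file in both modes.
            if (File.Exists(_socketPath))
                File.Delete(_socketPath);

            // Only an owned, private directory is ever deleted recursively.
            if (_ownsSocketDirectory && Directory.Exists(_socketDirectory))
                Directory.Delete(_socketDirectory, recursive: true);
        }
        catch (IOException)
        {
            // Best-effort cleanup on shutdown; a real implementation logs this.
        }
        catch (UnauthorizedAccessException)
        {
        }
        return ValueTask.CompletedTask;
    }
}
```

A practical caveat when choosing the private directory: Unix domain socket paths are limited to roughly 108 bytes on Linux, so a deep runtime root plus a plugin id plus a GUID can exceed the limit; keeping the generated segment short, or checking the final path length before binding, avoids a confusing bind failure.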

```csharp
    .ToArray();

var autonomyHook = new AutonomyHook(effectiveTooling, NullLogger.Instance);
var allowed = await autonomyHook.BeforeExecuteAsync(request.ToolName!, argumentsJson, ct);
```

Approval simulation normalizes file_write → write_file for the approval-gated check, but the autonomy check calls AutonomyHook.BeforeExecuteAsync with the raw request.ToolName. If callers use the file_write alias, the simulator could report allow in readonly mode even though write_file would be treated as write-capable.

Severity: medium

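The divergence described in the comment above disappears if the alias is canonicalized once and every downstream check consumes the canonical name. The block below is an added example of that pattern and not the project's code; `ToolNameNormalizer`, `ApprovalSimulator`, the alias table and the write-capable tool set are all hypothetical stand-ins for the real policy objects.

```csharp
using System;
using System.Collections.Generic;

// Added example (not the project's implementation). Canonicalize tool-name
// aliases in one place so no check can see a different name than another.
public static class ToolNameNormalizer
{
    // Hypothetical alias table; the real one lives in the tool registry.
    private static readonly Dictionary<string, string> Aliases = new(StringComparer.OrdinalIgnoreCase)
    {
        ["file_write"] = "write_file",
        ["file_read"] = "read_file",
    };

    public static string Canonicalize(string toolName)
    {
        if (string.IsNullOrWhiteSpace(toolName))
            throw new ArgumentException("tool name is required", nameof(toolName));
        string trimmed = toolName.Trim();
        return Aliases.TryGetValue(trimmed, out var canonical) ? canonical : trimmed;
    }
}

// Hypothetical simulator: the approval-gate decision and the autonomy (readonly)
// decision both run on the same canonical name, so "file_write" and "write_file"
// can no longer produce different answers.
public sealed class ApprovalSimulator
{
    private readonly HashSet<string> _writeCapableTools = new(StringComparer.Ordinal) { "write_file", "shell" };
    private readonly bool _readOnlyMode;

    public ApprovalSimulator(bool readOnlyMode) => _readOnlyMode = readOnlyMode;

    public (bool Allowed, string Reason) Simulate(string requestedToolName)
    {
        string tool = ToolNameNormalizer.Canonicalize(requestedToolName);
        bool writeCapable = _writeCapableTools.Contains(tool);

        // Autonomy check: readonly mode blocks every write-capable tool, alias or not.
        if (_readOnlyMode && writeCapable)
            return (false, $"{tool} is write-capable and autonomy mode is readonly");

        // Approval-gate check: write-capable tools need an operator approval (placeholder policy).
        bool approvalGated = writeCapable;
        return approvalGated
            ? (true, $"{tool} allowed but requires approval")
            : (true, $"{tool} allowed");
    }
}
```

With this structure `new ApprovalSimulator(readOnlyMode: true).Simulate("file_write")` returns `Allowed == false`, the same answer as for `"write_file"`, which is the property the review asks for; passing the raw alias to only one of the two checks is what lets them disagree.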

```csharp
    return true;
}

private static bool IsEstimatedBudgetAdmissionError(Exception ex)
```

IsEstimatedBudgetAdmissionError relies on substring-matching the exception message, so a wording change would make admission-control rejections look like provider failures and return the generic error text. A dedicated exception type/code would make this path more robust.

Severity: medium

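The dedicated exception type the comment above suggests is shown below as an added example, not the project's code; `EstimatedBudgetAdmissionException`, `AdmissionControl`, the `Code` constant and the message wording are all hypothetical. The brittle message-matching classifier is kept beside the typed one to make the failure mode concrete.

```csharp
using System;

// Added example (not the project's implementation). Admission rejections carry
// their own exception type and a stable code, so classification never depends
// on the message text.
public sealed class EstimatedBudgetAdmissionException : Exception
{
    public const string Code = "budget.estimated_admission_rejected";
    public int EstimatedTokens { get; }
    public int RemainingBudget { get; }

    public EstimatedBudgetAdmissionException(int estimatedTokens, int remainingBudget)
        : base($"Estimated turn cost {estimatedTokens} tokens exceeds remaining session budget {remainingBudget}")
    {
        EstimatedTokens = estimatedTokens;
        RemainingBudget = remainingBudget;
    }
}

public static class AdmissionControl
{
    // Reject before the LLM call when the estimate cannot fit the remaining budget.
    public static void AdmitOrThrow(int estimatedTokens, int remainingBudget)
    {
        if (estimatedTokens > remainingBudget)
            throw new EstimatedBudgetAdmissionException(estimatedTokens, remainingBudget);
    }

    // The pattern the review flagged: any change to the wording silently turns an
    // admission rejection into a "provider failure" with the generic error text.
    public static bool IsAdmissionErrorByMessage(Exception ex) =>
        ex.Message.Contains("exceeds remaining session budget", StringComparison.Ordinal);

    // Robust form: the type is the contract. Wording can change freely.
    public static bool IsAdmissionError(Exception ex) =>
        ex is EstimatedBudgetAdmissionException;

    // Surface the admission reason to the caller; everything else stays generic.
    public static string ToUserFacingError(Exception ex) => ex switch
    {
        EstimatedBudgetAdmissionException e =>
            $"Turn rejected before the LLM call: needs ~{e.EstimatedTokens} tokens, " +
            $"{e.RemainingBudget} left ({EstimatedBudgetAdmissionException.Code}).",
        _ => "The model provider returned an error. Please retry.",
    };
}
```

If the exception must cross a process or serialization boundary (for example into the incident export), carry `Code` as a field in the serialized error rather than the message, for the same reason: the code is stable, the prose is not.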

@Telli Telli merged commit 59bd907 into main Mar 27, 2026
5 checks passed