Releases: Firma-AI/openfirma

v0.1.1

09 Jun 07:55
@github-actions github-actions


0.1.1

Released on 2026-06-09

Added

  • firma-run: gate non-structural backends on explicit opt-in

    Non-structural (proxy-only) backends (macOS vz, WSL2 wsl2) now fail
    closed by default. Users must pass --allow-non-structural, set
    allow_non_structural = true in firma.toml, or set
    FIRMA_RUN_ALLOW_NON_STRUCTURAL=1 to proceed.

    Runtime logs for non-structural backends emit a warn-level
    "backend compatibility proof" with mode=proxy_only enforced=false
    instead of the unqualified "backend network enforcement proof".

    Docs rewritten to make structural vs proxy-only the primary claim.

Changed

  • move firma-run.toml into firma.toml

  • share agent profile

Documentation

  • remove precompiled binary install path from quickstart

    The precompiled binary tab pointed at an install.openfirma.ai script and
    prebuilt downloads that do not exist yet (slated for v0.1.1). Drop the tab,
    flatten the from-source instructions into the single install method, and
    update the intro to reflect build-from-source.

Fixed

  • doctor,monitor: reflect runtime reality (FIR-193)

    Doctor verdicts contradicted what the runtime does. Make them match:

    • sandbox: reuse firma-run's WSL/userns detection. On WSL, bwrap is no
      longer [OK] (runtime refuses it) and wsl2 is [OK] (the selected
      backend), not "not supported on linux"; native-Linux userns sysctl
      off => bwrap [FAIL].
    • reachability: cross-check live per-run sidecars via sidecar markers and
      report them [OK]; absence of a long-lived daemon in a firma-run-only
      workflow is a [WARN], never a hard [FAIL].
    • optional dirs: capability seed and data dir report [OK] when absent
      (expected on a healthy install), not [WARN].

    Monitor showed nothing after a real decision. Two bugs:

    • per-run sidecars synthesized from the minimal template defaulted audit
      to stdout, which is discarded to the spawned sidecar's null stdout.
      Default the audit sink to file at <state_dir>/audit.jsonl (the path
      monitor tails) when the template configures none; explicit sinks win.
    • the tailer seeked to EOF even for one-shot reads, so
      'firma monitor --no-follow' never showed existing records. Read from
      start when one-shot or backfilling.

    Docs updated for the new doctor verdicts, follow vs one-shot, and the
    per-run default audit sink.

  • run: default FIRMA_RUN_BWRAP_RUNTIME_HOME to false (#124)

    • make FIRMA_RUN_BWRAP_RUNTIME_HOME false by default

    • fix(bwrap): rebind $HOME writable when runtime_home_isolation=false

    ro-bind on / makes $HOME read-only; without runtime_home_isolation the
    agent writes to real $HOME (config, session state, plugins) and hits
    EROFS. Add --bind $HOME $HOME before the tmpfs masks so writes succeed
    while mask_home_paths overlays still take precedence.

    • refactor(bwrap): extract bind_host_home helper to fix clippy too_many_lines

  • seccomp: embed policy in binary, extract to XDG_RUNTIME_DIR (#127)

    • fix(seccomp): embed policy in binary and extract to XDG_RUNTIME_DIR
    • Replace CARGO_MANIFEST_DIR default path (broken for installed binaries)
      with include_str! embedding; extracted to XDG_RUNTIME_DIR/firma/seccomp/
      on first use so users can inspect and override the file
    • Use default_runtime_dir() for seccomp artifact dir instead of temp_dir()
      (temp_dir() returns TMPDIR which bwrap's --tmpfs /tmp masks in nix-shell)
    • Add fs::write_private_file (0o600, atomic via OpenOptions::mode) to
      firma-stack; use it alongside create_private_dir_all (0o700) when
      extracting the policy to avoid a write+chmod race
    • Rename policies/ -> seccomp/ in source tree for clarity
    • refactor(seccomp): rename default_ -> ensure_, add staleness note and artifact dir log
    • Rename default_managed_policy_path -> ensure_managed_policy_path to
      signal side-effecting behavior (dir creation + file write)
    • Add doc comment to MANAGED_SECCOMP_POLICY noting stale-file behavior:
      existing file is not overwritten; delete to pick up a newer embedded version
    • Log seccomp artifact dir at debug level so operators can confirm which
      path is in use without needing strace
    • fix(clippy): shorten first doc paragraph, add semicolon in match arm

    • override file

    • add test

  • stack: probe correct transport for per-run sidecar health

    firma sidecar status reported a healthy per-run sidecar as unhealthy.
    probe_entry unconditionally connected to <marker_dir>/sidecar.sock, but
    an http_proxy per-run sidecar (the default profile) binds a loopback TCP
    port and exposes no UDS, so the probe always failed.

    Persist the interceptor listen endpoint in metadata.toml and probe the
    recorded transport: a bounded TCP connect when listen parses as a
    SocketAddr, else a UDS connect. Legacy markers without the field fall
    back to sidecar.sock, so daemon and pre-existing per-run behavior are
    unchanged.

    Closes FIR-195

  • cli: standardize warn/info/err formatting across CLI surfaces (FIR-211)

    Introduce firma::output with [OK]/[INFO]/[WARN]/[ERR] prefixes,
    TTY-gated owo-colors palette, and 80-col wrap with hanging indent. Wrap
    is skipped when stderr/stdout is not a TTY so scripted captures keep
    greppable single-line messages.

    Replace ad-hoc println! / eprintln! warning, info and error calls in
    main, services/{authority,config,doctor,monitor,sidecar,sidecar_status,
    supervise,token}, and policy/validate with the new helpers. Structured
    multi-line reports (key-gen, TLS bootstrap, scaffold) are left as-is so
    their column alignment survives.

    Doctor's pretty render gains color on its [OK]/[WARN]/[FAIL] tags
    through the same owo-colors TTY gate.

    Swap tracing-subscriber's default formatter for a compact one when
    logs go to stderr: emits [LEVEL] message key=value with no timestamp,
    target, or line number, and drops FmtSpan::CLOSE events. --log-file
    keeps the full structured format for machine consumers.

  • monitor: surface network-layer DENYs with identity + audit pre-pipeline denials (FIR-208)

    Network-layer DENYs were emitted but EnforcementDecision::Deny discarded
    the validated CapabilityClaims, so deny audit events had empty
    agent_id/token_id. firma monitor --agent <id> then dropped every deny
    while keeping allows. Pre-pipeline deny paths (malformed request,
    strict-MITM preflight fail-closed) emitted no audit event at all.

    • Add DenyIdentity to EnforcementDecision::Deny; populate in enforce_inner
      for Stage-2 and credential-injection denials so deny audit carries
      agent/token/context_hash attribution.

    • Add RequestHandler::emit_synthetic_deny; wire into all pre-pipeline
      bypass paths (deny_malformed helper, strict-MITM preflight) so those
      denials surface in monitor.

    • Document below-network (seccomp/filesystem) events as an explicit
      V0.1 limitation in the audit-log guide (not structurally feasible:
      SECCOMP_RET_ERRNO, bwrap EROFS, no audit channel from firma-run).

  • sidecar: standalone firma sidecar --config startup resilience (FIR-214)

    A firma config-scaffolded firma.toml only started via the firma run
    autostart path. Standalone firma sidecar --config <path> hit three
    startup blockers; fix them sidecar-side so the scaffold drift surface
    stays small.

    • Empty https_mitm.intercept_hosts no longer fatal. Add
      HttpsMitmConfig::is_active() (enabled AND non-empty hosts); validate()
      treats enabled-but-empty as disabled, and the HTTP interceptor skips
      building the MITM runtime (and CA load) when inactive.

    • Preflight falls back to [sidecar.authority].public_key_path when
      [sidecar.preflight].authority_pub_key_path is unset, via new
      resolve_authority_pub_key_path; error now names both sources.

    • listen_addr is already scaffolded; pinned by a standalone-startup
      regression test that also calls SidecarConfig::validate().

  • config: platform-aware scaffold backend, WSL selects wsl2 (FIR-191)

    firma config wrote backend = "bwrap" on WSL because WSL compiles as
    target_os = "linux"; the compile-time cfg gating could not tell WSL from
    native Linux, and WSL kernels refuse bwrap. The Linux branch of
    default_run_backend now probes detect_wsl() at runtime and routes through
    a pure backend_for_linux(WslKind): native Linux keeps bwrap, WSL selects
    wsl2. macOS (vz) and Windows (wsl2) are unchanged.

    Quickstart docs gain a per-platform default-backend table.

  • codex: detect and handle nested bwrap restrictions (#148)

    • fix codex inner bwrap error

    • improve tests

    • fix(codex): restrict danger-full-access to kernels that block nested bwrap

    Use kernel sysctls to detect restricted unprivileged user namespaces
    instead of applying danger-full-access unconditionally. Covers Ubuntu
    (AppArmor unpriv_bwrap), Debian ≥12, and hardened kernels with
    unprivileged_userns_clone=0. Other platforms keep workspace-write.

    • fix mac test

    • fix(codex): use nested bwrap probe and align profile config

    • Replace sysctl checks with a bwrap-inside-bwrap probe that catches
      all restriction mechanisms (AppArmor profiles, setuid bwrap, etc.)
    • Move nested_userns_restricted() to backend/platform.rs alongside
      userns_restricted()
    • Extract codex_executable_policy(restricted) to test both sandbox
      branches independently
    • Fix ensure_run_profiles_section to write [run....
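Added example for the per-run sidecar health probe described in the stack
note above (FIR-195). This is code written for this page, not openfirma's
own: it selects the transport the way the note describes (TCP when the
recorded listen value parses as a SocketAddr, otherwise a UDS path, with a
fallback to <marker_dir>/sidecar.sock for a legacy marker that has no
field), bounds the TCP connect with a timeout, and keeps the old UDS-only
probe beside it to show the false "unhealthy" verdict the note fixed. The
function names (select_transport, sidecar_healthy, legacy_probe_healthy),
the stand-in listeners, and the temp marker dir are assumptions; the real
probe_entry and the metadata.toml layout are not reproduced. Unix only.

```rust
// Added example, not openfirma's code. Names are assumptions.
use std::io;
use std::net::{SocketAddr, TcpListener, TcpStream};
use std::os::unix::net::{UnixListener, UnixStream};
use std::path::{Path, PathBuf};
use std::time::Duration;

/// Transport recorded for a sidecar, derived from the marker's listen field.
#[derive(Debug, PartialEq)]
enum Transport {
    Tcp(SocketAddr),
    Unix(PathBuf),
}

/// A listen value that parses as a socket address means an http_proxy sidecar
/// on loopback TCP; anything else is treated as a UDS path. A legacy marker with
/// no listen field falls back to <marker_dir>/sidecar.sock, the pre-existing
/// behaviour, so daemon sidecars are unaffected.
fn select_transport(marker_dir: &Path, listen: Option<&str>) -> Transport {
    match listen {
        Some(s) => match s.parse::<SocketAddr>() {
            Ok(addr) => Transport::Tcp(addr),
            Err(_) => Transport::Unix(PathBuf::from(s)),
        },
        None => Transport::Unix(marker_dir.join("sidecar.sock")),
    }
}

/// Bounded liveness probe: a connect that completes within `timeout` is healthy.
/// TCP gets an explicit connect timeout; a UDS connect fails fast when the
/// socket file is missing or nobody is listening, so no timer is needed there.
fn probe(target: &Transport, timeout: Duration) -> io::Result<()> {
    match target {
        Transport::Tcp(addr) => TcpStream::connect_timeout(addr, timeout).map(|_| ()),
        Transport::Unix(path) => UnixStream::connect(path).map(|_| ()),
    }
}

/// What a status command would run: probe the transport the marker recorded.
fn sidecar_healthy(marker_dir: &Path, listen: Option<&str>) -> bool {
    probe(&select_transport(marker_dir, listen), Duration::from_millis(500)).is_ok()
}

/// The old behaviour the note describes: always connect to sidecar.sock,
/// which an http_proxy per-run sidecar never creates.
fn legacy_probe_healthy(marker_dir: &Path) -> bool {
    probe(&Transport::Unix(marker_dir.join("sidecar.sock")), Duration::from_millis(500)).is_ok()
}

fn main() -> io::Result<()> {
    // Constructed scenario: a stand-in http_proxy sidecar on an ephemeral
    // loopback port, recorded as the marker's listen value.
    let tcp = TcpListener::bind("127.0.0.1:0")?;
    let listen = tcp.local_addr()?.to_string();
    let marker_dir = std::env::temp_dir().join(format!("firma-probe-{}", std::process::id()));
    std::fs::create_dir_all(&marker_dir)?;

    println!("recorded transport: {:?}", select_transport(&marker_dir, Some(listen.as_str())));
    println!("probe recorded transport: healthy={}", sidecar_healthy(&marker_dir, Some(listen.as_str())));
    println!("old UDS-only probe:       healthy={}", legacy_probe_healthy(&marker_dir));

    // A legacy marker (no listen field) that really has a UDS still resolves.
    let _uds = UnixListener::bind(marker_dir.join("sidecar.sock"))?;
    println!("legacy marker via sidecar.sock: healthy={}", sidecar_healthy(&marker_dir, None));
    std::fs::remove_dir_all(&marker_dir)
}
```

A connect that lands in the kernel backlog counts as healthy even if the
sidecar has not called accept yet; a stricter probe would send a request and
check the reply, which is beyond what the note describes.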
Assets 14

v0.1.0

26 May 07:58
@github-actions github-actions


0.1.0

Released on 2026-05-26

Added

  • add init arg to firma

  • install: add install.sh for Linux/macOS (FIR-82)

    POSIX shell installer for the firma CLI. Detects target triple from
    uname, resolves the latest release via the GitHub releases/latest
    redirect probe, downloads the .tar.gz + .sha256, verifies SHA-256,
    extracts into $HOME/.local/bin (overridable), ensures the dir is on
    PATH via the user's shell rc (bash/zsh/fish), and optionally prompts
    to run 'firma stack init'. Prefers 'brew install
    Firma-AI/openfirma/firma' when brew is present.

    Supports --version, --install-dir, --no-brew, --no-modify-path,
    --no-init, --force, --dry-run, plus FIRMA_* env-var equivalents.
    shellcheck-clean under --shell=sh; brew failures fall back to the
    tarball path; PATH edits are sentinel-guarded for idempotency.

  • install: add install.ps1 for Windows (FIR-82)

    Adds the PowerShell counterpart of install.sh. Detects arch, resolves
    the latest release via the GitHub redirect probe, downloads the .zip
    + .sha256, verifies SHA-256, extracts into a user-writable bin dir,
    adds that dir to the User PATH, and optionally runs firma stack init.

    Adds installer-lint.yml (shellcheck + PSScriptAnalyzer) and
    installer-smoke.yml (POSIX matrix + windows-latest) workflows.

  • cli: remove firma stack; add firma init; move start/stop to firma sidecar (FIR-182)

    Replace firma stack per CLI spec v0.5:

    • firma init scaffolds a project (config dir, keys, default
      policies). Supports interactive wizard, --yes, scripted
      (--agent, --provider, --workspace, --authority), and a
      user-global --global flag. Defaults to <cwd>/.firma/.
    • firma sidecar {start,stop} replace firma stack {start,stop};
      firma sidecar status covers the dropped firma stack status.
    • firma run calls the scaffold implicitly on first use when no
      firma.toml is discoverable.
    • firma_config::resolve_config gains a project-local tier that walks
      up from cwd looking for .firma/firma.toml (spec §4 step 1), ahead
      of the XDG/platform fallbacks.

    firma-stack crate is kept as the supervision library used by
    firma sidecar start/stop; only the CLI surface is rewritten.

    Docs, install scripts, demos, and tests refreshed accordingly.

  • init: split config_dir / state_dir; keys never in config tree

    • Add --state-dir flag (env: FIRMA_STATE_DIR; defaults to platform state
      dir via resolve_state_dir) to InitArgs

    • Rename output_dir → config_dir in CollectedInputs; add state_dir

    • Config tree (firma.toml, policies/, mappings/): mode 0700, no keys

    • State tree (authority.key, audit.key, revocations.txt, generated-CA):
      mode 0700, separate location — safe to commit config_dir to git

    • Template: all state paths are absolute {{ state_dir }}/... so they
      resolve correctly regardless of where firma.toml is loaded from

    • scaffold_from_plan aligned to same split

    • Tests: verify keys land in state_dir not config_dir, paths absolute

  • audit: add sandbox_id to ExecutionEvent and firma monitor filter (FIR-185)

    Per-run identity flows end-to-end so operators can attribute and filter
    audit events back to the firma run invocation that produced them.

    • proto: add sandbox_id (field 17) to ExecutionEvent

    • sidecar: EventBuilder::with_sandbox_id stamps the configured ID on
      every event and includes it in the ECDSA signing payload

    • startup: read FIRMA_RUN_SANDBOX_ID env at sidecar boot; empty when
      the sidecar is not autostarted by firma run

    • firma-run: SidecarSupervisor exports FIRMA_RUN_SANDBOX_ID on the
      spawned child so the marker dir name matches the audit field

    • firma monitor: --sandbox-id <id> filter, AuditLite.sandbox_id
      parsed for filtering, pretty output appends sandbox=<id> when set

    • docs-site: document the new field and filter in the audit-log guide

  • cli: unify firma run sidecar selection into authority-style flag (FIR-177)

    Replace the split --sidecar <auto|external> value-enum + --sidecar-endpoint
    + --no-autostart conflicts_with with a single --sidecar <local|url> flag,
    mirroring the existing --authority selection shape.
    • --sidecar local autostarts a per-run sidecar.
    • --sidecar tcp://...|unix://... targets an external sidecar; never autostarts.
    • omitted: persisted sidecar_endpoint (external) else local autostart.
    • --no-autostart stays global; incompatible with --sidecar local
      (typed SidecarLocalNoAutostart) and the no-endpoint case (MissingSidecar).

    Add SidecarCli/SidecarSelection + sidecar::resolve() resolved in resolve_profile;
    retire SidecarMode; simplify routing::resolve_effective_endpoint. Update CLI
    tests, docs/cli.md, the firma-run guide, README, and stray references.
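Added example serving two notes on this page: the v0.1.1 seccomp extraction
note (fs::write_private_file at 0o600 and create_private_dir_all at 0o700,
no write+chmod race, an existing file is not overwritten) and the v0.1.0
init note above (0700 config and state trees, keys kept out of the config
tree). This is code written for this page, not openfirma's own. The mode is
applied at creation time through OpenOptionsExt::mode and DirBuilderExt::mode,
so the file never exists with a wider mode; the content is written to a 0600
temp file and published with hard_link, which refuses to clobber an existing
target, then the temp name is removed. Publishing via hard_link instead of
rename is this example's choice, as is the timeout-free design; the names
(ensure_managed_file, write_private_file_if_absent, file_mode), the file name,
and the temp-dir stand-in for XDG_RUNTIME_DIR/firma/seccomp/ are assumptions.
Unix only.

```rust
// Added example, not openfirma's code. Names are assumptions.
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// mkdir -p with 0700 applied to every directory at creation. An existing
/// directory is left alone but rejected if group/world bits are set, rather
/// than silently widened or narrowed.
fn create_private_dir_all(dir: &Path) -> io::Result<()> {
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    let mode = fs::metadata(dir)?.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!("{} is group/world accessible (mode {:o})", dir.display(), mode),
        ));
    }
    Ok(())
}

/// Write `contents` to `path` with mode 0600 and without ever overwriting.
/// Returns Ok(true) if the file was published, Ok(false) if `path` already
/// existed (stale-file semantics: delete it to pick up a newer embedded copy).
fn write_private_file_if_absent(path: &Path, contents: &[u8]) -> io::Result<bool> {
    let dir = path.parent()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "path has no parent"))?;
    let name = path.file_name().and_then(|n| n.to_str())
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "path has no file name"))?;
    let tmp = dir.join(format!(".{name}.tmp-{}", std::process::id()));

    // create_new + mode: the inode is born 0600, there is no chmod window.
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(&tmp)?;
    f.write_all(contents)?;
    f.sync_all()?;
    drop(f);

    // link(2) fails with EEXIST if the target exists, so two racing writers
    // cannot replace each other's file; rename(2) would silently clobber.
    let published = match fs::hard_link(&tmp, path) {
        Ok(()) => true,
        Err(e) if e.kind() == io::ErrorKind::AlreadyExists => false,
        Err(e) => {
            let _ = fs::remove_file(&tmp);
            return Err(e);
        }
    };
    fs::remove_file(&tmp)?;
    Ok(published)
}

/// ensure_-style helper: private dir, then private file; reports whether
/// the embedded content was written this time.
fn ensure_managed_file(dir: &Path, name: &str, embedded: &[u8]) -> io::Result<bool> {
    create_private_dir_all(dir)?;
    write_private_file_if_absent(&dir.join(name), embedded)
}

fn file_mode(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

fn main() -> io::Result<()> {
    // Constructed stand-in for XDG_RUNTIME_DIR/firma/seccomp/ under the temp dir.
    let root = std::env::temp_dir().join(format!("firma-private-{}", std::process::id()));
    let dir = root.join("firma").join("seccomp");
    let v1 = b"# constructed embedded policy, version 1\n";
    let v2 = b"# constructed embedded policy, version 2\n";
    println!("first extract wrote:  {}", ensure_managed_file(&dir, "policy", v1)?);
    println!("second extract wrote: {} (existing file kept)", ensure_managed_file(&dir, "policy", v2)?);
    println!("on disk: {}", String::from_utf8_lossy(&fs::read(dir.join("policy"))?).trim_end());
    println!("dir mode {:o}, file mode {:o}", file_mode(&dir)?, file_mode(&dir.join("policy"))?);
    fs::remove_dir_all(&root)
}
```

The 0600/0700 values are still subject to the process umask, which can only
clear bits, so the result is never wider than requested. hard_link needs the
temp file and the target on the same filesystem, which holds when the temp
name lives in the target's own directory as here.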

Changed

  • use ancestors

Documentation

  • cli: improve cli help message to provide better help and context

    closes fir-181

  • quickstart: rewrite for binary install flow (FIR-180)

    Drop Rust/protoc/make prerequisites; firma now ships as a precompiled
    static binary. Replace git clone + make demo-ci with the install-script
    one-liner (install.openfirma.ai), then firma init and firma run as the
    zero-knowledge setup path. Add firma monitor to watch decisions and
    point useful references at firma doctor instead of the repo demo README.

  • readme: refresh README and add docs-site assets

  • release: add v0.1.0 release notes

    Human-written release notes for the v0.1.0 open-source launch: overview,
    install, and Known issues (firma monitor/doctor bug per FIR-193; prebuilt
    binaries are unsigned). Intended as the GitHub Release body for the v0.1.0 tag.

Fixed

  • install: strip v prefix from asset filenames; pin smoke version

    Release archives are published as firma--.{tar.gz,zip}
    (no v prefix), but install.sh/install.ps1 were building filenames with the
    full tag (v0.0.0) and 404ing on every download. Strip the v prefix when
    constructing ARCHIVE_NAME while keeping the v-tagged path segment for the
    release download URL.

    Pin FIRMA_VERSION=v0.0.0 in the smoke workflow so it does not rely on the
    releases/latest redirect, which excludes prereleases.

  • install: satisfy shellcheck SC2015 and PSScriptAnalyzer plural-noun

    • setup_tmp: rewrite [ -n ] && [ -d ] || die chain as an explicit
      if-block. SC2015 warns about A && B || C ambiguity; the explicit
      form is also easier to read.

    • Rename Get-AuthHeaders -> Get-AuthHeader to satisfy PSUseSingularNouns.

  • init: wire authority/sidecar listen addrs into template; add 0700 dirs

    • Add authority_listen, sidecar_listen, authority to CollectedInputs

    • Parameterize firma.toml.j2: [authority] block conditional on local
      authority; authority_url derived from AuthorityShape (local vs remote)

    • Set mode 0700 on output_dir and sensitive subdirs on Unix

    • Adapt init.rs integration tests to user's --output-dir API (not main's
      --config-dir/--state-dir split); rename mode test to match new layout

    • Fix cli_parsing test: use --name/--posture/--mapping (not --agent/--provider)

  • init: let sidecar use its own defaults; drop fixed port override

    The sidecar already defaults to unix_socket mode on Unix and http_proxy
    on Windows. Emitting mode/listen_addr in the template overrides that.
    Remove [sidecar.interceptor] block from the template so the sidecar
    picks the right transport per platform automatically. Drop sidecar_listen
    from CollectedInputs and ScaffoldPlan — no longer needed.

  • sidecar: hold ready until authority streams hydrate; rebase autostart template paths (FIR-183)

    Harden sidecar supervisor lifecycle so wrapped agents cannot race the
    readiness gate at startup.

    • Split the seven-line ready contract: emit lines 1-6 (log_pre_ready_sequence)
      immediately, then hold line 7 (ready) until both the policy-bundle and
      revocation streams report ready. With no authority_url, both flags are
      pre-seeded true so ready fires immediately (no behavior change).

    • Add ReadinessFlag::wait_until_fully_ready / snapshot and
      ReadinessState::fully_ready to drive the gate.

    • firma run autostart: rebase relative resource paths in the operator
      template (audit/policy/mapping/authority/capability_seed) onto the
      template's config dir, so they keep resolving against the operator's
      files after the synthesized config is written into the per-run marker dir.

  • wal: flaky test (#69)

    • fix(wal): flaky test

    • fix(wal): windows

    • more reliable test

  • generic profile mac and windows (#111)

  • policy: make scaffolded postures pass validation; authority validates bundle at load (FIR-190)

    The scaffolded postures referenced a schema that was never implemented, so
    firma policy validate failed on all three and the Authority loaded them
    parse-only (a forbid on an unknown action loaded fine and silently never
    fired). Two fixes:

    1. Conform the posture templates to the canonical Firma schema:

      • Drop the resource.id like "169.254.169.254*" forbid — Firma::Resource
        has no attributes, so it can't be expressed in Cedar. The metadata-endpoint
        block belongs at the network/sandbox layer; templates now say so.
      • Remove payment.refund / payment.payout from the payment auto-deny lists;
        neither action exists in the schema. payment.transfer / payment.purchase /
        browser.purchase remain.

      strict, dev, and dev-with-delete-watch now pass firma policy validate.

    2. Authority bundle load is now fail-closed on schema errors. Added
      firma_core::validate_policies (strict schema check) and cal...
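Added example for the readiness gate in the FIR-183 sidecar note above
(ready held until both the policy-bundle and revocation streams report
ready; with no authority both flags pre-seeded true). This is code written
for this page, not openfirma's own: a ReadinessState/ReadinessFlag pair on a
Mutex and Condvar, with the supervisor emitting the first six lines at once
and the seventh only when the gate opens. The bounded wait that fails closed
on timeout, the six placeholder line texts, and the method names
(wait_until_fully_ready, snapshot, fully_ready) are this example's
assumptions; the real seven-line contract and log_pre_ready_sequence are not
reproduced.

```rust
// Added example, not openfirma's code. Names and line texts are assumptions.
use std::sync::{Arc, Condvar, Mutex};
use std::time::{Duration, Instant};

/// Which authority streams have hydrated since boot.
#[derive(Clone, Copy, Debug, PartialEq)]
struct ReadinessState {
    policy_bundle: bool,
    revocations: bool,
}

impl ReadinessState {
    fn fully_ready(&self) -> bool {
        self.policy_bundle && self.revocations
    }
}

/// Shared between the stream tasks (writers) and the supervisor (waiter).
#[derive(Clone)]
struct ReadinessFlag {
    inner: Arc<(Mutex<ReadinessState>, Condvar)>,
}

impl ReadinessFlag {
    /// With no authority_url there is nothing to hydrate: pre-seed both flags
    /// true so the ready line fires immediately, as the note describes.
    fn new(has_authority: bool) -> Self {
        let seed = ReadinessState { policy_bundle: !has_authority, revocations: !has_authority };
        Self { inner: Arc::new((Mutex::new(seed), Condvar::new())) }
    }

    fn policy_bundle_ready(&self) { self.update(|s| s.policy_bundle = true); }
    fn revocations_ready(&self) { self.update(|s| s.revocations = true); }

    fn update(&self, f: impl FnOnce(&mut ReadinessState)) {
        let (lock, cv) = &*self.inner;
        let mut guard = lock.lock().unwrap();
        f(&mut *guard);
        cv.notify_all();
    }

    fn snapshot(&self) -> ReadinessState {
        *self.inner.0.lock().unwrap()
    }

    /// Block until both streams are ready or `timeout` elapses. Returns false
    /// on timeout so the caller withholds the ready line instead of releasing
    /// a wrapped agent against an empty policy bundle.
    fn wait_until_fully_ready(&self, timeout: Duration) -> bool {
        let (lock, cv) = &*self.inner;
        let deadline = Instant::now() + timeout;
        let mut state = lock.lock().unwrap();
        while !state.fully_ready() {
            let now = Instant::now();
            if now >= deadline {
                return false;
            }
            // Spurious wakeups loop back to the predicate check.
            state = cv.wait_timeout(state, deadline - now).unwrap().0;
        }
        true
    }
}

/// Supervisor side: the pre-ready lines go out immediately, the seventh only
/// once the gate opens. Returns the lines actually emitted.
fn supervise(flag: &ReadinessFlag, timeout: Duration) -> Vec<&'static str> {
    let mut lines = vec![
        "1 listening", "2 policy stream connecting", "3 revocation stream connecting",
        "4 audit sink open", "5 interceptor up", "6 preflight done",
    ];
    if flag.wait_until_fully_ready(timeout) {
        lines.push("7 ready");
    }
    lines
}

fn main() {
    // Constructed: an authority-backed sidecar whose streams hydrate 50 ms apart.
    let flag = ReadinessFlag::new(true);
    let streams = flag.clone();
    std::thread::spawn(move || {
        std::thread::sleep(Duration::from_millis(50));
        streams.policy_bundle_ready();
        std::thread::sleep(Duration::from_millis(50));
        streams.revocations_ready();
    });
    for line in supervise(&flag, Duration::from_secs(5)) {
        println!("{line}");
    }
    println!("final state: {:?}", flag.snapshot());
}
```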


v0.0.0

20 May 08:26
@github-actions github-actions

