Add runtime enforcement posture self-check #28

Merged
SSBrouhard merged 1 commit into main from codex/runtime-posture-self-check on Jun 10, 2026

@SSBrouhard

Owner

Summary

  • add a conservative runtime posture model that reports advisory/cannot_determine/hard_enforcement_ready instead of relying only on runbook discipline
  • expose posture through broker health metadata, GET /v1/posture, broker startup stderr, and vmga-operator posture
  • check broker auth, backend wrapper choice, approval/evidence modes, obvious agent-root path placement, evidence rotation, direct-bypass unknowns, and single-process boundary
  • document that posture is a runtime self-check, not a formal sandbox proof, and that unknowns do not count as hard-ready

Validation

  • .venv/bin/python -m pytest -q
  • .venv/bin/python -m compileall src tests scripts integrations
  • .venv/bin/python scripts/vmga_release_check.py
  • npm test && npm run plugin:validate (integrations/openclaw)
  • manual local posture smoke via operator_main

@SSBrouhard SSBrouhard merged commit 72b2fe5 into main Jun 10, 2026
5 checks passed
@SSBrouhard SSBrouhard deleted the codex/runtime-posture-self-check branch June 10, 2026 09:54
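
A sketch of the conservative aggregation the summary describes, added here as an example and not taken from the project's code. The check names, the `Result` type and the mapping of a failed check to `advisory` are assumptions; only the three posture names and the rule that unknowns never count as hard-ready come from the PR text.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    UNKNOWN = "unknown"


# Hypothetical labels for the areas listed in the PR summary.
REQUIRED_CHECKS = (
    "broker_auth",
    "backend_wrapper",
    "approval_mode",
    "evidence_mode",
    "agent_root_paths",
    "evidence_rotation",
    "direct_bypass",
    "single_process_boundary",
)


def evaluate_posture(results):
    """Fold per-check results into one posture value, conservatively."""
    findings = {}
    for name in REQUIRED_CHECKS:
        # A check that never reported is UNKNOWN, not an implicit pass.
        value = results.get(name, Result.UNKNOWN)
        if not isinstance(value, Result):
            value = Result.UNKNOWN  # malformed check output is also unknown
        findings[name] = value
    failed = sorted(n for n, r in findings.items() if r is Result.FAIL)
    unknown = sorted(n for n, r in findings.items() if r is Result.UNKNOWN)
    if failed:
        posture = "advisory"  # assumed mapping: a known gap means advisory only
    elif unknown:
        posture = "cannot_determine"  # unknowns never count as hard-ready
    else:
        posture = "hard_enforcement_ready"
    return {"posture": posture, "failed": failed, "unknown": unknown}


# Constructed sample: every check passes except the bypass check,
# which cannot be verified from inside the process.
SAMPLE = {name: Result.PASS for name in REQUIRED_CHECKS}
SAMPLE["direct_bypass"] = Result.UNKNOWN

if __name__ == "__main__":
    print(evaluate_posture(SAMPLE))
```

Reporting the `failed` and `unknown` lists alongside the posture value lets an operator see which check blocked the hard-ready state.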