Add managed enterprise config

[jmcte]

Summary

• Closes Roadmap: MDM-friendly managed config for enterprise rollouts #51 by adding managed macOS preference support for the dev.omt.apw domain before ~/.apw/config.json.
• Adds managed/user/default provenance to apw doctor --json through a managed-config check.
• Adds enterprise deployment docs with a sample .mobileconfig payload and links it from the docs index.
• Extends config/runtime schema for managed supportedDomains and disableDemo, and lets associated-domain doctor checks consume configured domains.
• Preserves invalid user-config failures under MDM so managed preferences do not silently bypass malformed or unsafe local config files.
• Keeps the associated-domain doctor probe non-destructive: malformed user config is preserved while supportedDomains are read from managed preferences or a best-effort user-config parse.

Verification

• cargo fmt --manifest-path rust/Cargo.toml -- --check
• cargo clippy --manifest-path rust/Cargo.toml --all-targets -- -D warnings
• cargo test --manifest-path rust/Cargo.toml utils::tests::supported_domain_probe_read -- --nocapture
• cargo test --manifest-path rust/Cargo.toml doctor::tests::associated_domains_check_skipped_when_env_unset -- --nocapture
• cargo test --manifest-path rust/Cargo.toml read_config_applies_managed_preferences_before_user_config -- --nocapture
• cargo test --manifest-path rust/Cargo.toml config_provenance_reports_specific_setting_sources -- --nocapture
• cargo test --manifest-path rust/Cargo.toml managed_config_check_reports_setting_provenance_in_json -- --nocapture
• cargo test --manifest-path rust/Cargo.toml managed_preferences_do_not_mask_invalid_user_config -- --nocapture
• bash scripts/ci/run-fast-checks.sh
• git diff --check
• cargo test --manifest-path rust/Cargo.toml (outside sandbox; sandboxed local sockets fail with Operation not permitted)

Notes

• This PR does not include the broader mutation/CRAP indicator work; that is tracked separately in Add mutation and CRAP quality indicators #64 for Roadmap: threat-model refresh after legacy runtime removal #55.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 755627de56

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Prevent doctor from mutating config on read failures

When APW_AASA_DOMAINS is unset, this check now calls read_config_file(), which can invoke clear_config() on malformed/unsupported user config and delete ~/.apw/config.json. That makes apw doctor destructive: simply running diagnostics can erase operator state instead of just reporting it. This is reproducible with an invalid JSON config file and no env override, and should be avoided by using a non-destructive read path for supportedDomains.

Useful? React with 👍 / 👎.