docs: add CloudShell FOG integration profile (draft)

[mdheller]

Summary

Adds a TurtleTerm-side integration profile for CloudShell FOG and a receipt-context smoke test proving CloudShell session context can be propagated through SourceOS terminal environment variables into TurtleTerm receipts.

Integration scope

This PR documents and validates:

• CloudShell FOG session/audit correlation
• TurtleTerm ownership of terminal receipt semantics
• SOURCEOS_* environment propagation from CloudShell context
• receipt context preservation for session, workspace, actor, policy bundle, and execution domain

CI triage status

Green on latest head:

• Trust Surface
• TurtleTerm Script Checks
• verify-pages

Remaining red checks are tracked separately:

• Linux native package build/verify: Stabilize native package build verification for RPM/Debian/Arch #7
• cargo-audit findings: Classify and remediate cargo-audit findings #8
• Homebrew install-from-HEAD validation: Stabilize Homebrew install-from-HEAD validation #9

Notes

During triage, this branch also fixed several packaging/script guard issues that were blocking Script Checks and package-layout validation:

• helper scripts are invoked through bash instead of relying on executable-bit preservation
• install guide now uses the TurtleTerm-facing turtleterm.lua profile path
• agentic integration plan avoids a forbidden lexical phrase while preserving the same security invariant

The remaining red checks are now narrowed to focused packaging/security follow-up issues rather than the CloudShell FOG receipt-correlation semantics themselves.

[mdheller]

CI triage update

Current head: 06390c6202b8e9b708d102e3e1ab5eb7275b95aa.

Green on latest head:

• Trust Surface
• TurtleTerm Script Checks
• verify-pages

Script Checks are now fully green, including Linux package layout, branding, product identity, native packaging guard, Neovim, release readiness, and agentic integration.

Remaining red:

• TurtleTerm Linux Packaging
• TurtleTerm Homebrew Validation
• TurtleTerm Security Checks

Narrowed findings:

• Linux package layout validation is green; failures are now in native package build/verify for RPM/Debian/Arch.
• Homebrew formula audit is green across matrix cells; failures occur at Install TurtleTerm formula from HEAD.
• Security is narrowed to cargo audit; wrapper safety is green.

Patches already pushed on this branch:

• invoke stage-linux-package.sh through bash in layout verification
• use turtleterm.lua in install guide profile activation paths
• remove forbidden lexical phrase from the agentic integration plan while preserving the invariant
• invoke RPM/Debian/Arch package builders through bash in verifier scripts
• invoke staging helper through bash in RPM spec, Debian builder, and Arch builder

Likely next native-packaging fix:

• verify whether package verifier assertions still expect product wrapper names under /usr/libexec/turtle-term/ where the staged private runtime contract uses wezterm, wezterm-gui, and wezterm-mux-server.
• align verifier assertions to the staged package layout contract that is now passing.

Note: attempted to apply this verifier-alignment patch through the connector, but the write was blocked by the tool safety layer, so no additional verifier edit was forced.