Problem
Generated audit tests can become stale when routes, policies, posture schema, or compiler behavior changes. The emitted tests are readable and useful, but they do not currently carry enough identity data for CI to tell whether they still match the current project posture.
Verified in this checkout:
- internal/appgen/audit_tests.go generates TestGOWDKAuditGeneratedSecurityPosture from scenarios.
- gowdk audit --emit-tests writes a standalone test, and gowdk audit --run builds a temporary generated app and runs generated tests.
- The generated test source does not embed posture schema version, compiler version, policy digest, or posture digest.
- There is no gowdk audit --check-tests command/flag.
Acceptance criteria
- Embed posture schema version, compiler version, policy digest, and posture digest in emitted audit tests.
- Add gowdk audit --check-tests or equivalent CI mode that fails when checked-in generated audit tests are stale.
- Define how policy/route/config changes update the digest.
- Add docs for the intended workflow: emit, commit, check in CI, regenerate on policy/posture changes.
- Expand generated fixtures to cover anonymous users, authenticated users, multiple roles/permissions, expired sessions where supported, missing/invalid CSRF, and denied resource access through an app-supplied adapter.
- Keep standalone tests honest about what they cannot prove, and steer endpoint/auth scenarios to generated-app/runtime tests when needed.
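
One way the embedded identity data and the stale check could fit together, as an added example that is not gowdk's own code. The Posture type, the "// gowdk-audit:" stamp marker and the digest construction are all assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Posture is a hypothetical stand-in for the project posture; field names are assumptions.
type Posture struct {
	Schema, Compiler, Policy string
	Routes                   map[string]string // route -> required policy
}

const prefix = "// gowdk-audit:" // hypothetical stamp marker

func digest(parts ...string) string { // NUL-separated; assumes fields contain no NUL
	return fmt.Sprintf("sha256:%x", sha256.Sum256([]byte(strings.Join(parts, "\x00"))))
}

// Stamp returns the identity header lines an emitted test file would carry.
func Stamp(p Posture) []string {
	parts := []string{p.Schema, digest(p.Policy)}
	for route, policy := range p.Routes {
		parts = append(parts, route+" => "+policy)
	}
	sort.Strings(parts[2:]) // map order is random; sort routes for a stable digest
	return []string{prefix + "posture-schema=" + p.Schema, prefix + "compiler=" + p.Compiler,
		prefix + "policy-digest=" + parts[1], prefix + "posture-digest=" + digest(parts...)}
}

// Stale names the stamps in a checked-in test file that no longer match the posture.
func Stale(src string, p Posture) (stale []string) {
	for _, want := range Stamp(p) {
		if !strings.Contains("\n"+src+"\n", "\n"+want+"\n") { // missing or changed
			key, _, _ := strings.Cut(strings.TrimPrefix(want, prefix), "=")
			stale = append(stale, key)
		}
	}
	return stale
}

func main() {
	p := Posture{Schema: "1", Compiler: "v0.0.0-example", Policy: "admin requires role admin",
		Routes: map[string]string{"GET /admin": "admin"}} // constructed sample
	src := strings.Join(Stamp(p), "\n") + "\npackage audit_test\n" // emitted and committed
	p.Routes["GET /admin"] = "public"                               // later route change
	fmt.Println("stale:", Stale(src, p))                            // a CI mode would exit non-zero here
}
```

Because the posture digest covers the policy digest, a policy edit marks both stamps stale, while a route-only change marks only the posture digest.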