fix(v1.8.1): align audit verifier with EventChainWriter canonical chain#49

Merged: lopadova merged 2 commits into main from task/v1.8.1-audit-canonical-reconcile on May 20, 2026


@lopadova
Contributor

## Summary
- align compliance verifier with runner writer canonicalization
- first event now expects prev_hash=null (seed remains internal all-zero for hash input)
- hash recomputation excludes prev_hash/hash from canonical body
- tests/docs updated for the reconciled contract

## Validation
- bun run typecheck
- bun run lint
- bun run --filter @aqa/compliance test
- bun run --filter @aqa/runner test
- bun run --filter @aqa/kit test run-cmd.test.ts


Copilot AI left a comment

Pull request overview

This PR reconciles the audit hash-chain verification logic in @aqa/compliance with the canonical chain produced by @aqa/runner’s EventChainWriter, so valid events.jsonl logs verify consistently across the toolchain.

Changes:

  • Update verifyEventChain to treat the first persisted record as prev_hash: null while still using the internal all-zero seed for hashing, and to exclude prev_hash/hash from the canonicalized body when recomputing hashes.
  • Adjust compliance tests to generate events consistent with the writer’s canonical contract.
  • Update kit test commentary and add docs entries capturing the reconciliation.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| packages/kit/test/run-cmd.test.ts | Updates the local test verifier commentary to reflect the now-shared canonical contract while keeping the implementation local. |
| packages/compliance/test/compliance.test.ts | Updates fixtures to set prev_hash: null for the first event and to hash only the non-hash/non-prev body. |
| packages/compliance/src/audit-verify.ts | Aligns verifier logic with EventChainWriter by making first-record prev_hash nullable and excluding prev_hash from the canonical hash body. |
| docs/PROGRESS.md | Records closure of the v1.8.1 audit-chain reconciliation slice. |
| docs/LESSON.md | Captures the key lesson that writer/verifier must share the exact canonicalization contract. |

Comments suppressed due to low confidence (1)

packages/compliance/src/audit-verify.ts:12

  • Top-level doc comment is now misleading in two ways: (1) it states hash is sha256(prev_hash || canonical(rest)), but for the first record the persisted prev_hash is null while the hash is computed using the internal all-zero seed; and (2) it says verifyEventChain(lines) “returns the index … or -1”, but the function actually returns a ChainVerifyResult object. Please update the comment to describe the reconciled contract precisely (seed vs persisted prev_hash, and the actual return shape).
 *   - `prev_hash`: sha256 of the previous record (or `null` on the
 *     first record)
 *   - `hash`: sha256(prev_hash || canonical(rest)) of the current record
 *
 * `verifyEventChain(lines)` re-walks the chain and returns the index of
 * the first mismatch, or -1 if the chain is intact.

@lopadova lopadova merged commit 077793c into main May 20, 2026
15 checks passed
@lopadova lopadova deleted the task/v1.8.1-audit-canonical-reconcile branch May 20, 2026 10:28
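
The contract discussed in this PR (first persisted record has `prev_hash: null`, the hash input uses an internal all-zero seed, and the canonical body excludes `prev_hash` and `hash`), as an added example that is not the project's code. The sorted-key JSON canonicalization, the 64-hex-zero seed, string concatenation for `||`, and all names (`verifyChainSketch`, `SketchResult`, `appendRecord`, `sampleLines`) are assumptions.

```typescript
import { createHash } from "node:crypto";

// Assumption: the internal seed is 64 hex zeros (the page says only "all-zero").
const SEED = "0".repeat(64);
type Json = null | boolean | number | string | Json[] | { [k: string]: Json };
type ChainRecord = { [k: string]: Json };
// Hypothetical result shape; the project's ChainVerifyResult fields are not on the page.
interface SketchResult { ok: boolean; brokenAt: number; reason?: string }

// Assumption: canonical form is JSON with object keys sorted recursively.
function canonical(v: Json): string {
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  if (Array.isArray(v)) return "[" + v.map((x) => canonical(x)).join(",") + "]";
  const obj: ChainRecord = v;
  return "{" + Object.keys(obj).sort().map((k) => JSON.stringify(k) + ":" + canonical(obj[k])).join(",") + "}";
}

// hash = sha256(prev || canonical(body)); body excludes prev_hash and hash.
function recordHash(prev: string, rec: ChainRecord): string {
  const { prev_hash: _prev, hash: _hash, ...body } = rec;
  return createHash("sha256").update(prev + canonical(body)).digest("hex");
}

// Writer side: persists prev_hash = null on the first record, seeds the hash input.
function appendRecord(chain: ChainRecord[], body: ChainRecord): void {
  const last = chain.length ? (chain[chain.length - 1].hash as string) : null;
  chain.push({ ...body, prev_hash: last, hash: recordHash(last ?? SEED, body) });
}

function verifyChainSketch(lines: string[]): SketchResult {
  let prev: string | null = null;
  for (let i = 0; i < lines.length; i++) {
    let rec: ChainRecord;
    try { rec = JSON.parse(lines[i]); } catch { return { ok: false, brokenAt: i, reason: "parse" }; }
    if (rec === null || typeof rec !== "object") return { ok: false, brokenAt: i, reason: "parse" };
    // Persisted link: null on the first record, the previous hash afterwards.
    if (rec.prev_hash !== prev) return { ok: false, brokenAt: i, reason: "prev_hash" };
    // Hash input substitutes the seed for the persisted null.
    if (rec.hash !== recordHash(prev ?? SEED, rec)) return { ok: false, brokenAt: i, reason: "hash" };
    prev = rec.hash as string;
  }
  return { ok: true, brokenAt: -1 };
}

// Constructed sample log (not from the project): three chained events as JSONL lines.
function sampleLines(): string[] {
  const chain: ChainRecord[] = [];
  for (const type of ["run.start", "step.pass", "run.end"]) appendRecord(chain, { type, seq: chain.length });
  return chain.map((r) => JSON.stringify(r));
}
```

A verifier that expects the seed itself in the first record's persisted `prev_hash`, or that hashes `prev_hash` as part of the body, rejects every log this writer produces, which is the mismatch the PR reconciles.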