Commit cc6aeec

docs(audit): track AUDIT-FINDINGS-*.md in repo + commit 2026-05-05 report
Project invariant: every artifact MiOS produces is whitelisted in .gitignore and pushed to origin -- pulling the latest repo must fully restore working context (no out-of-band buckets, no "point-in-time" untracked reports).

Adds:
- .gitignore whitelist for the AUDIT-FINDINGS-*.md class.
- AUDIT-FINDINGS-20260505.md: the 2026-05-05 read-only audit report per CLAUDE.AUDIT.md, with HIGH/MEDIUM/LOW findings cross-referenced to remediation commit 507a7fa.

The audit pass itself was performed against pre-507a7fa HEAD (d384a69); 8 of 10 findings landed in 507a7fa, 2 INFO findings deferred (set -euo pipefail header style; usr/lib/dracut/ overlay investigation). Two latent registry issues (quay.io/ceph/ceph:latest and code.forgejo.org/forgejo/runner:6.5 do not exist upstream) were discovered during remediation and fixed in the same commit.
1 parent 507a7fa commit cc6aeec

2 files changed

Lines changed: 229 additions & 0 deletions

.gitignore

Lines changed: 6 additions & 0 deletions
@@ -63,6 +63,12 @@
6363
!/MiOS-SBOM.csv
6464
!/MiOS-Build-Scripts.md
6565
!/CLAUDE.AUDIT.md
66+
# Audit findings reports. Recurring class -- one file per audit pass,
67+
# named AUDIT-FINDINGS-YYYYMMDD.md per the format defined in
68+
# CLAUDE.AUDIT.md. Always tracked so a fresh clone restores full
69+
# audit history alongside the rest of the repo (per project
70+
# invariant: pulling the latest must reconstitute context).
71+
!/AUDIT-FINDINGS-*.md
6672
!/image-versions.yml
6773
!/install.sh
6874
!/install-mios-agents.sh
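
Review bot: The negation pattern `!/AUDIT-FINDINGS-*.md` at new line 71 is wider than the naming rule stated in the comment directly above it (AUDIT-FINDINGS-YYYYMMDD.md). The `*` also un-ignores any root-level file with a non-date suffix, for example a hypothetical AUDIT-FINDINGS-draft.md, so a routine `git add .` would stage a scratch or unreviewed report. Because these reports describe findings, including ones that are deferred, consider restricting the pattern to eight digits, e.g. `!/AUDIT-FINDINGS-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].md`, so that only files following the documented format are tracked automatically and anything else has to be added deliberately.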
