security/runtime: verify deploy manifest integrity at startup

[benvinegar]

Problem

Deploy writes baudbot-manifest.json with file hashes, and security-audit.sh can check integrity, but startup does not currently enforce or warn on manifest mismatch before launching bridge/agent.

This means tampering or accidental drift may go unnoticed until manual audit.

Proposed solution

• Add optional startup integrity verification step in start.sh:
  • verify runtime files against ~/.pi/agent/baudbot-manifest.json
  • on mismatch: fail fast (strict mode) or log high-severity warning (configurable)
• Exclude expected mutable paths (sessions/memory/logs).
• Add a doctor/audit surface showing last integrity check result.

Helpful context

• Manifest generation in bin/deploy.sh (baudbot-manifest.json, SHA256).
• Security docs reference integrity checks via audit.
• start.sh currently validates env and launches services but does not verify manifest.