DO-NOT-MERGE · Keep the internal docs/audit archive (88 files) out of the published sdist #223

Merged: Antawari merged 1 commit into main from catrina/2026-06-12/docs-audit-sdist-leak on Jun 13, 2026
@Antawari · Contributor
What

The published source distribution still packaged the entire internal
docs/audit/ build-process archive — 88 files — and shipped it to PyPI.

The wheel is already clean (it only packages src/bonfire), but the sdist
defaults to the whole VCS tree, so every audit artifact under docs/audit/
went out in the release tarball. A large majority of those files carry
internal-only content (absolute developer paths, internal branch names,
internal role vocabulary, and internal tracker IDs in both filenames and
bodies) — exactly the class of content that does not belong in a public
release artifact.

This is pre-existing on the base branch; it is not introduced by any
recent code-doc removal.

Why this approach

Two defensible fixes exist: scrub the in-repo files, or stop shipping them.
A separate, in-flight PR handles scrubbing the in-repo copies. This PR adds
the belt-and-suspenders packaging guard so the archive can never reach PyPI
regardless of whether the in-repo scrub reaches the whole tree:

[tool.hatch.build.targets.sdist]
exclude = [
    "docs/audit",
]

Public docs (docs/adr/, docs/architecture.md, docs/product/,
docs/release-gates.md, ...) are untouched and still ship.

How to verify

git fetch origin
git switch catrina/2026-06-12/docs-audit-sdist-leak

python -m venv /tmp/v && /tmp/v/bin/pip install build twine

# BEFORE (on origin/main): ships the whole archive
git stash; git switch main
/tmp/v/bin/python -m build --sdist
tar tzf dist/*.tar.gz | grep -c 'docs/audit'      # -> 88

# AFTER (this branch): archive excluded, everything else intact
git switch catrina/2026-06-12/docs-audit-sdist-leak
rm -rf dist && /tmp/v/bin/python -m build --sdist
tar tzf dist/*.tar.gz | grep -c 'docs/audit'      # -> 0
tar tzf dist/*.tar.gz | grep -cE 'src/bonfire|docs/adr' # -> still present
/tmp/v/bin/python -m twine check dist/*            # -> PASSED

Gate results (run from the worktree)

  • sdist docs/audit count: 88 -> 0 (before/after build, anchored)
  • legit docs + src/bonfire + pyproject.toml: retained (152 entries)
  • twine check dist/*: PASSED
  • wheel built from the extracted sdist: OK (sdist still self-sufficient; wheel has 0 docs/audit)
  • ruff check src/ tests/: All checks passed!
  • ruff format --check src/ tests/: 311 files already formatted
  • pyproject.toml parses; only change is the new [tool.hatch.build.targets.sdist] section
  • smoke install-into-fresh-venv leg was network-bound in the sandbox and not completed locally; the sdist->wheel build path it exercises was proven offline instead

Merge policy

Operator merges — do not auto-merge. This PR is a packaging guard; the
human gates the merge.

The wheel only packages src/bonfire, but the source distribution defaults
to the whole VCS tree, so it shipped the entire docs/audit/ build-audit
archive (88 files) to PyPI. Those are development-process artifacts, not
shippable documentation. Add a hatch sdist exclude so they stay out of the
release artifact.

Verified by building the sdist before and after: docs/audit file count in
the tarball drops from 88 to 0, while src/, pyproject, and the public docs
(adr/, architecture, product/, release-gates) remain. twine check passes
and a wheel still builds cleanly from the extracted sdist.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
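The "How to verify" steps above check the packaged file list by hand with tar and grep. The following script, an added example that is not part of the PR or of the bonfire project, turns that check into a reusable release gate: it opens a built sdist, flags any member under an excluded prefix (docs/audit/ from this PR), and additionally scans file contents for one class of internal-only material the PR description names, absolute developer paths. The regex for those paths, the module name, the `bonfire-0.0.0/` distribution prefix, and the in-memory sample tarballs are assumptions constructed for the example, not files from a real release.

```python
import io
import re
import sys
import tarfile
from dataclasses import dataclass, field

# Path prefixes (relative to the sdist root) that must never be packaged.
# "docs/audit/" is the prefix this PR excludes; extend as policy requires.
EXCLUDED_PREFIXES = ("docs/audit/",)

# Byte patterns that indicate internal-only content inside a packaged file.
# The absolute-developer-path pattern is an assumption about how such leaks
# typically look; it is not taken from the project's files.
INTERNAL_MARKERS = {
    "absolute-dev-path": re.compile(rb"(?:/Users|/home)/[A-Za-z0-9_.-]+/"),
}


@dataclass
class SdistAudit:
    member_count: int = 0
    leaked_paths: list[str] = field(default_factory=list)
    flagged_content: dict[str, list[str]] = field(default_factory=dict)

    @property
    def ok(self) -> bool:
        return not self.leaked_paths and not self.flagged_content


def _relative_to_root(name: str) -> str:
    """Drop the '<name>-<version>/' component that build tools prepend."""
    _head, sep, tail = name.partition("/")
    return tail if sep else ""


def audit_sdist(tar_bytes: bytes, excluded_prefixes=EXCLUDED_PREFIXES,
                markers=INTERNAL_MARKERS) -> SdistAudit:
    """Report members that violate the path policy or match a content marker."""
    result = SdistAudit()
    prefixes = tuple(excluded_prefixes)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            result.member_count += 1
            rel = _relative_to_root(member.name)
            if rel.startswith(prefixes):
                result.leaked_paths.append(rel)
            data = tar.extractfile(member).read()
            hits = [label for label, rx in markers.items() if rx.search(data)]
            if hits:
                result.flagged_content[rel] = hits
    return result


def build_sample_sdist(include_audit: bool) -> bytes:
    """Constructed stand-in for `python -m build --sdist` output (not a real release)."""
    files = {
        "bonfire-0.0.0/pyproject.toml": b"[project]\nname = 'bonfire'\n",
        "bonfire-0.0.0/src/bonfire/__init__.py": b"__version__ = '0.0.0'\n",
        "bonfire-0.0.0/docs/adr/0001-record.md": b"# ADR 1\nPublic decision record.\n",
    }
    if include_audit:
        # Mirrors the leak class the PR describes: an internal note carrying a developer path.
        files["bonfire-0.0.0/docs/audit/2026-06-12-build-notes.md"] = (
            b"Built from /Users/example-dev/work/bonfire on branch internal/example\n"
        )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def main(argv: list[str]) -> int:
    """Audit the sdist at argv[1], or the constructed samples when no path is given."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            audits = {argv[1]: audit_sdist(fh.read())}
    else:
        audits = {"sample-before": audit_sdist(build_sample_sdist(True)),
                  "sample-after": audit_sdist(build_sample_sdist(False))}
    failed = False
    for label, audit in audits.items():
        status = "OK" if audit.ok else "FAIL"
        print(f"{label}: {audit.member_count} files, {len(audit.leaked_paths)} excluded-path "
              f"leaks, {len(audit.flagged_content)} content hits -> {status}")
        for path in audit.leaked_paths:
            print(f"  leaked path: {path}")
        for path, hits in audit.flagged_content.items():
            print(f"  {path}: {', '.join(hits)}")
        failed = failed or not audit.ok
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python sdist_gate.py dist/bonfire-*.tar.gz` after `python -m build --sdist`; a non-zero exit makes it usable as a CI gate next to `twine check`. The path check is what the hatch exclude guarantees; the content scan catches the case the PR mentions, where an in-repo scrub has not yet reached a file that is still packaged under a permitted path.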
Antawari merged commit 48e1f54 into main on Jun 13, 2026. 3 checks passed.