Add offline bundle verification and offline installer with doctor readiness checks #52

Merged: rad1092 merged 1 commit into main from codex/configure-offline-installation-scripts on Feb 15, 2026

@rad1092 (Owner) commented Feb 15, 2026

Motivation

  • Provide an offline-only installation path that installs from a prebuilt bundle while enforcing policy checks (hash/allowlist/license) before any installation step.
  • Surface offline readiness in diagnostics so operators can confirm model, dependency and bundle-file readiness prior to attempting offline installs.

Description

  • Add bitnet_tools/offline_bundle.py implementing verify_bundle which validates SHA256, allowlist membership and allowed license rules from a meta/offline_policy.json policy and returns a structured violations report.
  • Add cross-platform installers offline_install.sh and offline_install.ps1 that call python -m bitnet_tools.offline_bundle verify and abort installation with an error if any policy violations are found, then install from local wheels using pip --no-index.
  • Extend scripts/prepare_online_bundle.sh to generate meta/offline_policy.json (assets + sha256 + allowlist + allowed_licenses) and copy offline_requirements.txt, and to include instructions for the offline install flow.
  • Extend bitnet_tools.doctor.collect_environment to include offline_readiness via _collect_offline_readiness, which reports bundle_dir, required file presence (offline_install scripts, offline_policy, deferred_install_manifest.json), dependencies (e.g. pip), model request/availability and a combined ready boolean.
  • Update README.md with the offline bundle creation/install instructions and the verification guarantees.
  • Add unit tests tests/test_offline_bundle.py and tests/test_doctor.py that validate policy verification success/failure behaviors and the new offline_readiness keys.

Testing

  • Ran targeted tests: pytest -q tests/test_offline_bundle.py tests/test_doctor.py tests/test_cli.py::test_cli_doctor_mode and they passed (5 passed).
  • Ran full test suite: pytest -q and it succeeded (74 passed).

@rad1092 merged commit 9bb9535 into main on Feb 15, 2026
4 checks passed
@rad1092 deleted the codex/configure-offline-installation-scripts branch February 15, 2026 07:35

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3795c2757b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread offline_install.sh
Comment on lines +17 to +18
if [[ -f "${REQ_FILE}" ]]; then
python -m pip install --no-index --find-links "${WHEEL_DIR}" -r "${REQ_FILE}"
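
Review bot: the pip install on the second line takes its package list from ${REQ_FILE} and resolves it against every wheel in ${WHEEL_DIR}, and nothing on these lines ties that resolution to the digests the verify step checked. Generate the requirements file with pinned versions and --hash=sha256:... entries and pass --require-hashes here, so that pip itself rejects any wheel whose digest is not listed.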

[P1] Install bitnet-tools before optional requirements

scripts/prepare_online_bundle.sh always writes meta/offline_requirements.txt with only optional packages (matplotlib, pandas, jupyterlab, pytest), so this branch is always taken and bitnet-tools is never installed on a fresh offline host. It also makes optional-wheel download failures fatal at install time, even though the download step is marked best-effort. The installer should install bitnet-tools explicitly (and treat optional deps separately).

Useful? React with 👍 / 👎.

Comment on lines +74 to +77
for path in sorted((bundle / "wheels").glob("*.whl")):
h = hashlib.sha256(path.read_bytes()).hexdigest()
rel = path.relative_to(bundle).as_posix()
assets.append({"path": rel, "sha256": h, "license": "UNKNOWN"})
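
Review bot: the assets.append line records every wheel with the literal license "UNKNOWN", so the allowed-license rule cannot tell one wheel from another: it passes all of them or fails all of them, depending only on whether UNKNOWN is in allowed_licenses. Take the license from each wheel's metadata or from a reviewed mapping when the entry is generated. Separately, path.read_bytes() on the second line loads each wheel fully into memory; hashing in fixed-size chunks avoids that for large wheels.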

[P1] Include executed requirements file in policy verification

The generated policy only records wheel files (and optionally models/ollama_install.sh), but offline_install.(sh|ps1) later executes meta/offline_requirements.txt via pip -r. Because verify_bundle checks only policy["assets"], edits to offline_requirements.txt are not detected, so a tampered bundle can pass verification and still install attacker-selected packages from wheels/.

Useful? React with 👍 / 👎.
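
The coverage gap raised in the second review comment can be closed by treating any bundle file the policy does not pin as a violation. The sketch below is an added example, not the project's verify_bundle: the function name audit_bundle and the rule labels are hypothetical, the policy keys (assets, sha256, license, allowlist, allowed_licenses) are taken from the PR description, and it assumes the allowlist holds asset paths.

```python
import hashlib
import json
from pathlib import Path

POLICY_REL = "meta/offline_policy.json"  # policy path named in the PR description


def sha256_file(path: Path) -> str:
    """Hash in chunks so large wheels are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_bundle(bundle_dir) -> list[dict]:
    """Hypothetical verifier: return a list of violations (empty list = clean)."""
    bundle = Path(bundle_dir).resolve()
    policy = json.loads((bundle / POLICY_REL).read_text(encoding="utf-8"))
    allowlist = set(policy.get("allowlist", []))  # assumed to hold asset paths
    licenses = set(policy.get("allowed_licenses", []))
    violations, covered = [], {POLICY_REL}

    for asset in policy.get("assets", []):
        rel = asset["path"]
        target = (bundle / rel).resolve()
        if not target.is_relative_to(bundle):  # "../" would escape the bundle
            violations.append({"path": rel, "rule": "path_escape"})
            continue
        covered.add(rel)
        if rel not in allowlist:
            violations.append({"path": rel, "rule": "not_allowlisted"})
        if asset.get("license") not in licenses:
            violations.append({"path": rel, "rule": "license"})
        if not target.is_file():
            violations.append({"path": rel, "rule": "missing"})
        elif sha256_file(target) != asset.get("sha256"):
            violations.append({"path": rel, "rule": "sha256_mismatch"})

    # Any file on disk that the policy does not pin is unverified input to the
    # installer, e.g. a requirements file later passed to `pip install -r`.
    for path in sorted(p for p in bundle.rglob("*") if p.is_file()):
        rel = path.relative_to(bundle).as_posix()
        if rel not in covered:
            violations.append({"path": rel, "rule": "unlisted"})
    return violations
```

The policy file itself is exempt from the unlisted check, so its integrity has to be established from outside the bundle, for example with a detached signature or a digest delivered separately.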
