Bump DefaultFirewallVersion to v0.27.7

[lpcox]

Goal

Bump the shared firewall dependency DefaultFirewallVersion from v0.27.6 → v0.27.7 and recompile/regenerate everything that pins it.

Release: https://github.com/github/gh-aw-firewall/releases/tag/v0.27.7
Full changelog: github/gh-aw-firewall@v0.27.6...v0.27.7

What's in v0.27.7

• fix: check iptables availability before host firewall setup (gh-aw-firewall#5136)
• fix(api-proxy): map OpenAI Responses API cached tokens to cache_read (#5262)
• ci(smoke): add token-usage sanity checks to smoke workflows (#5264)
• fix(containers): apt install fallback to archive.ubuntu.com (#5266)
• fix(api-proxy): 403 for terminal caps; fix Anthropic/Copilot input credits (#5271)

Why this matters for gh-aw

• Terminal hard caps now return HTTP 403 instead of 429 ([go-fan] Go Module Review: spf13/cobra #5271). Previously, hitting maxRuns / maxAiCredits / effective-token / cache-miss caps returned 429, which LLM SDK clients treat as a transient rate-limit and retry-storm against a non-recoverable cap until the step times out (10–16 min). 403 is non-retryable, so the agent stops cleanly. This directly improves agent reliability and run duration for any gh-aw workflow that uses budget caps.
• More accurate AI-credits accounting ([go-fan] Go Module Review: spf13/cobra #5271, 📊 Agentic Workflow Lock File Statistics Analysis - December 2025 #5262): provider-aware input-token credit math for Anthropic/Copilot and correct cache_read mapping for the OpenAI Responses API. (Note: there is still a harness-side AIC under-report for Anthropic — see Agent-side AI-credits calculator under-reports AIC for Anthropic (subtracts cache_read from input_tokens) #40205 — which is independent of this bump.)
• apt fallback ([daily issues] Daily Issues Report - 2025-12-02 #5266) and iptables pre-check (Limit step summary size to 1000KB and add lightweight console summary #5136) improve container build/runtime robustness on constrained runners.

Suggested changes (per the awf-release-integrator skill)

1. Update the constant in pkg/constants/version_constants.go:

   const DefaultFirewallVersion Version = "v0.27.7"

2. Review the AWF*MinVersion constants in the same file — no new version-gated flags are introduced by v0.27.7, so these should not need changes, but confirm.
3. Recompile all workflow lock files so the new binary/image tag and container SHA pins are refreshed (the second compile pass resolves container SHAs).
4. Update golden testdata that embeds the version — e.g. pkg/workflow/testdata/TestWasmGolden_AllEngines/*.golden and pkg/workflow/testdata/wasm_golden/WasmBinary/*.golden currently contain v0.27.6 / imageTag":"0.27.6".
5. Update version-pinning test expectations as needed (firewall_version_pinning_test.go, aw_info_versions_test.go, etc. derive from the constant, so most should pass automatically).
6. Add a changeset (.changeset/…md, "gh-aw": patch) and CHANGELOG entry noting the bump.
7. CI (.github/workflows/ci.yml) extracts DefaultFirewallVersion for verification — ensure it stays consistent.

Acceptance criteria

• DefaultFirewallVersion == "v0.27.7"
• All workflow *.lock.yml recompiled and reference the v0.27.7 tag + refreshed container SHA pins
• Golden/test fixtures updated; go test ./... green
• Changeset + CHANGELOG entry added