No user-facing CLI changes.

- Improved failure messages for `assert artifact` when policy rules r…

…eference a control: missing or non-compliant attestations now report the control identifier (e.g. "artifact is missing required decision for control '<id>'" and "decision for control '<id>' is non-compliant in trail") instead of the generic attestation name/type message.

`kosli attest sonar` now works against self-hosted SonarQube **Server…

… versions older than 10.0**. Previously the CLI only presented the API token as a Bearer header, which Server < 10.0 rejects (it requires HTTP Basic auth with the token as the username), producing a misleading `please check your API token is correct` error.

The CLI now tries Bearer first (SonarQube Cloud and Server 10.0+) and transparently falls back to Basic for older self-hosted Servers, caching the resolved scheme for the run. SonarQube Cloud is always sent Bearer. Authentication failures now return a status-aware message (HTTP 401/403 token/permission, 5xx server-unavailable) instead of a single generic line.

- chore(deps): bump the Go dependencies group with 10 updates (#928)

**Full changelog:** v2.23.2...v2.24.0

Version v2.23.2

- Flow creation now always sends `visibility: private` in the payload…

… for compatibility with older Kosli server versions.

- Removed `--visibility` flag from `kosli create flow` command (previ…

…ously defaulted to `"private"`).

- Added a deprecation warning when creating a flow without `--template-file` or `--use-empty-template`, indicating the legacy API endpoint will stop working in a future release.

- Refactored URL construction in `diff snapshots`, `list approvals`, …

…`list artifacts`, and `list snapshots` commands to use `url.JoinPath` and `url.Values` for safer, properly encoded query parameters.

- Added new `kosli attest decision` command (currently hidden/beta) t…

…o record a compliance decision against a control in a Kosli trail, supporting `--control`, `--compliant`, `--attachments`, `--fingerprint`, and other standard attestation flags.

- Added `Tutorial` field to command documentation metadata, enabling tutorial URLs to be surfaced in generated docs.

- `log environment`: added `--start`, `--end`, `--start-ts`, and `--e…

…nd-ts` flags to filter environment events by snapshot index, time expression, or Unix timestamp range.

- `attest jira`: fixed false-positive Jira issue key matches from multi-segment identifiers such as CVE numbers (e.g. `CVE-2026-41284` no longer incorrectly matches as a Jira key).
- `attest junit`: improved JUnit XML ingestion to walk directories recursively, deduplicate file scanning, and provide a clearer error message when non-UTF-8 encoded XML files are encountered.

No user-facing CLI changes.