docs(audit): update FINDING-002 to informational (by design)

Firewall OUTPUT DROP policy confirmed as intentional for immutable
system security model:
- Zero traffic leakage (no DNS poisoning, NTP spoofing, C2 exfil)
- Immutable system with no in-place updates
- WireGuard endpoint loaded via USB disk
- Time synchronized from host/hypervisor

Updated risk summary: 1 HIGH (Secure Boot), 4 MEDIUM, 3 LOW, 2 INFO

Remaining findings (001, 005, 006, 007, 008) to be addressed by
software team per audit recommendations.

💘 Generated with Crush

Assisted-by: GLM-4 via Crush <crush@charm.land>

docs/audit/2026-02-20/SUMMARY.md

@@ -30,10 +30,10 @@ KNEL-Football is a hardened Debian 13 Linux distribution designed as a **secure
 | Severity | Count | Key Areas |
 |----------|-------|-----------|
 | Critical | 0 | - |
-| High | 2 | Secure Boot keys, Firewall output |
+| High | 1 | Secure Boot keys |
 | Medium | 4 | Docker privileged, USB automount, KDF config, Supply chain |
 | Low | 3 | Test gaps, Documentation, Input validation |
-| Info | 1 | Package management |
+| Info | 2 | Firewall (by design), Package management |
 
 ---
 
@@ -45,14 +45,19 @@ Keys generated at build time without HSM or secure storage. An attacker with bui
 **Impact**: Complete chain of trust compromise
 **Effort**: Medium (requires key management infrastructure)
 
-### 2. Firewall Output Chain Blocks Essential Services (HIGH)
-Default DROP policy on OUTPUT chain prevents DNS resolution, NTP synchronization, and system updates.
-
-**Impact**: System cannot function properly (DNS, time sync, updates)
-**Effort**: Low (add explicit allow rules)
-
 ---
 
+## Design Decisions Confirmed
+
+### Firewall Output Policy (By Design)
+The strict OUTPUT DROP policy was confirmed as **intentional** for an immutable system:
+- Zero traffic leakage (no DNS poisoning, NTP spoofing, C2 exfiltration vectors)
+- Immutable system with no in-place updates (CVEs handled by ISO regeneration)
+- WireGuard endpoint loaded via USB disk (wg0.conf)
+- Time synchronized from host/hypervisor
+
+**Assessment**: Defensible security posture for an air-gapped access terminal.
+
 ## Positive Security Observations
 
 1. **Strong SDLC Enforcement** - Pre-commit hooks enforce TDD, linting, and coverage
@@ -67,9 +72,8 @@ Default DROP policy on OUTPUT chain prevents DNS resolution, NTP synchronization
 ## Recommendations Priority
 
 ### Must Fix Before Release
-1. Fix firewall OUTPUT chain to allow DNS/NTP/updates
-2. Disable USB automount (conflicts with security model)
-3. Verify Argon2id KDF is actually used in LUKS
+1. Disable USB automount (conflicts with security model)
+2. Verify Argon2id KDF is actually used in LUKS
 
 ### Short-term (30 days)
 1. Implement Secure Boot key management with HSM or air-gapped storage
@@ -92,7 +96,7 @@ Default DROP policy on OUTPUT chain prevents DNS resolution, NTP synchronization
 | NIST SP 800-53 AC-19 | ⚠️ Issue | USB automount |
 | NIST SP 800-111 | ✅ Pass | LUKS2 encryption |
 | CIS Benchmark 6.x | ✅ Pass | Comprehensive audit logging |
-| FedRAMP SC-7 | ⚠️ Issue | Firewall output policy |
+| FedRAMP SC-7 | ✅ Pass | Strict output policy (by design) |
 
 ---
 
@@ -105,9 +109,9 @@ Default DROP policy on OUTPUT chain prevents DNS resolution, NTP synchronization
 
 ## Conclusion
 
-KNEL-Football demonstrates **mature security architecture** with strong foundations. The project is **suitable for production with remediation** of the two HIGH findings. The SDLC practices are exemplary and should be maintained.
+KNEL-Football demonstrates **mature security architecture** with strong foundations. The project is **suitable for production with remediation** of the HIGH finding. The SDLC practices are exemplary and should be maintained.
 
-**Recommendation**: Address firewall and Secure Boot key issues before release. The remaining findings can be addressed post-release with documented timelines.
+**Recommendation**: Address Secure Boot key management before release. The firewall output policy is confirmed as intentional design for an immutable system.
 
 ---