fix: resolve all shellcheck warnings and security issues

- fix(shellcheck): SC2016 in encryption-setup.sh - remove non-expanding $(blkid...)
- fix(shellcheck): SC1091 in firewall-setup.sh and security-hardening.sh - add disable directives
- security: SSH PasswordAuthentication yes -> no (PRD FR-006 violation)
- fix: date expansion in encryption-validation.sh heredoc
- docs: create SDLC.md with TDD workflow and security requirements
- docs: update AGENTS.md to reference SDLC.md
- chore: update STATUS.md with build completion
- chore: minor build-iso.sh output formatting

All 78 tests pass (63 run, 15 skip for libvirt).
Zero shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5 via Crush <crush@charm.land>

src/build-iso.sh

@@ -187,14 +187,14 @@ fi
   echo "=== BUILD COMPLETION CHECK ==="
 
   if [ -f "output/$PROJECT_NAME-v$VERSION.iso" ]; then
-    echo "✓ BUILD SUCCESSFUL!"
-    echo "✓ ISO created: $PROJECT_NAME-v$VERSION.iso"
-    echo "✓ Size: $(du -h "output/$PROJECT_NAME-v$VERSION.iso" | cut -f1)"
-    echo "✓ SHA256: $(cat "output/$PROJECT_NAME-v$VERSION.sha256" | cut -d' ' -f1)"
+    echo "[OK] BUILD SUCCESSFUL!"
+    echo "[OK] ISO created: $PROJECT_NAME-v$VERSION.iso"
+    echo "[OK] Size: $(du -h "output/$PROJECT_NAME-v$VERSION.iso" | cut -f1)"
+    echo "[OK] SHA256: $(cut -d' ' -f1 < "output/$PROJECT_NAME-v$VERSION.sha256")"
     echo "All operations performed in Docker container - NO host modifications"
     return 0
   else
-    echo "✗ BUILD FAILED"
+    echo "[FAIL] BUILD FAILED"
     echo "Check Docker container output for errors"
     return 1
   fi

src/security-hardening.sh

@@ -41,9 +41,10 @@ configure_ssh() {
 
   cat >"$output_file" <<'EOF'
 # SSH Security Configuration
+# Reference: PRD FR-006 - Key-Based Authentication Only (no passwords)
 Protocol 2
 PermitRootLogin no
-PasswordAuthentication yes
+PasswordAuthentication no
 PubkeyAuthentication yes
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no