feat: add dual-mode ISO builds (production vs demo) with serial console

Two build modes:
- `./run.sh iso` — production ISO (prompts for credentials, quiet boot)
- `./run.sh iso:demo` — demo/CI ISO (hardcoded test credentials, serial
  console output, verbose kernel)

Changes:
- run.sh: Accept iso:demo subcommand, pass KNEL_BUILD_MODE to Docker
- run.sh: Demo mode uses verbose kernel cmdline with console=ttyS0
- config/bootloaders/grub-pc/config.cfg: GRUB serial console on ttyS0
  at 115200 baud alongside VGA gfxterm (dual output)
- config/includes.installer/demo.preseed.cfg: Fully automated preseed
  with hardcoded test credentials (NOT for production use)
- config/hooks/binary/0199-serial-console.hook: Ensures serial console
  on Debian installer entries too
- .gitignore: Fix binary/ pattern to /binary/ (was matching config/hooks/binary/)

Demo credentials (TESTING ONLY):
- User: football / Kn3l-F00tball-D3m0!
- Root: Kn3l-R00t-D3m0!
- LUKS: Kn3l-D3m0-LUKS!

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

run.sh

@@ -850,7 +850,8 @@ Usage: $0 <command> [args]
 
 Build Commands:
   build           Build Docker image
-  iso             Build ISO (60-90 minutes)
+  iso             Build production ISO (prompts for credentials during install)
+  iso:demo        Build demo/CI ISO (hardcoded test credentials, serial console)
   monitor [secs]  Monitor build progress (default: check every 180s)
   clean           Clean build artifacts
 
@@ -885,9 +886,11 @@ Prerequisites for VM Testing:
 
 Examples:
   $0 build                    # Build Docker image
-  $0 iso                      # Build ISO (60-90 min)
+  $0 iso                      # Build production ISO (prompts for credentials)
+  $0 iso:demo                 # Build demo ISO (hardcoded test credentials)
   $0 monitor                  # Monitor build progress
   $0 test                     # Run all tests
+  $0 validate                 # Validate ISO via QEMU boot test
   $0 test:iso boot-test       # Boot test in VM
   $0 test:iso console         # Connect to VM console
   $0 test:iso destroy         # Cleanup test VM
@@ -980,7 +983,15 @@ main() {
                 "${DOCKER_IMAGE}" \
                 bash
             ;;
-        iso)
+        iso|iso:demo)
+            if [ "$1" = "iso:demo" ]; then
+                KNEL_BUILD_MODE="demo"
+                log_info "Build mode: DEMO (hardcoded test credentials, serial console)"
+                log_warn "DO NOT deploy demo ISO in production!"
+            else
+                KNEL_BUILD_MODE="production"
+                log_info "Build mode: PRODUCTION (prompts for credentials during install)"
+            fi
             log_warn "Host FDE check: SKIPPED (not enforced on this host)"
             echo "Building KNEL-Football secure ISO..."
             echo "ALL operations run inside Docker container"
@@ -997,6 +1008,7 @@ main() {
                 -e LC_ALL="C" \
                 -e USER_UID="$(id -u)" \
                 -e USER_GID="$(id -g)" \
+                -e KNEL_BUILD_MODE="${KNEL_BUILD_MODE}" \
                 "${DOCKER_IMAGE}" \
                 bash -c '
 cd /tmp && 
@@ -1009,6 +1021,7 @@ lb config \
     --mode debian \
     --chroot-filesystem squashfs \
     --binary-images iso-hybrid \
+    --bootappend-live "console=ttyS0,115200 console=tty0" \
     --iso-application "KNEL-Football Secure OS" \
     --iso-publisher "KNEL-Football Security Team" \
     --iso-volume "KNEL-Football Secure" \
@@ -1022,6 +1035,15 @@ if [ -d /workspace/config ]; then
     cp -r /workspace/config/* ./config/
 fi &&
 
+# Apply build mode overrides
+if [ "${KNEL_BUILD_MODE}" = "demo" ]; then
+    echo "Applying DEMO mode overrides..." &&
+    if [ -f config/includes.installer/demo.preseed.cfg ]; then
+        cp config/includes.installer/demo.preseed.cfg config/includes.installer/preseed.cfg &&
+        echo "Demo preseed applied (hardcoded credentials)"
+    fi
+fi &&
+
 # Create Secure Boot binary hook inline
 echo "Creating Secure Boot hook..." &&
 mkdir -p config/hooks/binary &&
@@ -1127,7 +1149,11 @@ UKI_FILE="${UKI_DIR}/BOOTX64.EFI"
 CMDLINE_FILE="/tmp/cmdline.txt"
 
 # Kernel command line with lockdown mode
-echo "quiet splash lockdown=confidentiality module.sig_enforce=1" > "$CMDLINE_FILE"
+if [ "${KNEL_BUILD_MODE}" = "demo" ]; then
+    echo "console=ttyS0,115200 console=tty0 lockdown=confidentiality module.sig_enforce=1" > "$CMDLINE_FILE"
+else
+    echo "quiet splash lockdown=confidentiality module.sig_enforce=1" > "$CMDLINE_FILE"
+fi
 
 # Build UKI using objcopy
 echo "[SB] Bundling kernel + initramfs + cmdline into UKI..."