feat: update specification with pre-flight discussion decisions

- Update compliance: CMMC Level 3, LI-SaaS, CIS+STIG, adapt Debian 11 STIG
- Add QR code import capability with zbar and desktop shortcut
- Add package management disabling hook with chattr +i
- Update preseed: US/Chicago timezone, US keyboard, password complexity
- Add secure boot: UEFI only, measured boot, custom keys
- Add .gitignore to exclude ISO files
- Remove package management from applications, add test suite
- Add minimal package list (no aptitude/synaptic)
- Update testing: in-ISO tests, command line execution

.gitignore

@@ -0,0 +1,43 @@
+# .gitignore for Secure Debian ISO Project
+
+# Output directory
+output/
+
+# Generated ISO files
+*.iso
+*.iso.sha256
+*.iso.asc
+
+# Build artifacts
+config/binary
+config/cache
+config/chroot
+config/.build
+
+# Live-build temporary files
+binary-hybrid.iso
+live-build.log
+
+# Virtual machine images
+*.qcow2
+*.vmdk
+*.img
+
+# Test artifacts
+test-reports/
+coverage/
+
+# IDE and editor files
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS specific files
+.DS_Store
+Thumbs.db
+
+# Temporary files
+tmp/
+temp/

football-spec.md

@@ -18,20 +18,23 @@ This project aims to build a highly secure, compliant Debian 13 (Trixie) install
 ## Target System Profile
 
 ### Operating System
-- **Base OS**: Debian 13 (Trixie)
+- **Base OS**: Debian 13.3.0 (Trixie) stable release
 - **Architecture**: amd64
 - **Kernel**: Latest stable kernel with security patches
+- **Secure Boot**: UEFI only with measured boot, custom keys included
 
 ### Desktop Environment
 - **Window Manager**: IceWM (minimal configuration)
-- **Display Manager**: LightDM with privacy enhancements
+- **Display Manager**: LightDM with privacy enhancements, usernames hidden
 - **Theme**: Minimal, secure default configuration
+- **Boot Mode**: UEFI only, no Legacy BIOS support
 
 ### Core Applications
 - **Remote Desktop**: Remmina
-- **VPN**: WireGuard tools
+- **VPN**: WireGuard tools with zbar for QR code scanning
 - **Text Editor**: Mousepad
-- **File Manager**: PCManFM
+- **Test Suite**: In-ISO validation tests (command line execution)
+- **No Package Management**: apt, dpkg, aptitude, synaptic disabled/removed
 
 ### Security Configuration
 
@@ -72,6 +75,11 @@ This project aims to build a highly secure, compliant Debian 13 (Trixie) install
    - Execution: `pkexec /usr/local/bin/apply-vpn-config.sh`
    - Icon: Network/VPN branded icon
 
+3. **QR Code Import**
+   - Target: Scan WireGuard QR code and update config
+   - Execution: `pkexec /usr/local/bin/scan-wireguard-qr.sh`
+   - Icon: Camera/QR branded icon
+
 ## Installation Automation
 
 ### Build Process
@@ -83,8 +91,9 @@ This project aims to build a highly secure, compliant Debian 13 (Trixie) install
 ### Preseed Configuration
 - **File**: `config/preseed.cfg`
 - **Automated Items**:
-  - Localization settings
+  - Localization settings (US/Chicago timezone, US English keyboard)
   - Software package selection
+  - Password complexity enforcement
   - Timezone configuration
   - Keyboard layout
 - **Manual Items**:
@@ -119,6 +128,8 @@ This project aims to build a highly secure, compliant Debian 13 (Trixie) install
 - All generated files owned by invoking user
 - Docker volume mounts with proper UID/GID mapping
 - No root-owned output files
+- Package management tools disabled with `chmod -x` and `chattr +i`
+- Test suite included in ISO for post-install validation
 
 ## Quality Assurance & Testing
 
@@ -147,10 +158,10 @@ tests/
 ## Compliance Requirements
 
 ### Standards Framework
-- **CMMC** (Cybersecurity Maturity Model Certification)
+- **CMMC Level 3** - Entry point to tier0 infrastructure supporting ITAR/SECRET systems
-- **FedRAMP** (Federal Risk and Authorization Management Program)
+- **FedRAMP LI-SaaS** - For RackRental.net federal government product
-- **STIG** (Security Technical Implementation Guide)
+- **STIG** - DISA STIG for Debian (adapt Debian 11 STIG for Debian 13)
-- **CIS Benchmarks** (Center for Internet Security)
+- **CIS Benchmarks** - CIS Benchmark for Debian Linux (baseline security controls)
 
 ### Compliance Documentation
 - **Matrix Document**: `COMPLIANCE.md`
@@ -158,12 +169,13 @@ tests/
 - **Validation**: Automated compliance verification tests
 
 ### Key Compliance Areas
-- Filesystem hardening
+- Filesystem hardening (CIS + STIG)
-- Password policy enforcement
+- Password policy enforcement (CIS + STIG)
-- Audit daemon configuration
+- Audit daemon configuration (STIG)
-- Service hardening
+- Service hardening (CIS + STIG)
-- Network security implementation
+- Network security implementation (STIG)
-- Logging and monitoring
+- Logging and monitoring (STIG)
+- Package management disabling (custom requirement)
 
 ## Project Structure
 
@@ -175,6 +187,7 @@ secure-debian-iso/
 ├── run.sh                      # Host wrapper script
 ├── Dockerfile                  # Build/test container
 ├── .dockerignore              # Docker ignore rules
+├── .gitignore                  # Git ignore rules (exclude ISO files)
 ├── config/                    # live-build configuration
 │   ├── preseed.cfg            # Installation automation
 │   ├── package-lists/         # Software package selections
@@ -345,6 +358,36 @@ USER builder
 CMD ["/bin/bash"]
 ```
 
+### Package Management Security
+
+#### config/hooks/installed/disable-package-management.sh
+```bash
+#!/bin/bash
+# Disable package management after installation
+set -euo pipefail
+
+echo "Disabling package management..."
+
+# Remove execute permissions from package management tools
+chmod -x /usr/bin/apt /usr/bin/apt-get /usr/bin/dpkg
+chmod -x /usr/bin/apt-cache /usr/bin/apt-key /usr/bin/dpkg-deb
+chmod -x /usr/bin/dpkg-query /usr/bin/dpkg-split /usr/bin/dpkg-trigger
+
+# Make immutable
+chattr +i /usr/bin/apt /usr/bin/apt-get /usr/bin/dpkg
+chattr +i /usr/bin/apt-cache /usr/bin/apt-key /usr/bin/dpkg-deb
+chattr +i /usr/bin/dpkg-query /usr/bin/dpkg-split /usr/bin/dpkg-trigger
+
+# Remove package metadata directories
+rm -rf /var/lib/apt/* /var/lib/dpkg/*
+
+# Create immutable empty directories to prevent recreation
+mkdir -p /var/lib/apt /var/lib/dpkg
+chattr +i /var/lib/apt /var/lib/dpkg
+
+echo "Package management disabled successfully."
+```
+
 ### Tests Structure
 
 #### tests/unit/firewall_test.bats
@@ -431,6 +474,114 @@ load 'test_helper/bats-assert/load'
 }
 ```
 
+### config/hooks/live/qr-code-import.sh
+```bash
+#!/bin/bash
+# Install QR code scanning tools for WireGuard
+set -euo pipefail
+
+echo "Installing QR code scanning tools..."
+
+# Install zbar for QR code scanning
+apt-get update
+apt-get install -y zbar-tools python3-pil
+apt-get clean
+
+# Create QR code scanning script
+cat > /usr/local/bin/scan-wireguard-qr.sh << 'EOF'
+#!/bin/bash
+# Scan WireGuard QR code and update configuration
+set -euo pipefail
+
+# Check if webcam is available
+if ! ls /dev/video* >/dev/null 2>&1; then
+    echo "Error: No webcam device found"
+    exit 1
+fi
+
+# Create temporary file for QR data
+qr_data=$(mktemp)
+trap "rm -f $qr_data" EXIT
+
+# Scan QR code
+echo "Scanning QR code..."
+zbarcam --raw --prescale=320x240 /dev/video0 > "$qr_data" &
+zbar_pid=$!
+
+# Wait for user to stop scanning
+echo "Press Enter to stop scanning..."
+read -r
+kill $zbar_pid 2>/dev/null || true
+
+# Parse QR data and update WireGuard config
+if [[ -s "$qr_data" ]]; then
+    # Validate QR data format (basic WireGuard format)
+    if grep -q "private_key\|endpoint\|allowed_ips" "$qr_data"; then
+        # Backup existing config
+        if [[ -f "/etc/wireguard/wg0.conf" ]]; then
+            cp /etc/wireguard/wg0.conf "/etc/wireguard/wg0.conf.bak.$(date +%Y%m%d_%H%M%S)"
+        fi
+        
+        # Convert QR data to WireGuard config format
+        python3 << 'PYTHON_EOF' "$qr_data"
+import sys
+import re
+
+qr_data = sys.argv[1]
+
+# Simple QR to WireGuard config conversion
+config_lines = ["[Interface]"]
+private_key = ""
+address = ""
+
+for line in open(qr_data):
+    if "private_key=" in line.lower():
+        private_key = line.strip()
+    elif "address=" in line.lower():
+        address = line.strip()
+
+if private_key:
+    config_lines.append(f"PrivateKey = {private_key.split('=')[1].strip()}")
+if address:
+    config_lines.append(f"Address = {address.split('=')[1].strip()}")
+
+# Add basic peer template
+config_lines.append("")
+config_lines.append("[Peer]")
+config_lines.append("# Add PublicKey, Endpoint, and AllowedIPs manually")
+
+print("\n".join(config_lines))
+PYTHON_EOF
+        
+        echo "QR code scanned successfully. Please edit /etc/wireguard/wg0.conf to complete configuration."
+    else
+        echo "Error: Invalid WireGuard QR code format"
+        exit 1
+    fi
+else
+    echo "Error: No QR code data captured"
+    exit 1
+fi
+EOF
+
+chmod +x /usr/local/bin/scan-wireguard-qr.sh
+
+# Create desktop shortcut
+mkdir -p /usr/share/applications
+cat > /usr/share/applications/scan-wireguard-qr.desktop << EOF
+[Desktop Entry]
+Name=Import WireGuard QR Code
+Comment=Scan QR code to import WireGuard configuration
+Exec=pkexec /usr/local/bin/scan-wireguard-qr.sh
+Icon=camera-web
+Terminal=true
+Type=Application
+Categories=Network;System;
+EOF
+
+echo "QR code scanning tools installed successfully."
+```
+
 ### config/hooks/live/security-hardening.sh
 
 ```bash