fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport

Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08,
M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes.

Changes:
- run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07),
  add module.sig_enforce to Docker-embedded UKI (H-08)
- usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05),
  restrict dmask/fmask, add input validation, add audit logging (M-08)
- security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01),
  remove sshd_config generation (H-02), expand WiFi blacklist (M-12)
- firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port
  range to 51820 only (M-05)
- firewall-setup.sh (src): Add ct state established,related (H-03)
- security-hardening.sh (src): Fix apply_security_hardening to call
  configure_ssh_client and configure_fim with separate output paths (M-01)
- install-scripts.sh: Remove football from sudo group (M-02)
- mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened
  even without existing fstab entries (M-07)
- encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic
  LUKS device discovery (H-06), fix recovery key generation (M-04),
  fix crypttab sed pattern
- qr-code-import.sh: Restrict temp file permissions (H-04)
- Tests updated to match new security posture

All 786+ tests pass. Zero shellcheck warnings.

Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through
H-08, M-01, M-02, M-05, M-07, M-08, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

config/hooks/installed/encryption-setup.sh

@@ -31,7 +31,7 @@ EOF
 if [ -f /etc/crypttab ]; then
     echo "Verifying crypttab configuration..."
     # Ensure crypttab has proper options
-    sed -i 's/luks$/luks,discard,cipher=aes-xts-plain64,key-size=512/g' /etc/crypttab
+    sed -i '/\/dev\/mapper\|^#/!s/\bluks\b/luks,discard,cipher=aes-xts-plain64,key-size=512/' /etc/crypttab
 fi
 
 # Configure initramfs to include necessary modules for decryption
@@ -99,8 +99,8 @@ Recovery Information:
 
 Commands:
 - Check encryption status: cryptsetup status cryptroot
-- Add additional passphrase: cryptsetup luksAddKey /dev/sda3
-- List key slots: cryptsetup luksDump /dev/sda3
+- Add additional passphrase: cryptsetup luksAddKey $(find-luks-device.sh)
+- List key slots: cryptsetup luksDump $(find-luks-device.sh)
 
 WARNING: Losing the encryption passphrase will result in
 permanent data loss. There is NO backdoor or recovery mechanism
@@ -138,11 +138,18 @@ for dev in /dev/mapper/*; do
 done
 echo ""
 
-# Check LUKS container details
-if [ -b /dev/sda3 ]; then
-    echo "LUKS Container Information:"
+# Check LUKS container details (dynamic device discovery)
+LUKS_DEV=""
+for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
+    if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
+        LUKS_DEV="$dev"
+        break
+    fi
+done
+if [ -n "$LUKS_DEV" ]; then
+    echo "LUKS Container Information ($LUKS_DEV):"
     echo "---------------------------"
-    cryptsetup luksDump /dev/sda3 | head -20
+    cryptsetup luksDump "$LUKS_DEV" | head -20
     echo ""
 fi
 
@@ -160,6 +167,45 @@ EOF
 
 chmod +x /usr/local/bin/check-encryption.sh
 
+# Create LUKS device discovery helper
+cat > /usr/local/bin/find-luks-device.sh <<'EOF'
+#!/bin/bash
+# Discover the LUKS encrypted partition dynamically
+set -euo pipefail
+
+# Method 1: Check crypttab for the root device
+if [ -f /etc/crypttab ]; then
+    while read -r name device _ _; do
+        [ -z "$name" ] || [ "$name" = "#" ] && continue
+        if [ -b "$device" ] && cryptsetup isLuks "$device" 2>/dev/null; then
+            echo "$device"
+            exit 0
+        fi
+    done < /etc/crypttab
+fi
+
+# Method 2: Check common partition layouts
+for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
+    if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
+        echo "$dev"
+        exit 0
+    fi
+done
+
+# Method 3: Scan all partitions with lsblk
+if command -v lsblk >/dev/null 2>&1; then
+    while read -r dev; do
+        if cryptsetup isLuks "$dev" 2>/dev/null; then
+            echo "$dev"
+            exit 0
+        fi
+    done < <(lsblk -lnpo NAME,FSTYPE 2>/dev/null | awk '$2 == "crypto_LUKS" {print $1}')
+fi
+
+exit 1
+EOF
+chmod +x /usr/local/bin/find-luks-device.sh
+
 # Create encryption key management script
 cat > /usr/local/bin/manage-encryption-keys.sh <<'EOF'
 #!/bin/bash
@@ -201,13 +247,23 @@ case $choice in
             exit 1
         fi
 
-        echo "$existing_pass" | cryptsetup luksAddKey /dev/sda3 <<< "$new_pass"
+        LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
+        if [ -z "$LUKS_DEV" ]; then
+            echo "ERROR: No LUKS device found"
+            exit 1
+        fi
+        printf '%s\n' "$existing_pass" "$new_pass" | cryptsetup luksAddKey "$LUKS_DEV"
         echo "New passphrase added successfully"
         ;;
     2)
-        cryptsetup luksDump /dev/sda3 | grep "Key Slot"
+        LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
+        if [ -z "$LUKS_DEV" ]; then
+            echo "ERROR: No LUKS device found"
+            exit 1
+        fi
+        cryptsetup luksDump "$LUKS_DEV" | grep "Key Slot"
         read -p "Enter key slot to remove: " slot
-        cryptsetup luksKillSlot /dev/sda3 "$slot"
+        cryptsetup luksKillSlot "$LUKS_DEV" "$slot"
         echo "Key slot removed successfully"
         ;;
     3)
@@ -225,19 +281,37 @@ case $choice in
         fi
 
         # This is complex and requires careful handling
+        LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
+        if [ -z "$LUKS_DEV" ]; then
+            echo "ERROR: No LUKS device found"
+            exit 1
+        fi
         echo "This operation requires manual intervention"
-        echo "Please use: cryptsetup luksChangeKey /dev/sda3"
+        echo "Please use: cryptsetup luksChangeKey $LUKS_DEV"
         ;;
     4)
+        LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
+        if [ -z "$LUKS_DEV" ]; then
+            echo "ERROR: No LUKS device found"
+            exit 1
+        fi
         echo "Active key slots:"
-        cryptsetup luksDump /dev/sda3 | grep "Key Slot" | grep "ENABLED"
+        cryptsetup luksDump "$LUKS_DEV" | grep "Key Slot" | grep "ENABLED"
         ;;
     5)
         echo "Generating recovery key..."
         # Generate a strong random key
-        dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 > /var/backups/keys/recovery_key_$(date +%Y%m%d_%H%M%S).txt
-        chmod 600 /var/backups/keys/recovery_key_*.txt
-        echo "Recovery key generated and stored in /var/backups/keys/"
+        LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
+        if [ -z "$LUKS_DEV" ]; then
+            echo "ERROR: No LUKS device found"
+            exit 1
+        fi
+        KEY_FILE="/var/backups/keys/recovery_key_$(date +%Y%m%d_%H%M%S).txt"
+        dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 > "$KEY_FILE"
+        chmod 600 "$KEY_FILE"
+        echo "Recovery key generated: $KEY_FILE"
+        echo "To add this key to a LUKS slot:"
+        echo "  cryptsetup luksAddKey $LUKS_DEV $KEY_FILE"
         echo "WARNING: Store this key in a secure, offline location"
         ;;
     0)