fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport

Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08,
M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes.

Changes:
- run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07),
  add module.sig_enforce to Docker-embedded UKI (H-08)
- usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05),
  restrict dmask/fmask, add input validation, add audit logging (M-08)
- security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01),
  remove sshd_config generation (H-02), expand WiFi blacklist (M-12)
- firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port
  range to 51820 only (M-05)
- firewall-setup.sh (src): Add ct state established,related (H-03)
- security-hardening.sh (src): Fix apply_security_hardening to call
  configure_ssh_client and configure_fim with separate output paths (M-01)
- install-scripts.sh: Remove football from sudo group (M-02)
- mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened
  even without existing fstab entries (M-07)
- encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic
  LUKS device discovery (H-06), fix recovery key generation (M-04),
  fix crypttab sed pattern
- qr-code-import.sh: Restrict temp file permissions (H-04)
- Tests updated to match new security posture

All 786+ tests pass. Zero shellcheck warnings.

Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through
H-08, M-01, M-02, M-05, M-07, M-08, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

config/hooks/live/security-hardening.sh

@@ -11,15 +11,22 @@ cat >/etc/modprobe.d/blacklist-wifi.conf <<'EOF'
 blacklist cfg80211
 blacklist mac80211
 blacklist brcmfmac
+blacklist brcmsmac
+blacklist brcm80211
 blacklist iwlwifi
+blacklist iwlmvm
 blacklist ath9k
 blacklist ath9k_htc
 blacklist ath10k_pci
+blacklist ath10k_sdio
+blacklist ath11k_pci
+blacklist ath11k_ahb
 blacklist rtl8188ee
 blacklist rtl8192ce
 blacklist rtl8192se
 blacklist rtl8723ae
 blacklist rtl8821ae
+blacklist rtl8xxxu
 blacklist rt73usb
 blacklist rt2800usb
 blacklist rt2x00lib
@@ -27,6 +34,8 @@ blacklist rt2x00usb
 blacklist mwifiex
 blacklist mwifiex_pcie
 blacklist mwifiex_sdio
+blacklist r8188eu
+blacklist r8723bs
 EOF
 
 # Bluetooth module blacklist
@@ -57,22 +66,15 @@ Host *
     ConnectTimeout 30
     ServerAliveInterval 300
     ServerAliveCountMax 2
-    StrictHostKeyChecking ask
+    StrictHostKeyChecking yes
     UserKnownHostsFile ~/.ssh/known_hosts
 EOF
 
-# SSH server config (defense-in-depth - sshd not installed per PRD FR-006)
-cat >/etc/ssh/sshd_config <<'EOF'
-# SSH Server Hardening (defense-in-depth)
-# Reference: PRD FR-006 - Client-only system, sshd not installed
-Protocol 2
-PermitRootLogin no
-PermitEmptyPasswords no
-MaxAuthTries 3
-ClientAliveInterval 300
-ClientAliveCountMax 2
-X11Forwarding no
-EOF
+# SSH server is NOT installed per PRD FR-006
+# Ensure no sshd_config exists to prevent accidental activation
+rm -f /etc/ssh/sshd_config
+touch /etc/ssh/sshd_config.disabled
+echo "# SSH server disabled per PRD FR-006" > /etc/ssh/sshd_config.disabled
 
 # Password policy - PRD FR-007, NIST SP 800-63B
 mkdir -p /etc/security