fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport

Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08,
M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes.

Changes:
- run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07),
  add module.sig_enforce to Docker-embedded UKI (H-08)
- usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05),
  restrict dmask/fmask, add input validation, add audit logging (M-08)
- security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01),
  remove sshd_config generation (H-02), expand WiFi blacklist (M-12)
- firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port
  range to 51820 only (M-05)
- firewall-setup.sh (src): Add ct state established,related (H-03)
- security-hardening.sh (src): Fix apply_security_hardening to call
  configure_ssh_client and configure_fim with separate output paths (M-01)
- install-scripts.sh: Remove football from sudo group (M-02)
- mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened
  even without existing fstab entries (M-07)
- encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic
  LUKS device discovery (H-06), fix recovery key generation (M-04),
  fix crypttab sed pattern
- qr-code-import.sh: Restrict temp file permissions (H-04)
- Tests updated to match new security posture

All 786+ tests pass. Zero shellcheck warnings.

Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through
H-08, M-01, M-02, M-05, M-07, M-08, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-08 12:08:54 -05:00
parent e80725005f
commit 2b422cf62c
13 changed files with 199 additions and 98 deletions

20
run.sh

@@ -697,8 +697,8 @@ uki_sign() {
log_info "UKI signed successfully"
return 0
else
log_warn "UKI signed but verification uncertain"
return 0
log_error "UKI signature verification FAILED"
return 1
fi
}
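Review bot: In the else branch of uki_sign, `return 1` leaves the signed but unverified UKI on disk (the removed message said it was "signed but verification uncertain"), so a later step or a rerun could still pick it up. Delete or rename the output before returning, and include the file path in the `log_error` message so the failure can be traced from the build log. Callers of uki_sign that previously ignored the return value also need a check now that it can be non-zero.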
@@ -840,7 +840,7 @@ sb_docker_build_uki() {
local cmdline="${build_dir}/cmdline.txt"
# Create cmdline
echo "quiet splash lockdown=confidentiality" > "$cmdline"
echo "quiet splash lockdown=confidentiality module.sig_enforce=1" > "$cmdline"
# Build UKI
echo "[SecureBoot] Bundling kernel+initrd+cmdline..."
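Review bot: The kernel command line in sb_docker_build_uki is a hard-coded literal at the `echo ... > "$cmdline"` line, and the commit message describes this change as adding module.sig_enforce to the Docker-embedded UKI specifically, which implies another copy of the string elsewhere. Define the command line once (for example a single readonly variable used by every UKI build path) and add a test asserting that `lockdown=confidentiality` and `module.sig_enforce=1` are both present, so the two copies cannot drift apart again.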
@@ -861,8 +861,8 @@ sb_docker_build_uki() {
echo "[SecureBoot] UKI signed and verified: $uki_file"
return 0
else
echo "[SecureBoot] WARNING: UKI verification uncertain"
return 0
echo "[SecureBoot] ERROR: UKI signature verification FAILED"
return 1
fi
}
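Review bot: The failure message at `echo "[SecureBoot] ERROR: UKI signature verification FAILED"` goes to stdout and does not name the file, while the success line prints `$uki_file`. Send the error to stderr (`>&2`) and include `$uki_file`. This branch is also a copy of the one in uki_sign; sharing one verification helper would keep the two from diverging.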
@@ -1055,8 +1055,11 @@ main() {
KNEL_BUILD_MODE="production"
log_info "Build mode: PRODUCTION (prompts for credentials during install)"
fi
log_warn "Host FDE check: ${KNEL_BUILD_MODE} build on potentially unencrypted host"
log_warn "PRD FR-011 requires host FDE - proceeding with build anyway"
if ! check_host_fde; then
log_error "Host FDE check FAILED - cannot build on unencrypted host"
log_error "See PRD FR-011: Host FDE is MANDATORY"
exit 1
fi
echo "Building KNEL-Football secure ISO..."
echo "ALL operations run inside Docker container"
echo "Timezone: America/Chicago"
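Review bot: The new `if ! check_host_fde; then` gate depends entirely on a function whose definition is not in the hunks shown here, so its failure behaviour needs confirming. Make sure check_host_fde fails closed, returning non-zero when it cannot determine the encryption state (missing tool, unreadable device, running inside the container rather than on the host) and not only when it positively detects an unencrypted disk. The two `log_error` lines would also be more useful if they said what was inspected, so an operator can tell a real FDE failure from a detection failure.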
@@ -1252,7 +1255,8 @@ echo "[SB] Verifying UKI signature..."
if sbverify "$UKI_FILE" 2>&1 | grep -q "Signature verification"; then
echo "[SB] UKI signature verified successfully"
else
echo "[SB] WARNING: UKI signature verification uncertain"
echo "[SB] ERROR: UKI signature verification FAILED"
exit 1
fi
# Copy keys to ISO for installation enrollment
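Review bot: The condition `sbverify "$UKI_FILE" 2>&1 | grep -q "Signature verification"` can still succeed on a bad signature, which undoes the new `exit 1`. sbverify reports both outcomes with a line containing that phrase ("Signature verification OK" and "Signature verification failed"), and `2>&1` merges stderr into the pipe, so the grep matches either. Test sbverify's exit status directly, passing the expected certificate with `--cert`, or at minimum match the full string "Signature verification OK". If the uki_sign and sb_docker_build_uki checks use the same pattern, they need the same fix.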