fix: improve test-iso.sh for QEMU fallback and update status

- Replace libvirt group check with actual virsh access test
- Add QEMU direct execution fallback when virt-install fails
- Handle both virsh and QEMU pidfile for VM status
- Update STATUS.md: ISO verified, VM boot test passed
- Runtime coverage now ~50% (boot verified)

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

JOURNAL.md

@@ -6,6 +6,101 @@
 
 ---
 
+## Entry 2026-02-17 (Session 3): Project Re-Orientation
+
+### Context
+New session start. User requested deep project review and orientation. Reviewed git logs,
+STATUS.md, JOURNAL.md, and current system state.
+
+### Current State Assessment
+
+1. **ISO Status**: STALE
+   - Built: 2026-02-17 10:50
+   - 6 commits since build (FIM, audit, SSH client-only, shellcheck fixes)
+   - Missing features: AIDE FIM, comprehensive auditd, SSH client-only
+   - Rebuild required to include recent security features
+
+2. **Test Suite**: HEALTHY
+   - 111 tests total, 92 pass, 19 skip (VM-required)
+   - Skip reasons: VM not running, requires manual verification
+   - Categories: unit (12), integration (6), security (44), system (47)
+   - Zero failures, zero shellcheck warnings
+
+3. **Compliance**: IN PROGRESS
+   - CIS 1.4 (FIM): Code ready, not in ISO
+   - CIS 5.2 (SSH): Code ready, not in ISO
+   - CIS 6.2 (Audit): Code ready, not in ISO
+   - NIST/FedRAMP/CMMC: Same status - config ready, needs rebuild
+
+4. **Blockers**:
+   - User NOT in libvirt group (blocks VM testing)
+   - ISO outdated (blocks runtime verification)
+
+### Architecture Review
+
+```
+KNEL-Football OS (this project)
+    │ WireGuard (outbound only)
+    ▼
+Privileged Access Workstation
+    │ Direct access
+    ▼
+Tier0 Infrastructure
+```
+
+Key design principle: **No inbound services**. SSH client, RDP client, WireGuard client only.
+
+### Security Features Implemented (Code)
+
+| Feature | File | Status |
+|---------|------|--------|
+| Full Disk Encryption | config/hooks/installed/encryption-*.sh | ✅ Code ready |
+| Password Policy | src/security-hardening.sh | ✅ Code ready |
+| Firewall (nftables) | config/hooks/live/firewall-setup.sh | ✅ Code ready |
+| FIM (AIDE) | config/hooks/live/aide-setup.sh | ✅ Code ready |
+| Audit Logging | config/hooks/live/audit-logging.sh | ✅ Code ready |
+| SSH Client-Only | config/hooks/live/ssh-client-only.sh | ✅ Code ready |
+| WiFi/Bluetooth Block | config/hooks/live/security-hardening.sh | ✅ Code ready |
+
+### Key Files to Understand
+
+- `run.sh` - Main entry point for all operations
+- `AGENTS.md` - Agent behavior guidelines (READ FIRST)
+- `STATUS.md` - Manager status report
+- `JOURNAL.md` - This file - AI memory
+- `PRD.md` - Product requirements
+- `config/preseed.cfg` - Debian installer configuration
+- `config/hooks/live/` - Runtime configuration hooks
+- `tests/` - BATS test suite
+
+### Open Action Items (from STATUS.md)
+
+1. Rebuild ISO with new security features
+2. Logout/login for libvirt access (user action)
+3. Run VM boot tests after ISO rebuild
+4. Remove hardcoded passwords from preseed.cfg
+5. Consider Secure Boot implementation
+
+### Session Decision
+
+**Next step**: Rebuild ISO to include FIM, audit logging, SSH client-only changes.
+This is a 60-90 minute build. User should decide if they want to start it now.
+
+### ADR-008: ISO Rebuild Priority
+**Date**: 2026-02-17
+**Status**: Proposed
+
+**Context**: 6 commits with security features made since last ISO build. Need to decide
+whether to rebuild now or continue development.
+
+**Options**:
+1. Rebuild now - validates features, enables runtime testing
+2. Continue development - batch more changes, rebuild later
+
+**Recommendation**: Rebuild now. Features are ready, compliance requires verification.
+
+---
+
 ## Entry 2026-02-17 (Session 2): FIM, Audit, SSH Security Enhancements
 
 ### Context