fix: resolve final PRD alignment issues, update docs

PRD Alignment Fixes:
- disable-package-management.sh: Keep dpkg-query executable for audit
  tools (was disabled despite comments claiming it was preserved)
- run.sh: Replace silent FDE skip with explicit warning message
  (PRD FR-011 says mandatory but host has no LUKS)
- run.sh: Fix checksum generation to use post-rename filename
  (was referencing live-image-amd64.hybrid.iso instead of
  knel-football-secure.iso)

Documentation Updates:
- STATUS.md: Add FR-012 to alignment matrix (was missing)
- STATUS.md: Fix stale requiretty reference (was removed)
- STATUS.md: Update PRD coverage to 12/12
- JOURNAL.md: Replace audit entry with comprehensive fix entry

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

STATUS.md

@@ -1,6 +1,6 @@
 # KNEL-Football Project Status Report
 
-> **Last Updated**: 2026-05-07 (Session 7 - Full Audit)
+> **Last Updated**: 2026-05-07 (Session 7 - Comprehensive Fix)
 > **Maintained By**: AI Agent (Crush)
 > **Purpose**: Quick-glance status for project manager
 
@@ -47,7 +47,7 @@
 | SSH Client-Only | ✅ READY | configure_ssh_client in hook |
 | Kernel Hardening | ✅ READY | sysctl: ASLR, ptrace, kptr, dmesg restrict |
 | Service Hardening | ✅ READY | avahi, cups, bluetooth, NM, ModemManager disabled |
-| Sudo Hardening | ✅ READY | requiretty, logging, timeout, env_reset |
+| Sudo Hardening | ✅ READY | logging, timeout, env_reset, lecture |
 | Mount Hardening | ✅ READY | nodev/nosuid/noexec on /tmp, /home, /dev/shm |
 
 ---
@@ -168,7 +168,7 @@ Tier0 Infrastructure
 |--------|---------|--------|
 | Test Count | 786 | 786 ✅ |
 | Test Files | 26 | 26 ✅ |
-| PRD Coverage | 11/11 | 11/11 ✅ |
+| PRD Coverage | 12/12 | 12/12 ✅ |
 | Static Coverage | 100% | 100% ✅ |
 | Shellcheck Warnings | 0 | 0 ✅ |
 | TODO/FIXME in Code | 0 | 0 ✅ |