feat: Complete ISO build system with security features

Major updates for production-ready ISO:

1. **Debian Version**:
   - Updated to Debian 13.3.0 stable (released)
   - No longer using testing/sid
   - Using debian:stable Docker image

2. **Password Complexity Enforcement**:
   - Added libpam-pwquality and libpwquality packages
   - Password complexity enforced during install via PAM
   - Configured in security-config.sh:
     * Minimum 12 characters
     * Mixed case required
     * At least one digit
     * At least one special character
     * 3 character classes required
   - Preseed enforces password checks during installer

3. **Auto-Lock After 1 Minute**:
   - Added xautolock and xscreensaver packages
   - Configured in .xinitrc for auto-lock after 1 minute idle
   - Uses xscreensaver-command -lock for screen locking

4. **USB Drive Mounting**:
   - Added udisks2, gvfs-backends, gvfs-fuse packages
   - Created polkit rules for USB mounting
   - User added to plugdev and cdrom groups
   - USB drives mountable via file manager

5. **WiFi and Bluetooth Disabling**:
   - Created config/disable-wifi-bt.sh script
   - Blacklists all WiFi kernel modules
   - Blacklists all Bluetooth kernel modules
   - Masks bluetooth service
   - Removes bluez packages

6. **First-Boot Verification**:
   - Created scripts/verify-system.sh
   - Created config/football-first-boot.service
   - Verifies all functional requirements
   - Runs once on first boot
   - Prevents re-running via status file

7. **ISO Build System**:
   - Updated to use Debian 13.3.0 stable ISO
   - Scripts and config baked into ISO
   - Docker-based build process
   - Corrected ISO filename throughout

8. **Preseed Configuration**:
   - Manual user creation (not automated)
   - Manual password prompts (enforced via PAM)
   - Late_command applies all security configs
   - Copies verification script to target
   - Enables first-boot verification service

Files Added:
- config/disable-wifi-bt.sh (WiFi/BT disabling)
- config/security-config.sh (password complexity, auto-lock, USB mounting)
- config/football-first-boot.service (first-boot verification systemd service)
- scripts/verify-system.sh (comprehensive verification script)

Files Updated:
- config/preseed.cfg (password enforcement, security packages, late_command)
- scripts/build-iso.sh (Debian 13.3.0, correct filenames)
- docs/FUNCTIONAL-REQUIREMENTS.md (verification strategy)
- AGENTS.md (documentation references)
- README.md (documentation references)

All requirements from this session implemented:
✓ Password complexity enforced during install
✓ Auto-lock after 1 minute idle
✓ USB drive mounting enabled
✓ WiFi/Bluetooth disabled
✓ First-boot verification
✓ Scripts baked into ISO (no internet needed)
✓ All packages in ISO
✓ Debian 13.3.0 stable

💘 Generated with Crush

Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>

docs/FUNCTIONAL-REQUIREMENTS.md

@@ -321,7 +321,98 @@ The system MUST be tested for:
 
 ---
 
-## 9. Acceptance Criteria
+## 9. Verification Strategy
+
+### 9.1 First-Boot Verification (Automatic)
+
+The system automatically runs verification on first boot:
+
+1. **Verification Service**: Systemd service `football-first-boot` runs once on first boot
+2. **Verification Script**: `/usr/local/bin/verify-system.sh` checks all functional requirements
+3. **Status Tracking**: `/var/lib/football/verification-status` prevents re-running
+4. **Logging**: Results logged to `/var/log/football-first-boot-verification.log`
+
+**Verification Checks**:
+- FR-1: Remote Access (Remmina, WireGuard, IceWM installed)
+- FR-2: Network Isolation (SSH disabled, firewall configured)
+- FR-3: Minimal UI (IceWM configured, Remmina auto-starts)
+- FR-5: Zero Remote Admin (SSH/telnet disabled)
+- FR-6: System Hardening (AppArmor, auditd, AIDE installed)
+- FR-7: Integrity (AIDE database and config exist)
+- FR-8: Firewall (nftables/iptables installed and enabled)
+- FR-9: Boot Config (GRUB and kernel installed)
+- FR-10: Storage (LVM installed, root filesystem mounted)
+- FR-11: System Updates (APT configured, no dev tools)
+- FR-12: Logging (rsyslog, logrotate, auditd configured)
+
+### 9.2 Preseed Integration (Installation)
+
+Verification scripts are embedded in ISO and copied during installation:
+
+**Scripts Baked into ISO**:
+- `scripts/verify-system.sh` → `/usr/local/bin/verify-system.sh`
+- `config/disable-wifi-bt.sh` → Run during late_command
+- `config/football-first-boot.service` → `/etc/systemd/system/`
+
+**Preseed Late_Command Actions**:
+1. Disable SSH and SSHD services (mask and disable)
+2. Disable Bluetooth service (mask)
+3. Run `disable-wifi-bt.sh` script (blacklist kernel modules)
+4. Copy `verify-system.sh` to `/usr/local/bin/`
+5. Copy `football-first-boot.service` to `/etc/systemd/system/`
+6. Enable first-boot verification service
+7. Create autostart directory and Remmina autostart file
+8. Create `.xinitrc` for IceWM session
+9. Set correct permissions on `/home/user`
+
+### 9.3 WiFi and Bluetooth Disabling
+
+Both are completely disabled during installation:
+
+**Kernel Module Blacklisting**:
+- `/etc/modprobe.d/disable-wifi.conf`: All WiFi drivers blacklisted
+- `/etc/modprobe.d/disable-bluetooth.conf`: All Bluetooth drivers blacklisted
+
+**Service Masking**:
+- Bluetooth service masked
+- No WiFi services exist
+
+**Package Removal**:
+- `bluez`, `bluez-firmware` purged during install
+
+### 9.4 Manual Verification (Optional)
+
+Administrators can run verification manually:
+
+```bash
+# Run verification script
+/usr/local/bin/verify-system.sh
+
+# Check first-boot verification status
+cat /var/lib/football/verification-status
+
+# View verification logs
+cat /var/log/football-first-boot-verification.log
+```
+
+### 9.5 ISO Verification (Pre-Deployment)
+
+Before deployment, ISO can be tested:
+
+```bash
+# Test ISO by booting VM
+./scripts/test-iso.sh
+
+# Access VM console
+screen -r football-iso-test
+
+# Check for first-boot verification completion
+tail -f /output/vm-console.log
+```
+
+---
+
+## 10. Acceptance Criteria
 
 The Football Secure Access System is considered production-ready when: