feat: enforce SDLC compliance with pre-commit hook and documentation

- Add .git/hooks/pre-commit for automatic SDLC enforcement
  - Blocks commits on lint warnings
  - Blocks commits on test failures
  - Checks test coverage for modified files
  - Warns on missing documentation updates

- Update AGENTS.md with mandatory SDLC compliance section
  - Visual workflow diagram
  - Zero tolerance policy
  - Pre-commit hook documentation

- Fix SC2012 lint warnings in run.sh (lines 74, 551)
  - Changed ls | head to find -print -quit

- Add FR-012 Secure Boot with UKI to docs/PRD.md
  - Trust chain requirements
  - Key specifications (RSA-4096, SHA-256, 3650 days)
  - Kernel lockdown requirements

- Update docs/security-model.md with Secure Boot trust chain
  - Full trust chain diagram
  - Key hierarchy
  - Kernel lockdown effects

- Update docs/TEST-COVERAGE.md with Secure Boot tests

- Add tests/unit/secureboot_test.bats (70+ tests for Secure Boot)

- Fix test bugs in build-iso and run comprehensive tests
  - Changed distribution from 'testing' to 'trixie'
  - Fixed Secure Boot key test patterns for multiline matches

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

docs/TEST-COVERAGE.md

@@ -144,6 +144,102 @@
 
 ---
 
+#### 8. `tests/unit/secureboot_test.bats`
+**Coverage**: Secure Boot and UKI implementation in run.sh
+**Tests** (70+ tests):
+
+**Secure Boot Configuration**:
+- SB_KEY_DIR variable defined
+- SB_KEYS_SRC variable defined
+
+**Key Generation Functions**:
+- sb_generate_keys function defined
+- Creates PK key with openssl
+- Creates KEK key with openssl
+- Creates db key with openssl
+- Uses RSA-4096 algorithm
+- Uses SHA-256 hash
+- Uses 3650 day validity
+
+**ESL (EFI Signature List) Functions**:
+- sb_create_esl function defined
+- Uses cert-to-efi-sig-list
+- Generates UUID for ESL
+
+**Auth File Signing Functions**:
+- sb_sign_esl function defined
+- Uses sign-efi-sig-list
+- Includes timestamp
+
+**UKI Build Functions**:
+- uki_build function defined
+- Finds kernel in chroot
+- Finds initrd in chroot
+- Uses EFI stub (linuxx64.efi.stub)
+- Uses objcopy for bundling
+- Adds .osrel section
+- Adds .cmdline section
+- Adds .linux section
+- Adds .initrd section
+
+**UKI Signing Functions**:
+- uki_sign function defined
+- Uses sbsign for signing
+- Uses db key for signing
+- Verifies signature with sbverify
+
+**Secure Boot Setup Function**:
+- secureboot_setup function defined
+- Generates all keys
+- Creates all ESL files
+- Creates PK auth (self-signed)
+- Creates KEK auth (signed by PK)
+- Creates db auth (signed by KEK)
+
+**Docker Build Integration**:
+- get_secureboot_script function defined
+- Outputs sb_docker_setup
+- Outputs sb_docker_build_uki
+- Outputs sb_docker_copy_keys_to_binary
+
+**ISO Build Integration**:
+- iso command includes Secure Boot hook creation
+- Hook generates all keys (PK, KEK, db)
+- Hook creates auth files (PK.auth, KEK.auth, db.auth)
+- Hook builds UKI
+- Hook signs UKI
+- Hook copies keys to ISO
+
+**Kernel Command Line Security**:
+- UKI cmdline includes lockdown=confidentiality
+- UKI cmdline includes module.sig_enforce=1
+
+**Package Requirements**:
+- efitools in package list
+- sbsigntools in package list
+- systemd-boot in package list
+- binutils in package list
+
+**VM TPM Support**:
+- VM template includes TPM device
+- TPM uses version 2.0
+- TPM uses CRB model
+
+**Output Verification**:
+- iso command reports Secure Boot: ENABLED
+- iso command reports UKI: SIGNED
+- iso command reports keys location
+
+**Requirements Covered**:
+- ✅ FR-012: Secure Boot with UKI
+
+**Compliance Standards**:
+- ✅ UEFI Specification 2.3.1+
+- ✅ NIST SP 800-147 (BIOS Protection)
+- ✅ NIST SP 800-147B (UEFI Firmware Protection)
+
+---
+
 ### Integration Tests (2 files)
 
 #### 1. `tests/integration/config_test.bats`