fix: resolve critical build bugs and add missing PRD requirements

Critical fixes:
- Fix security-hardening.sh live hook: removed broken source from
  /build/src/ which doesn't exist during live-build; made hook
  self-contained by inlining all config generation
- Fix firewall-setup.sh live hook: removed broken source from
  /build/src/; hook already had inline nftables config
- Fix install-scripts.sh: replaced /workspace/src/ references with
  embedded inline scripts (installed system has no /workspace)
- Fix UKI cmdline in standalone uki_build(): added
  lockdown=confidentiality and module.sig_enforce=1 to match the
  inline Secure Boot hook
- Fix WiFi blacklist: expanded from 6 entries to 19, now covers all
  PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*)

Missing PRD requirements added:
- kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace
  restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID
  dumpable disabled, hardlink/symlink protection, network hardening
- service-hardening.sh (FR-007): disables and masks avahi-daemon,
  cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport
- sudo-hardening.sh (FR-007): requiretty, logging (input/output),
  timestamp timeout, env_reset, restricted football user commands
- mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp,
  nodev/nosuid on /home, /dev/shm hardening

Test improvements:
- Rewrote security-hardening_comprehensive_test.bats: tests now
  source scripts, call functions, and verify generated output files
- Rewrote firewall-setup_comprehensive_test.bats: tests now create
  WireGuard configs, call parse_wg_endpoint, verify nftables output
- Added new-hooks_test.bats: 42 tests for kernel hardening, service
  hardening, sudo hardening, mount hardening, self-containment
  verification, and WiFi blacklist completeness
- Total: 788 tests passing, 0 failures, 0 shellcheck warnings

Reference: docs/PRD.md FR-005, FR-007, security-model.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

config/hooks/installed/install-scripts.sh

@@ -4,9 +4,104 @@ set -euo pipefail
 
 echo "Installing source scripts..."
 
-# Install source scripts
-install -m 755 /workspace/src/firewall-setup.sh /usr/local/bin/
-install -m 755 /workspace/src/security-hardening.sh /usr/local/bin/
+# Install firewall-setup script (embedded - /workspace not available in installed system)
+cat >/usr/local/bin/firewall-setup.sh <<'FIREWALL_SCRIPT'
+#!/bin/bash
+set -euo pipefail
+
+parse_wg_endpoint() {
+  local wg_config="${1:-/etc/wireguard/wg0.conf}"
+  if [[ ! -f $wg_config ]]; then
+    echo "Error: WireGuard config not found at $wg_config"
+    return 1
+  fi
+  grep -oP 'Endpoint = \K[0-9.]+:[0-9]+' "$wg_config" || {
+    echo "Error: Could not parse endpoint from WireGuard config"
+    return 1
+  }
+}
+
+generate_nftables_rules() {
+  local endpoint="$1"
+  local ip="${endpoint%:*}"
+  local port="${endpoint#*:}"
+  cat <<NFTCONF
+#!/usr/sbin/nft -f
+flush ruleset
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop
+        iif lo accept comment "Accept loopback"
+        icmp type echo-request accept comment "Accept ping"
+    }
+    chain forward {
+        type filter hook forward priority 0; policy drop
+    }
+    chain output {
+        type filter hook output priority 0; policy drop
+        oif lo accept comment "Accept loopback"
+        udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
+        icmp type echo-request accept comment "Allow ping"
+    }
+}
+NFTCONF
+}
+
+apply_firewall() {
+  local wg_config="${1:-/etc/wireguard/wg0.conf}"
+  if [[ -f $wg_config ]]; then
+    endpoint=$(parse_wg_endpoint "$wg_config")
+    if [[ -n $endpoint ]]; then
+      generate_nftables_rules "$endpoint" >/etc/nftables.conf
+      systemctl enable nftables
+      systemctl restart nftables
+      echo "Firewall configured for endpoint: $endpoint"
+    else
+      echo "Warning: Could not parse WireGuard endpoint, using default deny policy"
+    fi
+  else
+    echo "Warning: WireGuard config not found, using default deny policy"
+  fi
+}
+
+main() {
+  echo "Setting up dynamic firewall..."
+  apply_firewall "$@"
+  echo "Firewall setup completed."
+}
+
+if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
+  main "$@"
+fi
+FIREWALL_SCRIPT
+chmod +x /usr/local/bin/firewall-setup.sh
+
+# Install security-hardening script (embedded)
+cat >/usr/local/bin/security-hardening.sh <<'HARDENING_SCRIPT'
+#!/bin/bash
+set -euo pipefail
+
+check_encryption_status() {
+  echo "Checking encryption status..."
+  if command -v cryptsetup >/dev/null 2>&1; then
+    for dev in /dev/mapper/*; do
+      if [ -e "$dev" ]; then
+        echo "Encrypted device: $dev"
+      fi
+    done
+  fi
+}
+
+main() {
+  echo "KNEL-Football Security Hardening Utility"
+  check_encryption_status
+}
+
+if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
+  main "$@"
+fi
+HARDENING_SCRIPT
+chmod +x /usr/local/bin/security-hardening.sh
 
 # Create VPN configuration apply script
 cat >/usr/local/bin/apply-vpn-config.sh <<'EOF'

config/hooks/installed/mount-hardening.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# Mount point hardening - PRD FR-007, CIS Benchmark 1.1
+# Reference: CIS Benchmark for Debian, NIST SP 800-53 CM-7
+set -euo pipefail
+
+echo "Applying mount point hardening..."
+
+# Create fstab security entries for temporary filesystems
+# These are added via a systemd mount helper or tmpfiles.d
+# since fstab is managed by the installer for the main partitions
+
+# Harden /tmp via tmpfiles.d (systemd-tmpfiles)
+mkdir -p /etc/tmpfiles.d
+
+cat >/etc/tmpfiles.d/knel-mount-hardening.conf <<'EOF'
+# KNEL-Football Mount Hardening
+# Ensure /tmp is mounted with nodev, nosuid, noexec
+# This supplements the installer-created fstab
+d /tmp 1777 root root 0d
+EOF
+
+# Add security mount options to fstab if entries exist
+if [ -f /etc/fstab ]; then
+    # Harden /tmp if present
+    if grep -q '/tmp' /etc/fstab 2>/dev/null; then
+        sed -i '/\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true
+    fi
+
+    # Harden /var/tmp if present
+    if grep -q '/var/tmp' /etc/fstab 2>/dev/null; then
+        sed -i '/\/var\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true
+    fi
+
+    # Harden /home if present
+    if grep -q '/home' /etc/fstab 2>/dev/null; then
+        sed -i '/\/home/s/defaults/defaults,nodev,nosuid/' /etc/fstab 2>/dev/null || true
+    fi
+
+    # Harden /dev/shm if present
+    if grep -q '/dev/shm' /etc/fstab 2>/dev/null; then
+        sed -i '/\/dev\/shm/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true
+    fi
+fi
+
+# If /tmp is NOT in fstab, add a tmpfs entry with hardening
+if ! grep -q '/tmp' /etc/fstab 2>/dev/null; then
+    echo "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec,size=2G 0 0" >> /etc/fstab
+fi
+
+echo "Mount hardening completed."

config/hooks/live/firewall-setup.sh

@@ -4,11 +4,6 @@ set -euo pipefail
 
 echo "Setting up firewall configuration..."
 
-# Load firewall setup functions from proper volume path
-# Note: Source path exists at build time in Docker container
-# shellcheck disable=SC1091
-source /build/src/firewall-setup.sh
-
 # Install nftables rules (default deny policy)
 cat >/etc/nftables.conf <<'EOF'
 #!/usr/sbin/nft -f

config/hooks/live/kernel-hardening.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+# Kernel parameter hardening - PRD FR-007
+# Reference: CIS Benchmark, NIST SP 800-53, PRD security-model.md
+set -euo pipefail
+
+echo "Applying kernel hardening parameters..."
+
+# Configure sysctl security parameters
+mkdir -p /etc/sysctl.d
+
+cat >/etc/sysctl.d/99-knel-security.conf <<'EOF'
+# KNEL-Football Kernel Security Parameters
+# Reference: PRD FR-007, CIS Benchmark 3.1-3.4, NIST SP 800-53
+
+# Enable ASLR (Address Space Layout Randomization)
+kernel.randomize_va_space = 2
+
+# Restrict ptrace (prevent process inspection by unprivileged users)
+kernel.yama.ptrace_scope = 2
+
+# Restrict access to kernel pointer addresses
+kernel.kptr_restrict = 2
+
+# Restrict dmesg to privileged users
+kernel.dmesg_restrict = 1
+
+# Restrict unprivileged use of BPF
+kernel.unprivileged_bpf_disabled = 1
+
+# Enable ExecShield-like protection
+kernel.exec-shield = 1
+
+# Restrict kernel profiling
+kernel.perf_event_paranoid = 3
+
+# Disable kexec (prevent kernel replacement)
+kernel.kexec_load = 0
+
+# Restrict access to kernel logs
+dev.tty.ldisc_autoload = 0
+
+# Restrict user namespaces
+user.max_user_namespaces = 0
+
+# Disable core dumps for SUID binaries
+fs.suid_dumpable = 0
+
+# Protect hardlinks and symlinks
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+fs.protected_fifos = 2
+fs.protected_regular = 2
+
+# Network security
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+EOF
+
+# Apply sysctl settings
+sysctl --system 2>/dev/null || true
+
+echo "Kernel hardening completed."

config/hooks/live/security-hardening.sh

@@ -1,34 +1,191 @@
 #!/bin/bash
-# Security hardening hook for live system
+# Security hardening hook for live system (self-contained)
+# Reference: PRD FR-005, FR-006, FR-007
 set -euo pipefail
 
 echo "Applying security hardening..."
 
-# Apply security hardening functions from proper volume path
-# Note: Source path exists at build time in Docker container
-# shellcheck disable=SC1091
-source /build/src/security-hardening.sh
+# WiFi module blacklist
+cat >/etc/modprobe.d/blacklist-wifi.conf <<'EOF'
+# WiFi module blacklisting - PRD FR-005
+blacklist cfg80211
+blacklist mac80211
+blacklist brcmfmac
+blacklist iwlwifi
+blacklist ath9k
+blacklist ath9k_htc
+blacklist ath10k_pci
+blacklist rtl8188ee
+blacklist rtl8192ce
+blacklist rtl8192se
+blacklist rtl8723ae
+blacklist rtl8821ae
+blacklist rt73usb
+blacklist rt2800usb
+blacklist rt2x00lib
+blacklist rt2x00usb
+blacklist mwifiex
+blacklist mwifiex_pcie
+blacklist mwifiex_sdio
+EOF
 
-# Create WiFi module blacklist
-create_wifi_blacklist
+# Bluetooth module blacklist
+cat >/etc/modprobe.d/blacklist-bluetooth.conf <<'EOF'
+# Bluetooth module blacklisting - PRD FR-005
+blacklist btusb
+blacklist bluetooth
+blacklist btrtl
+blacklist btintel
+blacklist btbcm
+blacklist bnep
+blacklist rfcomm
+blacklist hidp
+EOF
 
-# Create Bluetooth module blacklist
-create_bluetooth_blacklist
+# SSH client configuration (client only - no server per PRD FR-006)
+mkdir -p /etc/ssh
+cat >/etc/ssh/ssh_config <<'EOF'
+# SSH Client Configuration
+# Reference: PRD FR-006 - Client-only, no inbound SSH services
 
-# Configure SSH client (client only - no server per security requirements)
-configure_ssh_client
+Host *
+    PasswordAuthentication no
+    PubkeyAuthentication yes
+    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+    ConnectTimeout 30
+    ServerAliveInterval 300
+    ServerAliveCountMax 2
+    StrictHostKeyChecking ask
+    UserKnownHostsFile ~/.ssh/known_hosts
+EOF
 
-# Configure password policy
-configure_password_policy
+# SSH server config (defense-in-depth - sshd not installed per PRD FR-006)
+cat >/etc/ssh/sshd_config <<'EOF'
+# SSH Server Hardening (defense-in-depth)
+# Reference: PRD FR-006 - Client-only system, sshd not installed
+Protocol 2
+PermitRootLogin no
+PermitEmptyPasswords no
+MaxAuthTries 3
+ClientAliveInterval 300
+ClientAliveCountMax 2
+X11Forwarding no
+EOF
 
-# Configure File Integrity Monitoring (AIDE)
-configure_fim
+# Password policy - PRD FR-007, NIST SP 800-63B
+mkdir -p /etc/security
+cat >/etc/security/pwquality.conf <<'EOF'
+# KNEL-Football Password Quality Requirements
+# Reference: NIST SP 800-63B, CIS Benchmarks for Debian
+minlen = 14
+dcredit = -1
+ucredit = -1
+lcredit = -1
+ocredit = -1
+difok = 4
+maxrepeat = 2
+maxclassrepeat = 2
+maxsequence = 2
+usercheck = 1
+dictcheck = 1
+gecoscheck = 1
+enforcing = 1
+badwords = password secret admin root knel football tier0 12345 qwerty
+minclass = 3
+EOF
 
-# Configure system limits
-configure_system_limits
+# File Integrity Monitoring (AIDE) - CIS 1.4, FedRAMP AU-7, CMMC AU.3.059
+mkdir -p /etc/aide
+cat >/etc/aide/aide.conf <<'EOF'
+# AIDE Configuration - CIS/FedRAMP/CMMC Compliance
+database_out=file:/var/lib/aide/aide.db.new
+database=file:/var/lib/aide/aide.db
+report_url=stdout
+SECURITY = p+u+g+s+m+c+md5+sha256+sha512
+/etc SECURITY
+/boot SECURITY
+/usr SECURITY
+/bin SECURITY
+/sbin SECURITY
+/lib SECURITY
+/lib64 SECURITY
+/etc/ssh SECURITY
+/etc/wireguard SECURITY
+/etc/security SECURITY
+/etc/audit SECURITY
+/etc/modprobe.d SECURITY
+/etc/nftables.conf SECURITY
+/etc/sudoers SECURITY
+/etc/sudoers.d SECURITY
+/etc/pam.d SECURITY
+!/proc
+!/sys
+!/dev
+!/run
+!/tmp
+!/var/log
+!/var/cache
+!/var/lib/aide
+!/var/tmp
+EOF
 
-# Configure audit rules
-configure_audit_rules
+# System resource limits
+mkdir -p /etc/security/limits.d
+cat >/etc/security/limits.d/security.conf <<'EOF'
+* hard core 0
+* soft nproc 1024
+* hard nproc 2048
+EOF
+
+# Audit rules - CIS 6.2, FedRAMP AU-2, CMMC AU.2.042
+mkdir -p /etc/audit/rules.d
+cat >/etc/audit/rules.d/audit.rules <<'EOF'
+# Comprehensive Audit Rules - CIS 6.2, FedRAMP AU-2, CMMC AU.2.042
+-w /etc/passwd -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/group -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/sudoers -p wa -k privilege_escalation
+-w /etc/sudoers.d/ -p wa -k privilege_escalation
+-w /etc/pam.d/ -p wa -k authentication
+-w /etc/security/ -p wa -k authentication
+-w /etc/login.defs -p wa -k authentication
+-w /var/log/faillog -p wa -k authentication
+-w /var/log/lastlog -p wa -k authentication
+-w /var/log/tallylog -p wa -k authentication
+-w /etc/network/ -p wa -k network_config
+-w /etc/hosts -p wa -k network_config
+-w /etc/hostname -p wa -k network_config
+-w /etc/resolv.conf -p wa -k network_config
+-w /etc/nftables.conf -p wa -k firewall
+-w /etc/wireguard/ -p wa -k wireguard_config
+-w /etc/ssh/ssh_config -p wa -k ssh_config
+-w /etc/fstab -p wa -k filesystem
+-w /etc/crypttab -p wa -k encryption
+-w /etc/modprobe.d/ -p wa -k kernel_modules
+-w /etc/sysctl.conf -p wa -k kernel_parameters
+-w /etc/sysctl.d/ -p wa -k kernel_parameters
+-w /boot/ -p wa -k boot_config
+-w /efi/ -p wa -k boot_config
+-w /etc/default/grub -p wa -k boot_config
+-w /etc/grub.d/ -p wa -k boot_config
+-w /etc/audit/ -p wa -k audit_config
+-w /var/log/audit/ -p wa -k audit_logs
+-w /etc/chrony/ -p wa -k time_sync
+-w /etc/ntp.conf -p wa -k time_sync
+-w /usr/bin/sudo -p x -k privilege_escalation
+-w /usr/bin/su -p x -k privilege_escalation
+-w /usr/bin/passwd -p x -k password_change
+-w /usr/bin/chsh -p x -k user_modification
+-w /usr/bin/usermod -p x -k user_modification
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k kernel_modules
+-w /var/lib/aide/ -p wa -k file_integrity
+EOF
 
 # Enable auditd service
 systemctl enable auditd

config/hooks/live/service-hardening.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# Disable unnecessary services - PRD FR-007
+# Reference: PRD "Disabled Services" list, CIS Benchmark 2.1
+set -euo pipefail
+
+echo "Disabling unnecessary services..."
+
+# List of services to disable per PRD FR-007
+SERVICES_TO_DISABLE=(
+    avahi-daemon
+    cups
+    bluetooth
+    NetworkManager
+    ModemManager
+    whoopsie
+    apport
+    speech-dispatcher
+    PackageKit
+)
+
+for service in "${SERVICES_TO_DISABLE[@]}"; do
+    if systemctl is-enabled "$service" 2>/dev/null | grep -q "enabled"; then
+        systemctl disable "$service" 2>/dev/null || true
+        systemctl stop "$service" 2>/dev/null || true
+        echo "Disabled service: $service"
+    elif systemctl list-unit-files "$service.service" 2>/dev/null | grep -q "$service"; then
+        systemctl disable "$service" 2>/dev/null || true
+        systemctl mask "$service" 2>/dev/null || true
+        echo "Masked service: $service"
+    else
+        echo "Service not found (OK): $service"
+    fi
+done
+
+# Mask services to prevent re-enabling
+for service in avahi-daemon cups bluetooth ModemManager whoopsie apport; do
+    systemctl mask "$service" 2>/dev/null || true
+done
+
+echo "Service hardening completed."

config/hooks/live/sudo-hardening.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# Sudo hardening - PRD FR-007 Access Control Layer
+# Reference: CIS Benchmark 5.4, NIST SP 800-53 AC-6
+set -euo pipefail
+
+echo "Configuring sudo access controls..."
+
+# Create sudoers configuration for restricted access
+mkdir -p /etc/sudoers.d
+chmod 750 /etc/sudoers.d
+
+# Default sudoers hardening
+cat >/etc/sudoers.d/99-knel-hardening <<'EOF'
+# KNEL-Football Sudo Configuration
+# Reference: PRD FR-007, CIS Benchmark 5.4, NIST SP 800-53 AC-6
+
+# Require tty for sudo (prevents script injection)
+Defaults requiretty
+
+# Lecture user on first sudo use
+Defaults lecture = always
+Defaults lecture_file = /etc/sudo.lecture
+
+# Logging and timeout
+Defaults logfile = "/var/log/sudo.log"
+Defaults log_input
+Defaults log_output
+Defaults timestamp_timeout = 15
+
+# Restrict which environment variables are preserved
+Defaults env_reset
+Defaults env_delete += "HOME"
+Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# football user can run specific admin commands
+football ALL=(root) /usr/local/bin/apply-vpn-config.sh, /usr/local/bin/convert-luks-kdf.sh, /usr/bin/systemctl restart nftables, /usr/bin/systemctl restart wg-quick@wg0, /usr/local/bin/check-encryption.sh
+
+# Root can run anything (standard)
+root ALL=(ALL:ALL) ALL
+EOF
+
+chmod 440 /etc/sudoers.d/99-knel-hardening
+
+# Create sudo lecture file
+cat >/etc/sudo.lecture <<'EOF'
+====================================================================
+  KNEL-Football Secure OS - Privileged Access Warning
+====================================================================
+
+You are about to execute a command with elevated privileges.
+
+All sudo commands are logged and audited.
+Unauthorized use of privileged access is a security violation.
+
+If you did not intend to run a privileged command, press Ctrl+C now.
+====================================================================
+EOF
+
+# Ensure sudo.log exists with correct permissions
+touch /var/log/sudo.log 2>/dev/null || true
+chmod 600 /var/log/sudo.log 2>/dev/null || true
+
+echo "Sudo hardening completed."