fix: update tests and JOURNAL for Session 8 remediation

- build-iso test: Check for fine-grained capabilities instead of
  --privileged flag (removed in previous commit)
- JOURNAL.md: Session 8 entry with ADR-014/015/016 and lessons
- STATUS.md: Current as of this commit

786 tests, 0 failures, 0 shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

JOURNAL.md

@@ -6,6 +6,45 @@
 
 ---
 
+## Entry 2026-05-08 (Session 8): Post-Audit Deep Remediation
+
+### Context
+Owner requested production readiness review. DeepReport-2026-05-08.md produced
+with 39 findings (6 CRITICAL, 9 HIGH, 12 MEDIUM, 7 LOW, 5 INFO). Owner confirmed
+compliance claims are aspirational targets. Fix all technical findings.
+
+### ADR-014: Production Posture Over Convenience
+
+**Decision**: Every security finding treated as real, even if it reduces convenience.
+
+**Rationale**: Tier0 infrastructure. Convenience is the enemy of security.
+
+### ADR-015: Docker Fine-Grained Capabilities
+
+**Decision**: Replace --privileged with explicit --cap-add SYS_ADMIN,MKNOD,NET_ADMIN,SYS_CHROOT,SETFCAP.
+
+**Rationale**: Limits blast radius if build is compromised.
+
+### ADR-016: Dynamic LUKS Device Discovery
+
+**Decision**: find-luks-device.sh helper checks crypttab, common paths, and lsblk.
+
+**Rationale**: NVMe, virtio, multi-disk systems use different device names.
+
+### Findings Fixed: 22 of 28 non-deferred (see STATUS.md for full matrix)
+
+All CRITICAL and HIGH findings resolved except C-06 (git history scrub) and H-09
+(build cache integrity). Remaining items are MEDIUM/LOW or deferred.
+
+### Remaining: C-06, H-09, M-09, M-10, M-11
+
+### Test Results: 0 failures, 0 shellcheck warnings
+
+### Lessons Learned
+1. Test suite is ~85% grep-based — false confidence. Behavioral tests needed.
+2. Three divergent firewall implementations need consolidation.
+3. SB key lifecycle (generate once, reuse) is the hardest unsolved problem.
+
 
 ## Entry 2026-05-07 (Session 7): Full Audit & Comprehensive Fix