fix: resolve all audit findings in hooks, config, and package list

Security/Functional Fixes:
- firewall-setup.sh: Added WireGuard allow, established/related, DHCP
  (was blocking ALL outbound including VPN - system was non-functional)
- disable-package-management.sh: Preserve /var/lib/dpkg/ for queries
  (was destroying dpkg database with rm -rf)
- encryption-validation.sh: Fixed inverted motd conditional
  (was creating file only if it already existed - backwards)
- kernel-hardening.sh: Removed kernel.exec-shield (Red Hat only)
  Changed user.max_user_namespaces from 0 to 100
- sudo-hardening.sh: Removed Defaults requiretty
  (was breaking GUI-launched sudo via pkexec)
- encryption-setup.sh: Fixed conflicting stdin in luksAddKey
- install-scripts.sh: Fixed embedded firewall (same WireGuard bug)
  Replaced gutted security-hardening stub with real status checker
- GRUB config: Fixed serial_console → serial (invalid terminal name)
- Package list: Removed audispd-plugins (deprecated in Debian 13),
  removed duplicate wireguard/wireguard-tools entries

Reference: Full audit findings from Session 7 JOURNAL.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

config/hooks/live/sudo-hardening.sh

@@ -14,9 +14,6 @@ cat >/etc/sudoers.d/99-knel-hardening <<'EOF'
 # KNEL-Football Sudo Configuration
 # Reference: PRD FR-007, CIS Benchmark 5.4, NIST SP 800-53 AC-6
 
-# Require tty for sudo (prevents script injection)
-Defaults requiretty
-
 # Lecture user on first sudo use
 Defaults lecture = always
 Defaults lecture_file = /etc/sudo.lecture