docs: add architecture diagram and fix FR-001 links

README.md

@@ -41,7 +41,7 @@
 ### PRD → Code → Tests Alignment
 | PRD Requirement | Code | Tests |
 |-----------------|------|-------|
-| [FR-001: Full Disk Encryption](src/encryption-setup.sh) | [encryption-setup.sh](src/encryption-setup.sh), [encryption-validation.sh](src/encryption-validation.sh) | ✅ 10 test files |
+| [FR-001: Full Disk Encryption](config/hooks/installed/encryption-setup.sh) | [encryption-setup.sh](config/hooks/installed/encryption-setup.sh), [encryption-validation.sh](config/hooks/installed/encryption-validation.sh) | ✅ 10 test files |
 | [FR-002: Debian Base](config/includes.installer/preseed.cfg) | [preseed.cfg](config/includes.installer/preseed.cfg), [package-lists](config/package-lists/) | ✅ config tests |
 | [FR-003: Desktop Environment](config/hooks/live/desktop-environment.sh) | [desktop-environment.sh](config/hooks/live/desktop-environment.sh) | ✅ 5 test files |
 | [FR-004: Network/Firewall](src/firewall-setup.sh) | [firewall-setup.sh](src/firewall-setup.sh) | ✅ 7 test files |
@@ -126,9 +126,39 @@ Build KNEL-Football secure ISO with Docker-only workflow following AGENTS.md req
 - QR code import for WireGuard
 
 ### Architecture
-**IMPORTANT**: KNEL-Football OS serves as a **secure remote terminal** for accessing tier0 infrastructure. It does NOT directly access tier0 infrastructure.
 
-**Access Model**:
+**See [docs/architecture.md](docs/architecture.md) for complete system architecture.**
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                    Development Environment                      │
+│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐     │
+│  │     Git     │  │   Docker    │  │     Libvirt         │     │
+│  │   (VCS)     │  │ (Builder)   │  │ (Virtualization)    │     │
+│  └─────────────┘  └─────────────┘  └─────────────────────┘     │
+└─────────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                   Build Container                               │
+│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐              │
+│  │ live-build  │  │ debootstrap │  │  shellcheck │              │
+│  │   (ISO)     │  │ (Bootstrap) │  │  (Linting)  │              │
+│  └─────────────┘  └─────────────┘  └─────────────┘              │
+└─────────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                   Output: KNEL-Football ISO                     │
+│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐              │
+│  │   IceWM     │  │  WireGuard  │  │   LUKS2     │              │
+│  │  (Desktop)  │  │    (VPN)    │  │ (Encryption)│              │
+│  └─────────────┘  └─────────────┘  └─────────────┘              │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+**Access Model**: KNEL-Football OS serves as a **secure remote terminal** for accessing tier0 infrastructure:
+
 1. User boots KNEL-Football OS on secure laptop (FDE required)
 2. OS connects via WireGuard VPN to secure network
 3. User uses SSH/Remmina to access privileged workstation