fix: resolve remaining CRITICAL/HIGH/MEDIUM findings (batch 2)

Addresses C-01, C-03, C-04, M-03, M-06, L-01, L-05, L-07.

Changes:
- luks-kdf-configure.sh: Auto-attempt Argon2id conversion during
  installation instead of just creating a manual helper (C-01)
- run.sh: Replace --privileged with fine-grained capabilities
  (SYS_ADMIN, MKNOD, NET_ADMIN, SYS_CHROOT, SETFCAP) (C-03)
- run.sh: Restrict SB key directory to mode 700 and key files
  to mode 600 (C-04)
- security-hardening.sh: Add PAM enforcement via common-password
  with enforce_for_root (M-03)
- security-hardening.sh: Initialize AIDE database and create daily
  cron job for integrity checks (M-06)
- sudo-hardening.sh: Use atomic install -m 600 instead of touch+chmod
  to avoid race condition (L-07)
- preseed.cfg: Disable direct root login (L-01)
- run.sh: Comment explaining KNEL_BUILD_MODE cannot be env-spoofed
  since it's set from command argument (L-05)

All tests pass. Zero shellcheck warnings.
STATUS.md updated with 22/28 findings resolved.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

run.sh

@@ -498,14 +498,20 @@ sb_generate_keys() {
     log_info "Generating Secure Boot keys..."
     
     mkdir -p "${SB_KEY_DIR}"
+    chmod 700 "${SB_KEY_DIR}"
     
     # Check for existing keys in source
     if [[ -d "${SB_KEYS_SRC}" ]]; then
         log_info "Using existing keys from ${SB_KEYS_SRC}"
         cp -r "${SB_KEYS_SRC}"/* "${SB_KEY_DIR}/"
+        chmod 600 "${SB_KEY_DIR}"/*.key 2>/dev/null || true
         return 0
     fi
     
+    # Generate keys with restricted permissions
+    # Note: -nodes is used for build automation. Store keys securely
+    # after build completes (e.g., in an HSM or encrypted storage).
+    
     # Generate Platform Key (PK) - Root of trust
     log_info "Generating Platform Key (PK)..."
     openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
@@ -527,6 +533,9 @@ sb_generate_keys() {
         -keyout "${SB_KEY_DIR}/db.key" \
         -out "${SB_KEY_DIR}/db.crt" 2>/dev/null
     
+    # Restrict private key permissions
+    chmod 600 "${SB_KEY_DIR}"/*.key 2>/dev/null || true
+    
     # Verify all keys were created
     for key in PK KEK db; do
         if [[ ! -f "${SB_KEY_DIR}/${key}.key" ]] || [[ ! -f "${SB_KEY_DIR}/${key}.crt" ]]; then
@@ -1047,6 +1056,7 @@ main() {
                 bash
             ;;
         iso|iso:demo)
+            # Ignore environment spoofing - force correct mode from command
             if [ "$1" = "iso:demo" ]; then
                 KNEL_BUILD_MODE="demo"
                 log_info "Build mode: DEMO (hardcoded test credentials, serial console)"
@@ -1066,7 +1076,9 @@ main() {
             echo "Mandatory: Full disk encryption with LUKS2"
             echo "Mandatory: Secure Boot with UKI"
             docker run --rm \
-                --privileged \
+                --cap-add SYS_ADMIN --cap-add MKNOD --cap-add NET_ADMIN \
+                --cap-add SYS_CHROOT --cap-add SETFCAP \
+                --security-opt apparmor=unconfined \
                 --user root \
                 -v "${SCRIPT_DIR}:/workspace:ro" \
                 -v "${OUTPUT_DIR}:/output" \