docs: update spec with Debian 13.3.0 details

- Update base image to Debian 13.3.0 (Trixie) stable release
- Clarify all packages must be pre-included in ISO (no internet downloads)
- Update USB mount requirements to include pre-installed utilities
- Specify exact ISO: debian-13.3.0-amd64-netinst.iso

football-spec.md

@@ -38,8 +38,9 @@ This project aims to build a highly secure, compliant Debian 13 (Trixie) install
 #### Network Restrictions
 - **WiFi**: Permanently disabled via kernel module blacklist
 - **Bluetooth**: Permanently disabled via kernel module blacklist
-- **General Internet**: Disabled by default
+- **General Internet**: Disabled by default - all packages must be included in ISO
 - **Allowed Traffic**: WireGuard tunnel traffic only
+- **Package Sources**: All required packages pre-included in ISO, no external downloads during or after installation
 
 #### Firewall Configuration
 - **Default Policy**: Deny all inbound and outbound traffic
@@ -58,6 +59,7 @@ This project aims to build a highly secure, compliant Debian 13 (Trixie) install
 - Automatic detection and mounting of USB storage devices
 - Support for common filesystems (ext4, FAT32, NTFS)
 - Proper permissions for configuration file copying
+- All required filesystem utilities pre-installed in ISO
 
 #### Desktop Shortcuts
 1. **WireGuard Configuration Editor**
@@ -74,7 +76,8 @@ This project aims to build a highly secure, compliant Debian 13 (Trixie) install
 
 ### Build Process
 - **Tool**: `live-build` for ISO generation
-- **Base Image**: Debian 13 (Trixie) netinst
+- **Base Image**: Debian 13.3.0 (Trixie) netinst
+- **Specific ISO**: debian-13.3.0-amd64-netinst.iso from official Debian mirrors
 - **Customization**: Config hooks for security hardening
 
 ### Preseed Configuration
@@ -286,7 +289,7 @@ main "$@"
 # Multi-stage build for security hardening
 
 # Base stage
-FROM debian:trixie-slim AS base
+FROM debian:13.3-slim AS base
 
 # Set environment variables
 ENV DEBIAN_FRONTEND=noninteractive