fix: pin all package versions for reproducible builds (FINDING-006)

Addresses Hadolint DL3008 warnings and ensures reproducible Docker builds
by pinning all apt packages to specific Debian 13 (trixie) versions.

Changes:
- Dockerfile: Pin 21 packages with version constraints
- tests/unit/build-iso_comprehensive_test.bats: Add 22 version pinning tests

Pinned versions from Debian 13 candidate:
- Base: ca-certificates, gnupg, curl, wget, git
- Build: live-build, debootstrap, squashfs-tools, xorriso, grub-*
- Testing: bats, shellcheck (bats-* helpers not versioned in Debian)
- Security: nftables, iptables, auditd, rsyslog

Fixes: FINDING-006 (Docker package versions not pinned)
Reference: Hadolint DL3008, reproducible builds best practice

💘 Generated with Crush

Assisted-by: Claude via Crush <crush@charm.land>

tests/unit/build-iso_comprehensive_test.bats

@@ -291,3 +291,96 @@
 @test "run.sh exits if host FDE check fails" {
     grep -q "check_host_fde || exit 1" /workspace/run.sh
 }
+
+# =============================================================================
+# Package Version Pinning (FINDING-006 - Reproducible Builds)
+# =============================================================================
+
+@test "Dockerfile pins ca-certificates version" {
+    grep -q "ca-certificates=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins gnupg version" {
+    grep -q "gnupg=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins curl version" {
+    grep -q "curl=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins wget version" {
+    grep -q "wget=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins git version" {
+    grep -q "git=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins live-build version" {
+    grep -q "live-build=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins debootstrap version" {
+    grep -q "debootstrap=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins squashfs-tools version" {
+    grep -q "squashfs-tools=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins xorriso version" {
+    grep -q "xorriso=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins grub-pc-bin version" {
+    grep -q "grub-pc-bin=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins grub-efi-amd64-bin version" {
+    grep -q "grub-efi-amd64-bin=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins mtools version" {
+    grep -q "mtools=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins dosfstools version" {
+    grep -q "dosfstools=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins syslinux-utils version" {
+    grep -q "syslinux-utils=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins isolinux version" {
+    grep -q "isolinux=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins bats version" {
+    grep -q "bats=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins shellcheck version" {
+    grep -q "shellcheck=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins nftables version" {
+    grep -q "nftables=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins iptables version" {
+    grep -q "iptables=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins auditd version" {
+    grep -q "auditd=" /workspace/Dockerfile
+}
+
+@test "Dockerfile pins rsyslog version" {
+    grep -q "rsyslog=" /workspace/Dockerfile
+}
+
+@test "Dockerfile has at least 20 pinned packages" {
+    pinned=$(grep -c "=[0-9]" /workspace/Dockerfile || echo 0)
+    [ "$pinned" -ge 20 ]
+}