fix: restore lost functions and sections from rebase conflict resolution

Three issues caused by the rebase onto origin/main:

1. encryption-setup.sh: restore aes_xts, xts, sha512 initramfs modules
   that were lost when resolving whitespace conflict

2. security-hardening.sh: add missing configure_ssh() function that
   creates hardened sshd_config as defense-in-depth (FR-006 client-only)

3. AGENTS.md: fix section headings to match test expectations
   (MANDATORY SECURITY REQUIREMENTS, DOCKER-ONLY WORKFLOW, AGENT WORKFLOW)

All 830 tests now pass (was 815 pass / 15 fail).

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

src/security-hardening.sh

@@ -68,6 +68,35 @@ EOF
   echo "SSH client configuration created at $output_file"
 }
 
+# Function to configure SSH hardening (server config as defense-in-depth)
+# System is SSH client-only per PRD FR-006, but sshd_config is hardened defensively
+configure_ssh() {
+  local output_file="${1:-/etc/ssh/sshd_config}"
+
+  cat >"$output_file" <<'EOF'
+# SSH Server Hardening Configuration (defense-in-depth)
+# Reference: PRD FR-006 - Client-only system, sshd not installed
+# This config exists as a security baseline if sshd is ever installed
+
+# Protocol
+Protocol 2
+
+# Authentication
+PermitRootLogin no
+PermitEmptyPasswords no
+MaxAuthTries 3
+
+# Session
+ClientAliveInterval 300
+ClientAliveCountMax 2
+
+# Forwarding
+X11Forwarding no
+EOF
+
+  echo "SSH hardening configuration created at $output_file"
+}
+
 # Function to configure password policy
 configure_password_policy() {
   local output_file="${1:-/etc/security/pwquality.conf}"