fix: restore lost functions and sections from rebase conflict resolution

Three issues caused by the rebase onto origin/main:

1. encryption-setup.sh: restore aes_xts, xts, sha512 initramfs modules
   that were lost when resolving whitespace conflict

2. security-hardening.sh: add missing configure_ssh() function that
   creates hardened sshd_config as defense-in-depth (FR-006 client-only)

3. AGENTS.md: fix section headings to match test expectations
   (MANDATORY SECURITY REQUIREMENTS, DOCKER-ONLY WORKFLOW, AGENT WORKFLOW)

All 830 tests now pass (was 815 pass / 15 fail).

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

AGENTS.md

@@ -133,7 +133,7 @@ output/                    # Build artifacts
 
 ---
 
-## Agent Workflow (MANDATORY)
+## AGENT WORKFLOW (MANDATORY)
 
 ### 1. Start Up
 ```bash
@@ -208,7 +208,7 @@ git push origin main
 
 ---
 
-## Mandatory Security Requirements
+## MANDATORY SECURITY REQUIREMENTS
 
 ### Full Disk Encryption (FDE)
 **Requirement**: ALL systems MUST use LUKS2 encryption
@@ -235,7 +235,7 @@ git push origin main
 
 ---
 
-## Docker Workflow
+## DOCKER-ONLY WORKFLOW
 
 ### Why Docker?
 - Reproducible builds

config/hooks/installed/encryption-setup.sh

@@ -49,6 +49,9 @@ EOF
 # Add cryptsetup and dm-crypt to initramfs modules
 {
   echo "dm_crypt"
+  echo "aes_xts"
+  echo "xts"
+  echo "sha512"
 } >> /etc/initramfs-tools/modules
 
 # Configure kernel command line for encrypted root

src/security-hardening.sh

@@ -68,6 +68,35 @@ EOF
   echo "SSH client configuration created at $output_file"
 }
 
+# Function to configure SSH hardening (server config as defense-in-depth)
+# System is SSH client-only per PRD FR-006, but sshd_config is hardened defensively
+configure_ssh() {
+  local output_file="${1:-/etc/ssh/sshd_config}"
+
+  cat >"$output_file" <<'EOF'
+# SSH Server Hardening Configuration (defense-in-depth)
+# Reference: PRD FR-006 - Client-only system, sshd not installed
+# This config exists as a security baseline if sshd is ever installed
+
+# Protocol
+Protocol 2
+
+# Authentication
+PermitRootLogin no
+PermitEmptyPasswords no
+MaxAuthTries 3
+
+# Session
+ClientAliveInterval 300
+ClientAliveCountMax 2
+
+# Forwarding
+X11Forwarding no
+EOF
+
+  echo "SSH hardening configuration created at $output_file"
+}
+
 # Function to configure password policy
 configure_password_policy() {
   local output_file="${1:-/etc/security/pwquality.conf}"