docs: fix PRD consistency and align all docs with SSH client-only (FR-006)

PRD fixes: - Remove duplicate 'Installation Behavior' section - Fix malformed terminology table (missing pipe separator) Documentation alignment with FR-006: - README.md: Change SSH/firewall to client-only, no inbound access - TEST-COVERAGE.md: Remove 'Firewall allows SSH inbound' - VERIFICATION-REPORT.md: Fix password config docs to match preseed.cfg - COMPLIANCE.md: Change 'SSH Hardening' to 'SSH Client-Only' Test enhancements: - Expand unit tests for encryption, firewall, security hardening - Add comprehensive coverage for FR-001 through FR-009 requirements All changes ensure documentation and tests align with PRD.md FR-006 which requires SSH client-only with no server or inbound access. 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-02-19 16:04:38 -05:00
parent f13bb8577a
commit d4c64b85fa
17 changed files with 335 additions and 85 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -492,9 +492,9 @@ Container Side    Host Side          Purpose
 ### Security Layers
 1. **Full Disk Encryption** - LUKS2 (mandatory)
 2. **Password Complexity** - PAM pwquality (mandatory)
-3. **Firewall** - nftables (inbound SSH, outbound VPN only)
+3. **Firewall** - nftables (all inbound denied, outbound VPN only)
 4. **WiFi/Bluetooth** - Blacklisted (permanently disabled)
-5. **SSH** - WireGuard key authentication
+5. **SSH** - Client-only (no server, outbound connections only)
 6. **Package Management** - Disabled for security

 ---