docs: fix PRD consistency and align all docs with SSH client-only (FR-006)

PRD fixes:
- Remove duplicate 'Installation Behavior' section
- Fix malformed terminology table (missing pipe separator)

Documentation alignment with FR-006:
- README.md: Change SSH/firewall to client-only, no inbound access
- TEST-COVERAGE.md: Remove 'Firewall allows SSH inbound'
- VERIFICATION-REPORT.md: Fix password config docs to match preseed.cfg
- COMPLIANCE.md: Change 'SSH Hardening' to 'SSH Client-Only'

Test enhancements:
- Expand unit tests for encryption, firewall, security hardening
- Add comprehensive coverage for FR-001 through FR-009 requirements

All changes ensure documentation and tests align with PRD.md FR-006
which requires SSH client-only with no server or inbound access.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

docs/football-spec.md

@@ -623,7 +623,7 @@ cat > /etc/audit/rules.d/audit.rules << EOF
 -w /etc/passwd -p wa -k identity
 -w /etc/shadow -p wa -k identity
 -w /etc/sudoers -p wa -k identity
--w /etc/ssh/sshd_config -p wa -k sshd_config
+-w /etc/ssh/ssh_config -p wa -k ssh_config
 -w /var/log/audit/ -p wa -k log_audit
 -w /var/log/secure -p wa -k log_secure
 -w /etc/wireguard/ -p wa -k wireguard_config
@@ -822,20 +822,8 @@ configure_system_security() {
     systemctl disable avahi-daemon
     systemctl disable bluetooth
     
-    # Secure SSH configuration
-    cat > /etc/ssh/sshd_config << EOF
-# SSH Security Configuration
-Protocol 2
-PermitRootLogin no
-PasswordAuthentication yes
-PubkeyAuthentication yes
-PermitEmptyPasswords no
-ChallengeResponseAuthentication no
-X11Forwarding no
-MaxAuthTries 3
-ClientAliveInterval 300
-ClientAliveCountMax 2
-EOF
+    # Secure SSH client configuration (no server - outbound only)
+    # See configure_ssh_client() in src/security-hardening.sh for full config
     
     # Configure system limits
     cat > /etc/security/limits.d/security.conf << EOF