docs: fix PRD consistency and align all docs with SSH client-only (FR-006)

PRD fixes:
- Remove duplicate 'Installation Behavior' section
- Fix malformed terminology table (missing pipe separator)

Documentation alignment with FR-006:
- README.md: Change SSH/firewall to client-only, no inbound access
- TEST-COVERAGE.md: Remove 'Firewall allows SSH inbound'
- VERIFICATION-REPORT.md: Fix password config docs to match preseed.cfg
- COMPLIANCE.md: Change 'SSH Hardening' to 'SSH Client-Only'

Test enhancements:
- Expand unit tests for encryption, firewall, security hardening
- Add comprehensive coverage for FR-001 through FR-009 requirements

All changes ensure documentation and tests align with PRD.md FR-006
which requires SSH client-only with no server or inbound access.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

tests/unit/encryption-validation_test.bats

@@ -1,6 +1,20 @@
 #!/usr/bin/env bats
-# Minimal unit test
+# Unit tests for encryption-validation.sh hook
+# Reference: PRD.md FR-001 (Full Disk Encryption)
 
-@test "test file is working" {
-    true
+@test "encryption-validation.sh exists and is executable" {
+    [ -f "/workspace/config/hooks/installed/encryption-validation.sh" ]
+    [ -x "/workspace/config/hooks/installed/encryption-validation.sh" ]
+}
+
+@test "Validation checks for LUKS2 format" {
+    grep -q "LUKS\|luks" /workspace/config/hooks/installed/encryption-validation.sh
+}
+
+@test "Validation checks for encryption status" {
+    grep -q "crypt\|Crypt" /workspace/config/hooks/installed/encryption-validation.sh
+}
+
+@test "Validation script uses set -e for error handling" {
+    grep -q "set -e" /workspace/config/hooks/installed/encryption-validation.sh
 }