fix: remove host FDE requirement, fix remaining audit partials

Host FDE is no longer required — only guest (ISO) FDE matters per owner
direction. The build host's security posture is the owner's responsibility.
The Docker container already isolates the build process.

Changes:
- run.sh: Removed check_host_fde() function and its call in iso build path
- run.sh: Fixed SB key chmod in inline SECUREBOOT_HOOK (C-04 complete)
- run.sh: Fixed cache manifest format — no longer capped at 20 files (H-09)
- docs/PRD.md: Removed FR-011 Host FDE, renumbered FR-011 = Secure Boot/UKI
- docs/COMPLIANCE.md: Replaced fraudulent ✅ summary with honest aspirational
- config/hooks/installed/encryption-validation.sh: lsblk discovery (H-06)
- src/security-hardening.sh: Synced WiFi blacklist with live hook (M-12)
- tests/: Updated 3 test files for guest encryption instead of host FDE
- AGENTS.md, README.md, audit docs: Removed host FDE references
- STATUS.md: Updated for current state
- JOURNAL.md: Added ADR-017 (host FDE not required)

782 tests pass, 0 fail, 0 shellcheck warnings.

Reference: DeepReport-2026-05-08.md C-02, C-04, H-06, H-09, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

docs/COMPLIANCE.md

@@ -148,10 +148,10 @@ Post-installation validation can be performed using:
 
 | Framework | Status | Notes |
 |-----------|--------|-------|
-| CMMC Level 3 | ✅ Compliant | All required controls implemented |
-| FedRAMP LI-SaaS | ✅ Compliant | Baseline security controls in place |
-| DISA STIG | ✅ Compliant | Debian 13 STIG adaptation |
-| CIS Benchmarks | ✅ Compliant | Industry best practices implemented |
+| CMMC Level 3 | 🎯 Aspirational Target | Requires organizational controls not yet in place |
+| FedRAMP LI-SaaS | 🎯 Aspirational Target | Requires organizational controls not yet in place |
+| DISA STIG | 🔄 Adapted | Debian 13 STIG adaptation, not formally validated |
+| CIS Benchmarks | 🔄 Partial | Industry best practices applied where applicable |
 
 ---
 

docs/PRD.md

@@ -291,39 +291,7 @@ The system MUST implement full disk encryption using LUKS (Linux Unified Key Set
 - MD5 checksum file
 - Build report (optional)
 
-### FR-011: Host System Full Disk Encryption (MANDATORY)
-
-**Priority:** P0 (Critical)
-**Status:** Required
-
-**Description:**
-The host system used to build or test KNEL-Football ISO images MUST have full disk encryption enabled. Building a secure operating system on an unencrypted host defeats the entire security model and creates a supply chain risk.
-
-**Requirements:**
-1. **LUKS Encryption Required** - Host must use LUKS for disk encryption
-2. **Build Enforcement** - `./run.sh iso` command MUST fail if host FDE not detected
-3. **VM Test Enforcement** - `./run.sh test:iso` commands MUST fail if host FDE not detected
-4. **No Bypass** - This check cannot be disabled or bypassed
-5. **Clear Error Message** - Users receive clear guidance on how to enable FDE
-
-**Detection Methods:**
-- Check for LUKS devices via `lsblk -o TYPE,FSTYPE`
-- Check `/etc/crypttab` for configured encrypted partitions
-- Check if root filesystem is on a dm-crypt device
-- Check for dm-crypt devices in `/sys/block/dm-*`
-
-**Rationale:**
-- An unencrypted build host could be compromised, affecting all built ISOs
-- An unencrypted test host exposes the secure OS to attacks during testing
-- Supply chain security requires securing the entire build pipeline
-- Defense in depth requires protection at every layer
-
-**User Guidance (if FDE not detected):**
-1. Backup all data
-2. Reinstall with "Guided - use entire disk and set up encrypted LVM"
-3. Or use tools like encrypt-existing-debian for in-place encryption
-
-### FR-012: Secure Boot with Unified Kernel Image (UKI) (MANDATORY)
+### FR-011: Secure Boot with Unified Kernel Image (UKI) (MANDATORY)
 
 **Priority:** P0 (Critical)
 **Status:** Required

docs/audit/2026-02-20/SUMMARY.md

@@ -65,7 +65,7 @@ The strict OUTPUT DROP policy was confirmed as **intentional** for an immutable
 3. **Defense in Depth** - Multiple layers: FDE, firewall, audit, FIM, hardening
 4. **No SSH Server** - Correctly implements client-only SSH per requirements
 5. **Clean Code Quality** - All scripts pass shellcheck with zero warnings
-6. **Host FDE Enforcement** - Build system refuses to run without host encryption
+6. **Guest FDE (LUKS2)** - ISO images configured with LUKS2 + Argon2id encryption
 
 ---
 

docs/audit/2026-02-20/findings.md

@@ -28,7 +28,7 @@
 3. **Defense in Depth**: Multiple security layers (FDE, firewall, audit, FIM, hardening)
 4. **No SSH Server**: Correctly implements client-only SSH per PRD FR-006
 5. **Clean Shellcheck**: All scripts pass shellcheck with zero warnings
-6. **Host FDE Enforcement**: Build system refuses to run without host encryption
+6. **Guest FDE (LUKS2)**: ISO images configured with LUKS2 + Argon2id encryption
 
 ### Areas Requiring Attention
 
@@ -406,8 +406,8 @@ The auditd configuration is thorough and covers security-critical files and oper
 ### OBSERVATION-004: SSH Client Only
 Correctly implements client-only SSH (no sshd installed) per PRD FR-006.
 
-### OBSERVATION-005: Host FDE Enforcement
-Build system validates host encryption before allowing ISO builds - prevents data leakage via build artifacts.
+### OBSERVATION-005: Guest FDE (LUKS2 + Argon2id)
+ISO images configured with LUKS2 encryption and Argon2id KDF for guest disk encryption.
 
 ---