fix: remove host FDE requirement, fix remaining audit partials

Host FDE is no longer required — only guest (ISO) FDE matters per owner
direction. The build host's security posture is the owner's responsibility.
The Docker container already isolates the build process.

Changes:
- run.sh: Removed check_host_fde() function and its call in iso build path
- run.sh: Fixed SB key chmod in inline SECUREBOOT_HOOK (C-04 complete)
- run.sh: Fixed cache manifest format — no longer capped at 20 files (H-09)
- docs/PRD.md: Removed FR-011 Host FDE, renumbered FR-011 = Secure Boot/UKI
- docs/COMPLIANCE.md: Replaced fraudulent ✅ summary with honest aspirational
- config/hooks/installed/encryption-validation.sh: lsblk discovery (H-06)
- src/security-hardening.sh: Synced WiFi blacklist with live hook (M-12)
- tests/: Updated 3 test files for guest encryption instead of host FDE
- AGENTS.md, README.md, audit docs: Removed host FDE references
- STATUS.md: Updated for current state
- JOURNAL.md: Added ADR-017 (host FDE not required)

782 tests pass, 0 fail, 0 shellcheck warnings.

Reference: DeepReport-2026-05-08.md C-02, C-04, H-06, H-09, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

docs/COMPLIANCE.md

@@ -148,10 +148,10 @@ Post-installation validation can be performed using:
 
 | Framework | Status | Notes |
 |-----------|--------|-------|
-| CMMC Level 3 | ✅ Compliant | All required controls implemented |
-| FedRAMP LI-SaaS | ✅ Compliant | Baseline security controls in place |
-| DISA STIG | ✅ Compliant | Debian 13 STIG adaptation |
-| CIS Benchmarks | ✅ Compliant | Industry best practices implemented |
+| CMMC Level 3 | 🎯 Aspirational Target | Requires organizational controls not yet in place |
+| FedRAMP LI-SaaS | 🎯 Aspirational Target | Requires organizational controls not yet in place |
+| DISA STIG | 🔄 Adapted | Debian 13 STIG adaptation, not formally validated |
+| CIS Benchmarks | 🔄 Partial | Industry best practices applied where applicable |
 
 ---