fix: remove host FDE requirement, fix remaining audit partials

Host FDE is no longer required — only guest (ISO) FDE matters per owner
direction. The build host's security posture is the owner's responsibility.
The Docker container already isolates the build process.

Changes:
- run.sh: Removed check_host_fde() function and its call in iso build path
- run.sh: Fixed SB key chmod in inline SECUREBOOT_HOOK (C-04 complete)
- run.sh: Fixed cache manifest format — no longer capped at 20 files (H-09)
- docs/PRD.md: Removed FR-011 Host FDE, renumbered FR-011 = Secure Boot/UKI
- docs/COMPLIANCE.md: Replaced fraudulent ✅ summary with honest aspirational
- config/hooks/installed/encryption-validation.sh: lsblk discovery (H-06)
- src/security-hardening.sh: Synced WiFi blacklist with live hook (M-12)
- tests/: Updated 3 test files for guest encryption instead of host FDE
- AGENTS.md, README.md, audit docs: Removed host FDE references
- STATUS.md: Updated for current state
- JOURNAL.md: Added ADR-017 (host FDE not required)

782 tests pass, 0 fail, 0 shellcheck warnings.

Reference: DeepReport-2026-05-08.md C-02, C-04, H-06, H-09, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

tests/unit/build-iso_comprehensive_test.bats

@@ -282,15 +282,15 @@
 }
 
 # =============================================================================
-# Host FDE Requirement (FR-011)
+# Guest FDE Requirement (LUKS2 + Argon2id)
 # =============================================================================
 
-@test "run.sh iso references host FDE" {
-    grep -A 10 -F 'iso|iso:demo)' /workspace/run.sh | grep -qi "fde\|encryption"
+@test "run.sh iso references guest encryption" {
+    grep "LUKS2\|encryption" /workspace/run.sh | grep -qi "mandatory\|full disk"
 }
 
-@test "run.sh has check_host_fde function defined" {
-    grep -q "check_host_fde()" /workspace/run.sh
+@test "preseed configures argon2id KDF" {
+    grep -q "argon2id" /workspace/config/includes.installer/preseed.cfg
 }
 
 # =============================================================================

tests/unit/run_comprehensive_test.bats

@@ -287,33 +287,25 @@
 }
 
 # =============================================================================
-# Host FDE Requirements (FR-011)
+# Guest FDE Requirements (FR-011 - removed, guest-only via FR-001)
 # =============================================================================
 
-@test "run.sh has check_host_fde function" {
-    grep -q "check_host_fde()" /workspace/run.sh
+@test "run.sh has LUKS2 encryption support for guest" {
+    grep -q "luksFormat\|luks2\|LUKS" /workspace/run.sh || grep -q "argon2id" /workspace/config/includes.installer/preseed.cfg
 }
 
-@test "run.sh checks for LUKS devices" {
-    grep -q "lsblk.*crypt" /workspace/run.sh || grep -q "CRYPT-LUKS" /workspace/run.sh
+@test "run.sh references encryption for guest LUKS2" {
+    grep -qi "luks\|encryption" /workspace/run.sh
 }
 
-@test "run.sh checks /etc/crypttab" {
-    grep -q "/etc/crypttab" /workspace/run.sh
+@test "preseed configures guest encryption" {
+    grep -qi "crypto\|encrypt\|luks" /workspace/config/includes.installer/preseed.cfg
 }
 
-@test "run.sh checks root filesystem encryption" {
-    grep -q "findmnt" /workspace/run.sh || grep -q "dm-crypt" /workspace/run.sh
+@test "run.sh iso command references guest encryption" {
+    grep -A 15 -F 'iso|iso:demo)' /workspace/run.sh | grep -qi "encryption"
 }
 
-@test "run.sh iso command references host FDE" {
-    grep -A 15 -F 'iso|iso:demo)' /workspace/run.sh | grep -qi "fde\|encryption"
-}
-
-@test "run.sh provides clear FDE error message" {
-    grep -q "SECURITY REQUIREMENT VIOLATION" /workspace/run.sh
-}
-
-@test "run.sh provides FDE setup guidance" {
-    grep -q "encrypted LVM" /workspace/run.sh || grep -q "Full Disk Encryption" /workspace/run.sh
+@test "preseed patches partman for argon2id" {
+    grep -q "argon2id" /workspace/config/includes.installer/preseed.cfg
 }

tests/unit/run_test.bats

@@ -127,14 +127,6 @@
 # Security Requirements
 # =============================================================================
 
-@test "run.sh has host FDE check" {
-    grep -q "check_host_fde" /workspace/run.sh
-}
-
-@test "run.sh references host FDE for iso command" {
-    grep -A 15 -F 'iso|iso:demo)' /workspace/run.sh | grep -qi "fde\|encryption"
-}
-
-@test "run.sh has check_host_fde function" {
-    grep -q "check_host_fde()" /workspace/run.sh
+@test "run.sh references guest FDE (LUKS2) for iso command" {
+    grep -A 15 -F 'iso|iso:demo)' /workspace/run.sh | grep -qi "luks\|encryption"
 }