feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)
Security hardening: bind kubeconfig server to localhost, mount hardening (noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module loading lock after boot, SHA256 checksum verification for downloads, kernel AppArmor + Audit support, complain-mode AppArmor profiles for containerd and kubelet, and security integration test.

ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4-partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting GRUB vs RPi boot environments, architecture-aware build scripts, QEMU aarch64 dev VM and boot test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -11,9 +11,14 @@ for arg in $(cat /proc/cmdline); do
kubesolo.flags=*) KUBESOLO_EXTRA_FLAGS="${arg#kubesolo.flags=}" ;;
kubesolo.edge_id=*) KUBESOLO_PORTAINER_EDGE_ID="${arg#kubesolo.edge_id=}" ;;
kubesolo.edge_key=*) KUBESOLO_PORTAINER_EDGE_KEY="${arg#kubesolo.edge_key=}" ;;
kubesolo.nomodlock) KUBESOLO_NOMODLOCK=1 ;;
kubesolo.noapparmor) KUBESOLO_NOAPPARMOR=1 ;;
esac
done
export KUBESOLO_NOMODLOCK
export KUBESOLO_NOAPPARMOR
if [ -z "$KUBESOLO_DATA_DEV" ] && [ "$KUBESOLO_NOPERSIST" != "1" ]; then
log_warn "No kubesolo.data= specified and kubesolo.nopersist not set"
log_warn "Attempting auto-detection of data partition (label: KSOLODATA)"
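Review bot: The two new cmdline opt-outs `kubesolo.nomodlock` and `kubesolo.noapparmor` silently disable hardening that the rest of this commit adds (the post-boot module loading lock and the AppArmor profiles), but nothing in this hunk records that they were used. The block right below already calls `log_warn` when `kubesolo.data=` is missing; the same pattern fits here, e.g. after the `done`:

`[ "$KUBESOLO_NOMODLOCK" = "1" ] && log_warn "kubesolo.nomodlock set: kernel module loading lock disabled"`

and likewise for `KUBESOLO_NOAPPARMOR`, so a boot with reduced hardening is visible in the console log and in any audit of the boot output. Also note the `case` patterns: the new entries match the bare token exactly (`kubesolo.nomodlock)`), unlike the `kubesolo.flags=*)` style above, so a value form such as `kubesolo.nomodlock=1` would be ignored; that is fine as long as the README documents the flag as a bare token. The variables are exported unconditionally (empty when unset), so consumers should test `= "1"` as the existing `KUBESOLO_NOPERSIST` check does, not `-n`.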