feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)

Security hardening: bind kubeconfig server to localhost, mount hardening
(noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module
loading lock after boot, SHA256 checksum verification for downloads,
kernel AppArmor + Audit support, complain-mode AppArmor profiles for
containerd and kubelet, and security integration test.

ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build
from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4-
partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting
GRUB vs RPi boot environments, architecture-aware build scripts, QEMU
aarch64 dev VM and boot test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

update/pkg/bootenv/bootenv.go

@@ -0,0 +1,27 @@
+// Package bootenv provides a platform-independent interface for managing
+// A/B boot environments. It abstracts GRUB (x86_64) and RPi firmware
+// (ARM64) behind a common interface.
+package bootenv
+
+// BootEnv provides read/write access to A/B boot environment variables.
+type BootEnv interface {
+	// ActiveSlot returns the currently active boot slot ("A" or "B").
+	ActiveSlot() (string, error)
+	// PassiveSlot returns the currently passive boot slot.
+	PassiveSlot() (string, error)
+	// BootCounter returns the current boot counter value.
+	BootCounter() (int, error)
+	// BootSuccess returns whether the last boot was marked successful.
+	BootSuccess() (bool, error)
+	// MarkBootSuccess marks the current boot as successful.
+	MarkBootSuccess() error
+	// ActivateSlot switches the active boot slot and resets the counter.
+	ActivateSlot(slot string) error
+	// ForceRollback switches to the other slot immediately.
+	ForceRollback() error
+}
+
+const (
+	SlotA = "A"
+	SlotB = "B"
+)