feat(cis): add selectable profile and per-rule hardening toggles

roles/cis/tasks/packages.yml

@@ -0,0 +1,29 @@
+---
+# CIS L1 names legacy cleartext clients (telnet) for removal. They are absent on
+# a fresh minimal install; query first and remove only when present so the run
+# stays idempotent (a chroot package-manager remove cannot use the package module).
+- name: Check for insecure cleartext clients
+  when: cis_strict | default(false)
+  ansible.builtin.command: >-
+    {{ chroot_command }}
+    {{ 'dpkg -s' if is_debian | bool else 'pacman -Q' if os == 'archlinux' else 'rpm -q' }}
+    {{ item }}
+  loop: "{{ cis_cfg.insecure_packages }}"
+  register: cis_insecure_present
+  changed_when: false
+  failed_when: false
+  loop_control:
+    label: "{{ item }}"
+
+- name: Remove insecure cleartext clients (CIS L1+)
+  when:
+    - cis_strict | default(false)
+    - item.rc == 0
+  ansible.builtin.command: >-
+    {{ chroot_command }}
+    {{ 'apt-get remove -y' if is_debian | bool else 'pacman -R --noconfirm' if os == 'archlinux' else 'dnf remove -y' }}
+    {{ item.item }}
+  loop: "{{ cis_insecure_present.results | default([]) }}"
+  changed_when: true
+  loop_control:
+    label: "{{ item.item }}"