Drop legacy non-container builders

PLAN.md

@@ -272,13 +272,10 @@ ISO image bootable via BMC virtual media or USB. Runs boot services automaticall
 
 ### 2.1 — Builder environment
 
-`iso/builder/setup-builder.sh` prepares a Debian 12 host/VM with:
-- `live-build`, `debootstrap`, bootloader tooling, kernel headers
-- Go toolchain
-- everything needed to compile the `bee` binary and NVIDIA modules
-
-`iso/builder/build-in-container.sh` offers the same builder stack in a Debian 12 container image.
-The container run is privileged because `live-build` needs mount/chroot/loop capabilities.
+`iso/builder/build-in-container.sh` is the only supported builder entrypoint.
+It builds a Debian 12 builder image with `live-build`, toolchains, and pinned kernel headers,
+then runs the ISO assembly in a privileged container because `live-build` needs
+mount/chroot/loop capabilities.
 
 `iso/builder/build.sh` orchestrates the full ISO build:
 1. compile the Go `bee` binary
@@ -392,7 +389,7 @@ No "works on my Mac" drift.
 
 --- BUILDER + BEE ISO (unblock real-hardware testing) ---
 
-2.1  builder setup                 → Debian host/VM or privileged container with build deps
+2.1  builder setup                 → privileged container with build deps
 2.2  debug ISO profile             → minimal Debian ISO: `bee` binary + OpenSSH + all packages
 2.3  boot on real server           → SSH in, verify packages present, run audit manually