boma/STATUS.md

# Project status — what's real vs planned

This repo is partly aspirational: the ADRs in `docs/decisions/` describe the
*intended* design, and some of it is **not built yet**. This file is the ground
truth. **Before relying on a role, provider, or pipeline existing, check here.**
If something is listed as "designed, not built", do not assume it works.

_Last reviewed: 2026-05-30._

## Real and working today

| Thing | State |
|---|---|
| `playbooks/bootstrap.yml` | Works — self-contained (installs Python, creates the `ansible` user + sudoers) |
| `scripts/tf_to_inventory.py` | Works — stdlib only; `terraform output -json` → `hosts.yml` |
| `.docker/molecule-debian13/Dockerfile` | Present — custom Molecule test image (ADR-008) |
| `docs/decisions/*`, `docs/runbooks/*` | Current and mutually reconciled |
| `Makefile`, lint config (`.ansible-lint`, `.yamllint`), `.gitignore` | Present and used |
| `git` | Initialized, trunk-based on `main`, pushed to `origin` (`forgejo.nyumbani.baobab.band:7577`). |
| Pre-commit hooks | Configured: lint, gitleaks, vault-encryption guard. Activate with `pre-commit install` after `make setup`. |
| Vault password client | `scripts/vault-pass-client.sh` fetches the master password from Vaultwarden via `rbw` (wired as `vault_password_file`). Requires `rbw` installed + `rbw unlock`. |
| `/review-repo` | Repo audit: `scripts/repo-scan.py` (Phase 0) + `.claude/commands/review-repo.md`, reports to `docs/reviews/`. On-demand only; cron + email deferred (`docs/TODO.md`). |
| Terraform HCL (`terraform/`) | Written (proxmox VM module + envs) — but never run; see below |
| `docs/hardware/reference.md` + `scripts/capacity-scan.py` | Present — reference doc (skeleton until real hardware) + stdlib scan; emits capacity JSON |
| `/capacity-review` | Works — on-demand capacity evaluation → `docs/hardware/reviews/`. Intent-based (no live usage yet) |
| ADR-002 security strategy + `docs/security/{accepted-risks,service-checklist}.md` | Present — threat model, principles, governance frame; checklist + risk register are docs, enforced manually in review |

## Scaffolded but empty — NOT implemented

| Thing | State |
|---|---|
| `roles/base/` | Not in git — only an empty dir on disk (untracked). `site.yml` references it, so a clean clone errors on `make deploy PLAYBOOK=site` until it is built. |
| `roles/docker_host/` | Not in git. Same. |
| `inventories/*/hosts.yml` | Structured stubs with empty host maps (`hosts: {}`); regenerated by `make tf-inventory` once Terraform has hosts |
| `inventories/production/group_vars/{docker_hosts,proxmox_hosts}/` | Empty dirs |

So `make deploy PLAYBOOK=site` currently **fails** on a clean clone — the `base` and
`docker_host` roles it calls do not exist yet.

## Designed but not built

| Thing | Designed in | Notes |
|---|---|---|
| `dns` role (renders the internal zone) | ADR-007 / ADR-009 | Does not exist. Internal DNS ownership is assigned to it by design. |
| Terraform actually provisioning | ADR-006 / ADR-009 | Never `terraform init`ed: no `.terraform.lock.hcl`, no state, no real `local.vms` entries |
| CI (Forgejo Actions) | ADR-003 / ADR-008 | Pipeline described; not implemented |
| Level 2 / 3 testing (staging, `askari` smoke) | ADR-008 | Depends on real VMs / `askari`, which don't exist yet |
| Per-service roles | ADR-004 | Model defined; no service roles built |
| Forgejo Actions CI | ADR-003 / ADR-008 | Remote is live (pushed); Actions/`act_runner` pipeline not yet built |
| Live usage stats for `/capacity-review` | ADR-012 / TODO 8.4 | `gather_usage()` stubbed; source undecided (Proxmox RRD vs PLG stack); needs the cluster |
| `/security-review` skill | ADR-002 / TODO 8.5 | Periodic posture re-check + accepted-risk re-challenge; planned, not built |
| CIS hardening (Debian L1+L2 + Docker) | ADR-002 / TODO 15 | Implemented by the (unbuilt) `base`/`docker_host` roles; brings AppArmor + AIDE as baseline. L2 partitions affect VM provisioning (ADR-006) |
| Network IDS + security alerting | ADR-002 / TODO 15 | Suricata on OPNsense + AIDE/`auditd`/`fail2ban` alerting into the monitoring stack; not built |

## Keeping this honest

Update this file whenever you build, stub, or remove something. It is the first
place an AI tool or new contributor should look to learn what they can actually
rely on. When a row moves from "designed" to "working", move it up — don't leave
stale optimism here.
Add project orientation and contributor docs Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`# Project status — what's real vs planned`

			This repo is partly aspirational: the ADRs in `docs/decisions/` describe the
			`intended design, and some of it is not built yet. This file is the ground`
			`truth. Before relying on a role, provider, or pipeline existing, check here.`
			`If something is listed as "designed, not built", do not assume it works.`

			`_Last reviewed: 2026-05-30._`

			`## Real and working today`

			`\| Thing \| State \|`
			`\|---\|---\|`
			\| `playbooks/bootstrap.yml` \| Works — self-contained (installs Python, creates the `ansible` user + sudoers) \|
			\| `scripts/tf_to_inventory.py` \| Works — stdlib only; `terraform output -json` → `hosts.yml` \|
			\| `.docker/molecule-debian13/Dockerfile` \| Present — custom Molecule test image (ADR-008) \|
			\| `docs/decisions/`, `docs/runbooks/` \| Current and mutually reconciled \|
			\| `Makefile`, lint config (`.ansible-lint`, `.yamllint`), `.gitignore` \| Present and used \|
Source vault password from Vaultwarden via rbw; nest vault structure Master vault password is fetched from Vaultwarden via the rbw agent (scripts/vault-pass-client.sh, wired as vault_password_file) instead of a plaintext .vault_pass. Vault secrets use a nested vault.<service>.<key> map. Encrypted vault.yml files are excluded from lint. Includes the host rename in Makefile and STATUS.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 18:16:35 +02:00			\| `git` \| Initialized, trunk-based on `main`, pushed to `origin` (`forgejo.nyumbani.baobab.band:7577`). \|
Add project orientation and contributor docs Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			\| Pre-commit hooks \| Configured: lint, gitleaks, vault-encryption guard. Activate with `pre-commit install` after `make setup`. \|
Source vault password from Vaultwarden via rbw; nest vault structure Master vault password is fetched from Vaultwarden via the rbw agent (scripts/vault-pass-client.sh, wired as vault_password_file) instead of a plaintext .vault_pass. Vault secrets use a nested vault.<service>.<key> map. Encrypted vault.yml files are excluded from lint. Includes the host rename in Makefile and STATUS.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 18:16:35 +02:00			\| Vault password client \| `scripts/vault-pass-client.sh` fetches the master password from Vaultwarden via `rbw` (wired as `vault_password_file`). Requires `rbw` installed + `rbw unlock`. \|
Rename backlog to docs/TODO.md and fix references Match the uppercase convention of the other top-level docs; includes the new Scheduled-work and sanity-check items, and repoints references in STATUS.md and the /review-repo command. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 19:01:22 +02:00			\| `/review-repo` \| Repo audit: `scripts/repo-scan.py` (Phase 0) + `.claude/commands/review-repo.md`, reports to `docs/reviews/`. On-demand only; cron + email deferred (`docs/TODO.md`). \|
Add project orientation and contributor docs Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			\| Terraform HCL (`terraform/`) \| Written (proxmox VM module + envs) — but never run; see below \|
Record ADR-012 + STATUS/CLAUDE/scripts docs for capacity tooling Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-01 10:34:38 +02:00			\| `docs/hardware/reference.md` + `scripts/capacity-scan.py` \| Present — reference doc (skeleton until real hardware) + stdlib scan; emits capacity JSON \|
			\| `/capacity-review` \| Works — on-demand capacity evaluation → `docs/hardware/reviews/`. Intent-based (no live usage yet) \|
Expand ADR-002 into a security baseline + strategy Add a managerial security frame on top of the host baseline: explicit threat model (opportunistic external, lateral movement/blast radius, operator/agent error; supply chain accepted-lower-priority), security principles, and four governance mechanisms that ADR-002 establishes and links out to: - docs/security/service-checklist.md — per-service security bar (referenced from the new-role runbook) - docs/security/accepted-risks.md — living accepted-risk register (R1-R4) - planned /security-review skill (TODO 8.5) - agent guardrails in CLAUDE.md "what Claude must not do" STATUS.md records the frame as present (manual enforcement) and /security-review as planned-not-built. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-04 14:39:51 +02:00			\| ADR-002 security strategy + `docs/security/{accepted-risks,service-checklist}.md` \| Present — threat model, principles, governance frame; checklist + risk register are docs, enforced manually in review \|
Add project orientation and contributor docs Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00
			`## Scaffolded but empty — NOT implemented`

			`\| Thing \| State \|`
			`\|---\|---\|`
Reconcile CI to trunk-based; mark base/docker_host not-built (R6-R8,R15-R16) R6/R7: ADR-003 & ADR-008 CI pipelines rewritten trunk-based (push to main -> test -> staging -> [manual gate] production); CLAUDE.md no longer forbids pushing to main. R8: STATUS/roles-README/site.yml now say base & docker_host are not built (not in git), so a clean clone errors. R15/R16: ADR-001 table flagged as intended design; dropped the unbuilt 'monitoring agent' from the baseline. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 19:32:37 +02:00			\| `roles/base/` \| Not in git — only an empty dir on disk (untracked). `site.yml` references it, so a clean clone errors on `make deploy PLAYBOOK=site` until it is built. \|
			\| `roles/docker_host/` \| Not in git. Same. \|
review-repo: harden scanner, apply safe fixes, record first review First /review-repo run on boma. Hardened repo-scan.py (no TODO.md/prose false positives). Applied 7 safe fixes (DNS staleness x2, STATUS factual correction, hosts.yml path generalisation, trunk-based wording x2, scripts/README). Recorded the run and 17 open findings in docs/reviews/2026-05-30-*. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 19:10:58 +02:00			\| `inventories/*/hosts.yml` \| Structured stubs with empty host maps (`hosts: {}`); regenerated by `make tf-inventory` once Terraform has hosts \|
Add project orientation and contributor docs Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			\| `inventories/production/group_vars/{docker_hosts,proxmox_hosts}/` \| Empty dirs \|

Reconcile CI to trunk-based; mark base/docker_host not-built (R6-R8,R15-R16) R6/R7: ADR-003 & ADR-008 CI pipelines rewritten trunk-based (push to main -> test -> staging -> [manual gate] production); CLAUDE.md no longer forbids pushing to main. R8: STATUS/roles-README/site.yml now say base & docker_host are not built (not in git), so a clean clone errors. R15/R16: ADR-001 table flagged as intended design; dropped the unbuilt 'monitoring agent' from the baseline. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 19:32:37 +02:00			So `make deploy PLAYBOOK=site` currently fails on a clean clone — the `base` and
			`docker_host` roles it calls do not exist yet.
Add project orientation and contributor docs Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00
			`## Designed but not built`

			`\| Thing \| Designed in \| Notes \|`
			`\|---\|---\|---\|`
			\| `dns` role (renders the internal zone) \| ADR-007 / ADR-009 \| Does not exist. Internal DNS ownership is assigned to it by design. \|
			\| Terraform actually provisioning \| ADR-006 / ADR-009 \| Never `terraform init`ed: no `.terraform.lock.hcl`, no state, no real `local.vms` entries \|
			`\| CI (Forgejo Actions) \| ADR-003 / ADR-008 \| Pipeline described; not implemented \|`
			\| Level 2 / 3 testing (staging, `askari` smoke) \| ADR-008 \| Depends on real VMs / `askari`, which don't exist yet \|
			`\| Per-service roles \| ADR-004 \| Model defined; no service roles built \|`
Source vault password from Vaultwarden via rbw; nest vault structure Master vault password is fetched from Vaultwarden via the rbw agent (scripts/vault-pass-client.sh, wired as vault_password_file) instead of a plaintext .vault_pass. Vault secrets use a nested vault.<service>.<key> map. Encrypted vault.yml files are excluded from lint. Includes the host rename in Makefile and STATUS.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 18:16:35 +02:00			\| Forgejo Actions CI \| ADR-003 / ADR-008 \| Remote is live (pushed); Actions/`act_runner` pipeline not yet built \|
Record ADR-012 + STATUS/CLAUDE/scripts docs for capacity tooling Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-01 10:34:38 +02:00			\| Live usage stats for `/capacity-review` \| ADR-012 / TODO 8.4 \| `gather_usage()` stubbed; source undecided (Proxmox RRD vs PLG stack); needs the cluster \|
Expand ADR-002 into a security baseline + strategy Add a managerial security frame on top of the host baseline: explicit threat model (opportunistic external, lateral movement/blast radius, operator/agent error; supply chain accepted-lower-priority), security principles, and four governance mechanisms that ADR-002 establishes and links out to: - docs/security/service-checklist.md — per-service security bar (referenced from the new-role runbook) - docs/security/accepted-risks.md — living accepted-risk register (R1-R4) - planned /security-review skill (TODO 8.5) - agent guardrails in CLAUDE.md "what Claude must not do" STATUS.md records the frame as present (manual enforcement) and /security-review as planned-not-built. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-04 14:39:51 +02:00			\| `/security-review` skill \| ADR-002 / TODO 8.5 \| Periodic posture re-check + accepted-risk re-challenge; planned, not built \|
Re-challenge accepted risks; adopt CIS hardening + IDS Walked the seeded accepted-risk register (R1-R4) and turned inherited gaps into deliberate decisions: - Supply chain (R1): tightened to required baseline hygiene (digest pinning, official/verified images); active scanning deferred — stays an accepted risk - CIS (R2): adopted as a positive decision — CIS Debian L1+L2 (base role) + CIS Docker (docker_host + service checklist); app layer via the checklist - SELinux/AppArmor (R3): AppArmor becomes a baseline control (CIS-enforced); register keeps a clean "no SELinux" accept - IDS (R4): adopt AIDE (baseline via CIS) + Suricata on OPNsense + active alerting Register shrinks from 4 inherited gaps to 2 deliberate accepts. ADR-002 gains a Hardening standard section; STATUS + TODO 15 track the (unbuilt) implementation, including the CIS L2 partition impact on VM provisioning (ADR-006). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-04 15:15:39 +02:00			\| CIS hardening (Debian L1+L2 + Docker) \| ADR-002 / TODO 15 \| Implemented by the (unbuilt) `base`/`docker_host` roles; brings AppArmor + AIDE as baseline. L2 partitions affect VM provisioning (ADR-006) \|
			\| Network IDS + security alerting \| ADR-002 / TODO 15 \| Suricata on OPNsense + AIDE/`auditd`/`fail2ban` alerting into the monitoring stack; not built \|
Add project orientation and contributor docs Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00
			`## Keeping this honest`

			`Update this file whenever you build, stub, or remove something. It is the first`
			`place an AI tool or new contributor should look to learn what they can actually`
			`rely on. When a row moves from "designed" to "working", move it up — don't leave`
			`stale optimism here.`