feat(integration): outcome-based verify playbook (DNAT-survives-reboot)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/integration/verify.yml

@@ -0,0 +1,41 @@
+---
+# Integration verify (ADR-025). Outcome-based: proves Docker forwarding survives the
+# reboot. The load-bearing check probes the VM's published :443 FROM the controller
+# (ubongo) — if base's forward-drop killed DNAT, this times out (the FRICTION #1 bug).
+- name: Verify the rebooted host
+  hosts: all
+  become: true
+  gather_facts: false
+  tasks:
+    - name: Gather service facts
+      ansible.builtin.service_facts:
+
+    - name: Docker daemon is active
+      ansible.builtin.assert:
+        that: "ansible_facts.services['docker.service'].state == 'running'"
+        fail_msg: "docker.service is not running"
+
+    - name: Forward chain permits container traffic (drop-in loaded)
+      ansible.builtin.command: nft list chain inet filter forward
+      register: _fwd
+      changed_when: false
+
+    - name: Assert container forwarding is allowed (not pure drop)
+      ansible.builtin.assert:
+        that: "'accept' in _fwd.stdout"
+        fail_msg: >-
+          forward chain is pure drop — container forwarding will die on reboot
+          (FRICTION 2026-06-17 #1). docker_host container-forward drop-in missing.
+
+    - name: Published HTTPS port answers from the controller (DNAT + forward alive)
+      delegate_to: localhost
+      become: false
+      ansible.builtin.uri:
+        url: "https://{{ ansible_host }}/"
+        validate_certs: false
+        status_code: [200, 308, 404, 502, 503]
+        timeout: 10
+      register: _probe
+      retries: 5
+      delay: 6
+      until: _probe is succeeded