docs(access): gate ACCESS.md in checklist + new-role runbook (ADR-021)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs/runbooks/new-role.md

@@ -91,7 +91,19 @@ For a **service** role, copy `docs/testing/service-verify-template.md` to
 Level 4 `/verify-service` check (ADR-008 / ADR-017) and is part of the pre-production
 service-clearance gate (`docs/security/service-checklist.md`).
 
-### 11. Commit
+### 11. Write the per-service operational-access record (services)
+
+For a **service** role, copy `docs/access/service-access-template.md` to
+`roles/<rolename>/ACCESS.md` and populate the role's `access__*` data
+(`access__service`, `access__compose_project`/`_path`, `access__containers`,
+`access__log.loki_labels`, and `access__api` — `enabled` + endpoint + `firewall_ref` +
+`auth.vault_ref` + `health_path`, or `enabled: false` with a reason). `ACCESS.md` is
+rendered from that data; the admin-API path must `firewall_ref` an entry in the
+`group_vars` firewall catalog, never open a port itself (ADR-020/021). Once hosts exist,
+`/check-access <rolename>` proves the documented paths are live — part of the
+service-clearance gate (`docs/security/service-checklist.md`).
+
+### 12. Commit
 
 ```bash
 git checkout -b role/<rolename>

docs/security/service-checklist.md

@@ -51,6 +51,10 @@ This checklist is the generic **bar**. Each service answers it in its own
 - [ ] Passed Level 4 service-UI verification (`/verify-service`) against staging — the
       service has a populated `roles/<service>/VERIFY.md` and its critical journeys
       verified (ADR-008 Level 4 / ADR-017)
+- [ ] Operational access recorded and verifiable (ADR-021): the role carries `access__*`
+      data, `roles/<service>/ACCESS.md` is rendered, and `/check-access` reports the
+      documented paths green — or a deviation is recorded in
+      `docs/security/accepted-risks.md`
 
 > Deviations are allowed but must be **conscious**: record them in
 > `docs/security/accepted-risks.md`, don't leave them implicit.