docs: record base firewall concern built (ADR-020 host layer)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
sjat 2026-06-06 19:10:27 +02:00
parent 6fb104e934
commit 90683c7912
2 changed files with 3 additions and 2 deletions


@ -31,7 +31,7 @@ _Last reviewed: 2026-06-06._
| Thing | State |
|---|---|
| `roles/base/` | Not in git — only an empty dir on disk (untracked). `site.yml` references it, so a clean clone errors on `make deploy PLAYBOOK=site` until it is built. |
| `roles/base/` | **Partially built.** The `firewall` concern is implemented (nftables: catalog-driven default-deny + east-west allowlist + auto-rollback apply; ADR-020) with pytest + Molecule render/syntax tests. Other concerns (SSH hardening, fail2ban, auditd, packages, users) are **not** built yet, so `make deploy PLAYBOOK=site` is still incomplete. |
| `roles/docker_host/` | Not in git. Same. |
| `inventories/*/hosts.yml` | Structured stubs with empty host maps (`hosts: {}`); regenerated by `make tf-inventory` once Terraform has hosts |
| `inventories/production/group_vars/{docker_hosts,proxmox_hosts}/` | Empty dirs |
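Review bot: the `roles/docker_host/` row still reads "Not in git. Same.", but its antecedent was the old `roles/base/` text ("only an empty dir on disk … a clean clone errors"), which this hunk replaces with "Partially built"; "Same" now has nothing to point at. Spell the row out ("Not in git — empty untracked dir; `site.yml` references it, so a clean clone errors until it is built") so it stands on its own. The new `roles/base/` row should also say whether the partially built role is now tracked in git, since the "Not in git" state that the old row carried is the fact a reader of this status table needs before running `make deploy PLAYBOOK=site`.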


@ -33,7 +33,8 @@ _(DHCP, firewall, mDNS reflection live on OPNsense — Ansible-managed, not cont
_Firewalling is two-layer (ADR-020): OPNsense at the perimeter + inter-VLAN, plus
per-host `nftables` (default-deny inbound + east-west allowlist) rendered by the `base`
role from a shared `group_vars` service catalog. Both layers are still to be built._
role from a shared `group_vars` service catalog. The host `nftables` layer is built (the
`base` firewall concern); the OPNsense layer is still to be built._
## 2. Identity & access — [P]
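Review bot: "the OPNsense layer is still to be built" sits directly under the context line stating that firewall already lives on OPNsense and is Ansible-managed, so the two read as contradictory. Say which part is outstanding, for example "the OPNsense perimeter/inter-VLAN rules from the shared service catalog are still to be built", so it is clear that OPNsense firewalling itself exists and it is the catalog-driven ADR-020 layer that is missing. Also consider naming the built host layer as the `firewall` concern of the `base` role in the same terms the status table uses (default-deny inbound + east-west allowlist + auto-rollback apply), so the two documents stay in lockstep.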