Reconcile CI to trunk-based; mark base/docker_host not-built (R6-R8,R15-R16)

R6/R7: ADR-003 & ADR-008 CI pipelines rewritten trunk-based (push to main ->
test -> staging -> [manual gate] production); CLAUDE.md no longer forbids pushing
to main. R8: STATUS/roles-README/site.yml now say base & docker_host are not built
(not in git), so a clean clone errors. R15/R16: ADR-001 table flagged as intended
design; dropped the unbuilt 'monitoring agent' from the baseline.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -147,7 +147,7 @@ Single-contributor, trunk-based (no merge requests / approval gates):
 - Run `make tf-apply` — always run `make tf-plan` first and show output
 - Modify `inventories/<env>/hosts.yml` directly — regenerate via `make tf-inventory`
 - Edit vault-encrypted files directly — decrypt first, re-encrypt after
-- Push to `main` branch
+- Force-push or rewrite already-pushed history on `main`
 - Add a collection to `requirements.yml` without a specific module need in existing role tasks
 
 ---

STATUS.md

@@ -26,13 +26,13 @@ _Last reviewed: 2026-05-30._
 
 | Thing | State |
 |---|---|
-| `roles/base/` | Empty directory. `site.yml` references it, but it applies nothing. |
-| `roles/docker_host/` | Empty directory. Same. |
+| `roles/base/` | Not in git — only an empty dir on disk (untracked). `site.yml` references it, so a clean clone errors on `make deploy PLAYBOOK=site` until it is built. |
+| `roles/docker_host/` | Not in git. Same. |
 | `inventories/*/hosts.yml` | Structured stubs with empty host maps (`hosts: {}`); regenerated by `make tf-inventory` once Terraform has hosts |
 | `inventories/production/group_vars/{docker_hosts,proxmox_hosts}/` | Empty dirs |
 
-So `make deploy PLAYBOOK=site` currently does effectively nothing — the roles it
-calls are empty.
+So `make deploy PLAYBOOK=site` currently **fails** on a clean clone — the `base` and
+`docker_host` roles it calls do not exist yet.
 
 ## Designed but not built
 

docs/decisions/001-architecture.md

@@ -25,7 +25,8 @@ and the boundaries of what this Ansible monorepo manages.
 | Service deployment | Ansible per-service roles | Compose rendered from templates      |
 | Secrets            | Ansible Vault      | Encrypted `vault.yml` files in repo        |
 
-The Terraform↔Ansible boundary and handoff are defined in ADR-009.
+The Terraform↔Ansible boundary and handoff are defined in ADR-009. This table
+describes the *intended* design — see STATUS.md for what is actually built.
 
 ## Host groups
 
@@ -38,8 +39,8 @@ all
 
 The `control` group holds the single manually-provisioned control node; it is
 managed for baseline config (SSH, firewall, updates) but never runs the
-`docker_host` role. Proxmox nodes are managed only for basic baseline tasks (SSH,
-monitoring agent). Proxmox configuration itself (storage, clustering, networking)
+`docker_host` role. Proxmox nodes are managed only for basic baseline tasks (SSH).
+Proxmox configuration itself (storage, clustering, networking)
 is out of scope.
 
 ## Service interaction model

docs/decisions/003-toolchain.md

@@ -77,10 +77,10 @@ Config files: `.ansible-lint`, `.yamllint` in repo root.
 
 **Not chosen**: GitHub Actions (external), Jenkins (heavy)
 
-**Pipeline**:
-1. Push to any branch → lint + Molecule tests
-2. Merge to `main` → lint + Molecule tests + manual approval gate
-3. After approval → deploy to staging, then production
+**Pipeline** (trunk-based — no pull requests; see CLAUDE.md git conventions):
+1. Push to `main` → lint + Molecule tests
+2. On green → deploy to staging
+3. [manual promote gate] → deploy to production
 
 `act_runner` runs as a Docker container on the control node or a dedicated runner VM.
 

docs/decisions/008-testing.md

@@ -141,18 +141,15 @@ Behavioural correctness is confirmed on staging.
 ## CI pipeline
 
 ```
-push to any branch
+push to main
   ├── yamllint + ansible-lint          (fast gate, ~1 min)
-  └── molecule test (changed roles)   (parallel, ~5 min per role)
+  └── molecule test (all roles)        (parallel, ~5 min per role)
 
-pull request to main
-  ├── yamllint + ansible-lint
-  ├── molecule test (all roles)        (parallel)
-  └── [manual gate] review tf-plan and make check on staging
+on green (main)
+  ├── review tf-plan if infra changed; make check on staging
+  └── [manual approval] make deploy PLAYBOOK=site on staging
 
-merge to main
-  ├── yamllint + ansible-lint + molecule test (final gate)
-  ├── [manual approval] make deploy PLAYBOOK=site on staging
+promote to production
   └── [manual approval] make deploy PLAYBOOK=site on production
 ```
 

playbooks/site.yml

@@ -1,6 +1,8 @@
 ---
 # site.yml — apply full standard state to all hosts
 # Run via: make deploy PLAYBOOK=site
+# NOTE: the `base` and `docker_host` roles are not built yet (see STATUS.md), so this
+# playbook fails on a clean clone until they exist.
 
 - name: Apply base configuration to all hosts
   hosts: all

roles/README.md

@@ -8,5 +8,6 @@ Each role must have: a `molecule/default/` scenario (Debian 13), a populated
 `README.md`, and a filled-in `meta/main.yml`. Conventions: CLAUDE.md and
 `docs/runbooks/new-role.md`.
 
-Current state: `base/` and `docker_host/` are scaffolded directories but **empty /
-not implemented** — see `STATUS.md`.
+Current state: `base` and `docker_host` are **not built yet** — they exist only as
+empty, untracked dirs, so `site.yml` would fail on a clean clone. Build them with
+`make new-role` when defining the baseline. See `STATUS.md`.