feat(inventory): ubongo gets INPUT-only host firewall + mamba LAN SSH

Enables base__firewall_input_only on the control group (forward chain stays
permissive so Docker egress + the integration-test libvirt NAT survive) and
allows the operator workstations' LAN IPs (mamba 10.20.10.50 + 10.20.10.17;
raw leases, backstopped by wt0). Mesh-hardening 2/3.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

inventories/production/group_vars/control/vars.yml

@@ -19,3 +19,15 @@ base__ai_worker_user: claude
 # Enrollment only; the host firewall default-deny stays deferred (the mesh-hardening
 # follow-on), so this brings up wt0 without changing SSH exposure.
 base__mesh_enabled: true
+
+# Mesh-hardening 2/3 (2026-06-19, ADR-020/021): apply base's host firewall to ubongo as
+# INPUT-only default-deny — harden the inbound surface, leave the forward chain permissive so
+# Docker egress + the libvirt-NAT integration harness keep working. sshd is unchanged
+# (nftables scopes inbound), so there is no boot-race. Reach ubongo over wt0 (mesh), the
+# ssh-from-control self-path (base__firewall_control_addr, group_vars/all = 10.20.10.151), or
+# mamba on the LAN. Break-glass: the physical console. (base__firewall_apply defaults true.)
+base__firewall_input_only: true
+base__firewall_admin_addrs:
+  - "10.20.10.50"   # mamba over the LAN (NetBird off). Raw DHCP lease — revisit with an
+                    # OPNsense reservation when OPNsense-as-code lands; backstopped by wt0.
+  - "10.20.10.17"   # 2nd operator workstation (MAC bc:0f:f3:c8:4a:8a). Raw lease — ditto.