plan: record ubongo build outcome (done/deferred/follow-ups)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs/superpowers/plans/2026-06-11-ubongo-build.md

@@ -124,3 +124,27 @@ claude 2.1.173. Terraform is absent on `fisi` (TF un-init'd) — install deferre
 - **Full `base` hardening** — SSH/fail2ban/auditd concerns not built (only `firewall`).
 - **Recovery wiring (G)** — TF-state backup to `mamba`, rbw mirror — no TF state yet
   (TF un-init'd). `mamba` as break-glass clone tracked separately.
+
+---
+
+## Outcome (2026-06-11)
+
+`STATUS.md` is the live source of truth; this is the session record.
+
+**Done:** A (toolchain — Docker 29.5.3, rbw 1.15.0, Claude Code 2.1.173; Node deferred),
+B (dedicated `claude` user — docker group, no sudo), C (repo cloned, `make setup` +
+`collections`, git identity; plugins install on first interactive launch), D (vault via
+rbw + **offline-cache decryption verified**), E1/E2 (inventory + `ssh-from-control`
+knob), F1 (key-only SSH), F2 (temp NOPASSWD removed), H1–H4 (docs reconciled).
+
+**Deferred, with reason:**
+- **E3 — apply `base` to `ubongo`:** would push nftables default-deny with SSH allowed
+  *only on the mesh interface*, but no mesh exists yet → would deny inbound SSH on `eno1`
+  and strand the box. Wait for NetBird (ADR-016). `base` is also firewall-concern-only.
+- **F3 — OPNsense DHCP reservation** for `10.20.10.151` (MAC `88:a4:c2:e0:ee:da`): operator action.
+- **Mesh enrollment, full `base` hardening, recovery wiring (G):** out of scope (above).
+
+**Follow-ups flagged:** (1) `ubongo` sits in `10.20.10.0/24`, which doesn't match
+ADR-007's zone map (`srv: 10.20.0.0/24`) — network-design drift to reconcile. (2) The
+hardware reference previously assumed `ubongo` had 1 TB NVMe for an ADR-022 "restore-verify"
+role; the real disk is 256 GB — check ADR-022 doesn't bank on the larger size.