From e24aab28b2bdbec19bb0e10680f7137f08a926e5 Mon Sep 17 00:00:00 2001 From: sjat Date: Sat, 6 Jun 2026 15:59:47 +0200 Subject: [PATCH] docs: link ADR-020; harden firewall guardrail to the service catalog --- CLAUDE.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CLAUDE.md b/CLAUDE.md index 115d2b5..21a3ec5 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -169,7 +169,7 @@ Single-contributor, trunk-based (no merge requests / approval gates): - Edit vault-encrypted files directly — decrypt first, re-encrypt after - Force-push or rewrite already-pushed history on `main` - Add a collection to `requirements.yml` without a specific module need in existing role tasks -- Open a firewall port anywhere but the `group_vars` firewall definitions — never ad-hoc on a host (ADR-002) +- Open a firewall port anywhere but the `group_vars` service catalog — never ad-hoc on a host. If it's not in the catalog, it doesn't exist (ADR-002, ADR-020) - Disable or weaken a baseline control from ADR-002 (SSH hardening, nftables default-deny, fail2ban, auditd) - Expose a service to the LAN/WAN without it sitting behind the reverse proxy with authentication (ADR-002) - Deploy a service that hasn't cleared `docs/security/service-checklist.md` (record any deviation in `docs/security/accepted-risks.md`) @@ -223,6 +223,7 @@ Single-contributor, trunk-based (no merge requests / approval gates): | Hardware & capacity | `docs/decisions/012-hardware-capacity.md` | | Logging & log integrity | `docs/decisions/018-logging.md` | | Tagging & run-targeting | `docs/decisions/019-tagging.md` | +| Firewall strategy | `docs/decisions/020-firewall.md` | | Adding a new role | `docs/runbooks/new-role.md` | | Adding a new host | `docs/runbooks/new-host.md` | | Rotating vault secrets | `docs/runbooks/rotate-secrets.md` |
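Review bot: In the first hunk, the replacement guardrail introduces the term `group_vars` service catalog without saying which `group_vars` file or variable that is, so a reader of CLAUDE.md has no way to tell whether a given port definition is "in the catalog" or not; consider naming the file or variable (or pointing at the section of ADR-020 that defines it) so the rule can be checked mechanically. The added sentence "If it's not in the catalog, it doesn't exist" also leaves the enforcement side implicit: since the next guardrail already names the nftables default-deny baseline from ADR-002, it would help to state that the firewall rules are rendered only from the catalog and that anything absent from it is dropped by that default-deny, rather than relying on the reader to infer the link between the two bullets.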
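Review bot: In the second hunk, the new table row links `docs/decisions/020-firewall.md`, but the patch header shows `1 file changed` with only `CLAUDE.md` touched, so the target of that link is not part of this commit; verify that the ADR file was committed separately (or fold it into this patch), otherwise the row and the new `ADR-020` reference in the first hunk both point at a document that does not yet exist in the tree. The row's placement after `019-tagging.md` keeps the decisions block ordered by ADR number, which matches the surrounding rows.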