docs(roadmap): Phase 1 complete — point Next step at mesh-hardening follow-on

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs/ROADMAP.md

@@ -13,7 +13,7 @@ as ordering changes, or as new milestones appear. Each milestone gets its own
 spec → plan → implementation cycle (`docs/superpowers/specs/` then `…/plans/`) when it
 comes up; this file stays high-level.
 
-_Last updated: 2026-06-11._
+_Last updated: 2026-06-17._
 
 ---
 
@@ -206,6 +206,14 @@ Canonical dependency order:
 
 ## Next step
 
-**M1 (Gandi DNS migration, IaC)** design is written —
-`docs/superpowers/specs/2026-06-11-public-dns-gandi-migration-design.md`. Next: user
-review → implementation plan.
+**Phase 1 is complete (M1–M5).** The next build is the **mesh-hardening follow-on**
+(deferred from M5, now safe because the `wt0` mesh path exists):
+
+1. apply `base`'s nftables **default-deny** to `ubongo` + set `base__firewall_control_addr`
+   (ADR-021 `ssh-from-control`, built/dormant) — lockout-risky on the control node itself,
+   so it relies on the firewall's auto-rollback;
+2. tighten the NetBird ACL **off Allow-All** to scoped policies;
+3. move `askari`'s SSH onto `wt0`, retiring the Hetzner-firewall WAN allow.
+
+Needs its own spec → plan → implementation cycle. **Then** the Procurement gate
+(`/capacity-review` → buy Proxmox hardware) opens Phase 2.