diff --git a/docs/ROADMAP.md b/docs/ROADMAP.md index 3fdbc7e..0266a68 100644 --- a/docs/ROADMAP.md +++ b/docs/ROADMAP.md @@ -13,7 +13,7 @@ as ordering changes, or as new milestones appear. Each milestone gets its own spec → plan → implementation cycle (`docs/superpowers/specs/` then `…/plans/`) when it comes up; this file stays high-level. -_Last updated: 2026-06-11._ +_Last updated: 2026-06-17._ --- @@ -206,6 +206,14 @@ Canonical dependency order: ## Next step -**M1 (Gandi DNS migration, IaC)** design is written — -`docs/superpowers/specs/2026-06-11-public-dns-gandi-migration-design.md`. Next: user -review → implementation plan. +**Phase 1 is complete (M1–M5).** The next build is the **mesh-hardening follow-on** +(deferred from M5, now safe because the `wt0` mesh path exists): + +1. apply `base`'s nftables **default-deny** to `ubongo` + set `base__firewall_control_addr` + (ADR-021 `ssh-from-control`, built/dormant) — lockout-risky on the control node itself, + so it relies on the firewall's auto-rollback; +2. tighten the NetBird ACL **off Allow-All** to scoped policies; +3. move `askari`'s SSH onto `wt0`, retiring the Hetzner-firewall WAN allow. + +Needs its own spec → plan → implementation cycle. **Then** the Procurement gate +(`/capacity-review` → buy Proxmox hardware) opens Phase 2.
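Review bot: step 1 of the new "Next step" list in the second hunk is a lockout-risky change on the control node, yet the only safeguard it names is "the firewall's auto-rollback"; spell out the preconditions a reader needs before running it: confirm `base__firewall_control_addr` is the `wt0` address the operator actually reaches `ubongo` from, confirm the auto-rollback is in place and what triggers it, and state the out-of-band access path that remains if the rollback does not fire. Step 3 moves `askari`'s SSH onto `wt0` and retires the Hetzner-firewall WAN allow in one breath; make the ordering explicit (verify SSH over `wt0`, then retire the WAN allow) and note that step 2's scoped NetBird ACL must still permit that control-to-`askari` SSH path, otherwise steps 2 and 3 can lock each other out. Since the hunk replaces the concrete spec pointer (`docs/superpowers/specs/2026-06-11-public-dns-gandi-migration-design.md`) with "Needs its own spec → plan → implementation cycle", consider adding a one-line rollback per step here so the recovery path is recorded before the spec exists.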