From e5a8e5d3b9265d98038eb41b00d61c3061a5c3de Mon Sep 17 00:00:00 2001 From: sjat Date: Wed, 17 Jun 2026 18:39:08 +0200 Subject: [PATCH] =?UTF-8?q?docs(roadmap):=20Phase=201=20complete=20?= =?UTF-8?q?=E2=80=94=20point=20Next=20step=20at=20mesh-hardening=20follow-?= =?UTF-8?q?on?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.8 (1M context) --- docs/ROADMAP.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/docs/ROADMAP.md b/docs/ROADMAP.md index 3fdbc7e..0266a68 100644 --- a/docs/ROADMAP.md +++ b/docs/ROADMAP.md @@ -13,7 +13,7 @@ as ordering changes, or as new milestones appear. Each milestone gets its own spec → plan → implementation cycle (`docs/superpowers/specs/` then `…/plans/`) when it comes up; this file stays high-level. -_Last updated: 2026-06-11._ +_Last updated: 2026-06-17._ --- @@ -206,6 +206,14 @@ Canonical dependency order: ## Next step -**M1 (Gandi DNS migration, IaC)** design is written — -`docs/superpowers/specs/2026-06-11-public-dns-gandi-migration-design.md`. Next: user -review → implementation plan. +**Phase 1 is complete (M1–M5).** The next build is the **mesh-hardening follow-on** +(deferred from M5, now safe because the `wt0` mesh path exists): + +1. apply `base`'s nftables **default-deny** to `ubongo` + set `base__firewall_control_addr` + (ADR-021 `ssh-from-control`, built/dormant) — lockout-risky on the control node itself, + so it relies on the firewall's auto-rollback; +2. tighten the NetBird ACL **off Allow-All** to scoped policies; +3. move `askari`'s SSH onto `wt0`, retiring the Hetzner-firewall WAN allow. + +Needs its own spec → plan → implementation cycle. **Then** the Procurement gate +(`/capacity-review` → buy Proxmox hardware) opens Phase 2.
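Review bot: in the second hunk (the new "Next step" list), item 1 bundles "apply default-deny to `ubongo`" and "set `base__firewall_control_addr`" with a `+`, leaving the order ambiguous, yet the order is exactly what decides whether the control node locks itself out; the roadmap should state that the control address is set (and the resulting `ssh-from-control` rule confirmed present) before default-deny is applied, so that auto-rollback is the backstop rather than the plan. The same hunk should also name a prerequisite that the auto-rollback it relies on has been exercised on `ubongo` and that an out-of-band access path exists, since "lockout-risky on the control node itself" is the one failure this list cannot recover from over the mesh. Finally, items 2 and 3 are independent as written: retiring the Hetzner-firewall WAN allow in item 3 should be conditioned on the scoped NetBird policies from item 2 still permitting control → `askari` SSH over `wt0`, otherwise tightening the ACL first can remove the only remaining path; suggest making that dependency explicit in the list, e.g. "3. ... (only after verifying SSH over `wt0` under the item-2 policies)".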