docs(roadmap): Phase 1 complete — point Next step at mesh-hardening follow-on
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
5947ba8756
commit
e5a8e5d3b9
1 changed files with 12 additions and 4 deletions
|
|
@ -13,7 +13,7 @@ as ordering changes, or as new milestones appear. Each milestone gets its own
|
||||||
spec → plan → implementation cycle (`docs/superpowers/specs/` then `…/plans/`) when it
|
spec → plan → implementation cycle (`docs/superpowers/specs/` then `…/plans/`) when it
|
||||||
comes up; this file stays high-level.
|
comes up; this file stays high-level.
|
||||||
|
|
||||||
_Last updated: 2026-06-11._
|
_Last updated: 2026-06-17._
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
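Review bot: the only change in this hunk is the hand-maintained `_Last updated:_` line moving from 2026-06-11 to 2026-06-17; a manually bumped date drifts from the real edit history, so consider deriving it from the file's git history at docs-build time or dropping the line in favour of the commit log.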
@ -206,6 +206,14 @@ Canonical dependency order:
|
||||||
|
|
||||||
## Next step
|
## Next step
|
||||||
|
|
||||||
**M1 (Gandi DNS migration, IaC)** design is written —
|
**Phase 1 is complete (M1–M5).** The next build is the **mesh-hardening follow-on**
|
||||||
`docs/superpowers/specs/2026-06-11-public-dns-gandi-migration-design.md`. Next: user
|
(deferred from M5, now safe because the `wt0` mesh path exists):
|
||||||
review → implementation plan.
|
|
||||||
|
1. apply `base`'s nftables **default-deny** to `ubongo` + set `base__firewall_control_addr`
|
||||||
|
(ADR-021 `ssh-from-control`, built/dormant) — lockout-risky on the control node itself,
|
||||||
|
so it relies on the firewall's auto-rollback;
|
||||||
|
2. tighten the NetBird ACL **off Allow-All** to scoped policies;
|
||||||
|
3. move `askari`'s SSH onto `wt0`, retiring the Hetzner-firewall WAN allow.
|
||||||
|
|
||||||
|
Needs its own spec → plan → implementation cycle. **Then** the Procurement gate
|
||||||
|
(`/capacity-review` → buy Proxmox hardware) opens Phase 2.
|
||||||
|
|
|
||||||
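Review bot: step 1 names the lockout risk of applying default-deny on the control node `ubongo` but offers the firewall's auto-rollback as the only safety net; the roadmap (or the spec it says will follow) should also name the recovery path if the rollback does not fire, such as out-of-band console access, and where the rollback window is defined. The ordering dependency between the three steps is also worth stating explicitly: step 2 tightens the NetBird ACL that the `wt0` path used by steps 1 and 3 relies on, so the scoped policies need to be verified to admit the control-node SSH flow before step 3 retires the Hetzner-firewall WAN allow for `askari`.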