Thread the VERIFY.md convention through ADR-004/new-role/README

Review O1-O3: ADR-017's per-service VERIFY.md requirement now appears in the ADR-004 service-role file table, as a new-role runbook step, and the README docs index/tree are refreshed (ADRs 010-017, security/testing/hardware dirs). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 18:52:42 +02:00 · 2026-06-05 18:52:42 +02:00 · f0d189ca09
commit f0d189ca09
parent 3dd03d4198
3 changed files with 27 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -57,7 +57,11 @@ See `Makefile` for the full list of targets.
 │
 ├── docs/
 │   ├── decisions/          # Architecture decision records (ADRs)
-│   └── runbooks/           # Step-by-step operational procedures
+│   ├── runbooks/           # Step-by-step operational procedures
+│   ├── security/           # Per-service security checklist + templates + accepted risks
+│   ├── testing/            # VERIFY.md template + service-UI verification reports
+│   ├── hardware/           # Physical capacity reference + reviews
+│   └── reviews/            # /review-repo reports
 │
 ├── inventories/
 │   ├── production/         # Live hosts — edit carefully
@ -92,6 +96,17 @@ See `Makefile` for the full list of targets.
 - Network topology: `docs/decisions/007-network.md`
 - Testing methodology: `docs/decisions/008-testing.md`
 - Terraform ↔ Ansible handoff: `docs/decisions/009-provisioning-handoff.md`
+- Forgejo & CI: `docs/decisions/010-forgejo-ci.md`
+- Update management: `docs/decisions/011-update-management.md`
+- Hardware & capacity: `docs/decisions/012-hardware-capacity.md`
+- Heritage / V4 policy: `docs/decisions/013-heritage-v4.md`
+- Sourcing technical knowledge: `docs/decisions/014-knowledge-sourcing.md`
+- Control / AI-worker host (`ubongo`): `docs/decisions/015-control-host.md`
+- Mesh VPN (NetBird): `docs/decisions/016-mesh-vpn.md`
+- Service-UI verification (Level 4): `docs/decisions/017-service-ui-verification.md`
+
+(CLAUDE.md carries the full cross-referenced table, including the runbooks and
+security/testing docs.)

 ## Contributing

--- a/docs/decisions/004-docker-model.md
+++ b/docs/decisions/004-docker-model.md
@ -42,6 +42,7 @@ below). Each service role contains a standard set of files:
 | `defaults/main.yml` | Tuneables, `rolename__` namespace |
 | `README.md` | Purpose, variables, usage (role convention) |
 | `SECURITY.md` | Per-service security record — see ADR-002 and `docs/security/service-security-template.md` |
+| `VERIFY.md` | Per-service UI acceptance spec — see ADR-008 Level 4 / ADR-017 and `docs/testing/service-verify-template.md` |
 | `meta/main.yml`, `molecule/default/` | Metadata + Debian 13 test scenario |

 ### Standard deploy mechanics
--- a/docs/runbooks/new-role.md
+++ b/docs/runbooks/new-role.md
@ -82,7 +82,16 @@ service clears the security bar — record any conscious deviation in
 manual in review today, with the planned `/security-review` aggregating every
 `roles/*/SECURITY.md` to automate it.

-### 10. Commit
+### 10. Write the per-service verification spec (services)
+
+For a **service** role, copy `docs/testing/service-verify-template.md` to
+`roles/<rolename>/VERIFY.md` and fill it in: the critical user journeys that define
+"working" for this service, what good looks like, what is not browser-verifiable
+(→ manual handoff), and the test data needed. This is the per-service backbone for the
+Level 4 `/verify-service` check (ADR-008 / ADR-017) and is part of the pre-production
+service-clearance gate (`docs/security/service-checklist.md`).
+
+### 11. Commit

 ```bash
 git checkout -b role/<rolename>