diff --git a/docs/access/service-access-template.md b/docs/access/service-access-template.md index 0a83947..9b2892b 100644 --- a/docs/access/service-access-template.md +++ b/docs/access/service-access-template.md @@ -15,7 +15,7 @@ Delete this preamble in the copy and start from the heading below. ## Access paths -The mesh-reachable ways in, by tier (rendered from `access__*`): +The documented ways in, by tier (rendered from `access__*`): | Tier | Path | Invocation | |---|---|---| diff --git a/docs/decisions/021-operational-access.md b/docs/decisions/021-operational-access.md index 1e8676e..6b12f3e 100644 --- a/docs/decisions/021-operational-access.md +++ b/docs/decisions/021-operational-access.md @@ -156,10 +156,12 @@ so the verifier confirms the fallback *exists* without disrupting anything. Desi Three light touches, mirroring how `SECURITY.md`/`VERIFY.md` are enforced: the service checklist (`docs/security/service-checklist.md`) gains an access item; the `new-role` -runbook gains a fill/render/`check-access` step; and the `make new-role` scaffold drops a -stub `access__*` block + the `ACCESS.md` template into every service role — so it is -structurally impossible to ship one with no access record (deviations go in -`accepted-risks.md`). +runbook gains a fill/render/`check-access` step (step 11: copy +`docs/access/service-access-template.md` into `roles//ACCESS.md` and populate the +`access__*` data); and a service-checklist gate item blocks clearance until the record +exists and `/check-access` is green (or a deviation is recorded in `accepted-risks.md`). +No scaffold change — same manual-copy-plus-review pattern the sibling records +(`SECURITY.md`/`VERIFY.md`) use. ## Consequences 
@@ -169,7 +171,7 @@ structurally impossible to ship one with no access record (deviations go in - The management plane gains exactly one extra trusted LAN source (`ubongo`); attack surface grows by one keys-only + fail2ban-gated SSH path, no new exposed ports. - Cost: per-service `access__*` declarations and a rendered `ACCESS.md` to maintain - (mitigated by the uniform host baseline + scaffold), plus `/check-access` to build. + (mitigated by the uniform host baseline + the new-role runbook step + checklist gate), plus `/check-access` to build. ## Scope @@ -184,8 +186,7 @@ management plane* (the always-allowed block that already holds the `wt0` SSH/Ans and is explicitly independent of the service catalog), not added to the catalog itself (the catalog owns service ingress only) — via the `base__firewall_control_addr` knob and its nftables rule, both of which do **not** exist in `roles/base` yet and land with the -`firewall` concern of `base`; and the governance wiring (checklist item, runbook step, -scaffold stub). ADR-016 and ADR-020 are amended to reference the ladder. +`firewall` concern of `base`; and the governance wiring (checklist item, new-role runbook step). ADR-016 and ADR-020 are amended to reference the ladder. **Build-pending on infra:** per-service `access__*` data and rendered `ACCESS.md` files (wait on service roles), `/check-access` *running* (waits on live hosts + staging + vault),
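Review bot: in the `docs/decisions/021-operational-access.md` hunk at `@@ -156,10 +156,12 @@`, the new gate blocks clearance "until the record exists and `/check-access` is green", but the Scope section of the same file (visible in the `@@ -184,8 +186,7 @@` hunk) lists `/check-access` *running* as build-pending on live hosts, staging and vault; as written, every service role cleared before that lands must go through the `accepted-risks.md` deviation path, which turns a real risk record into a routine bypass. Say explicitly whether the gate is satisfied by the rendered `ACCESS.md` alone until `/check-access` can run, e.g. "until the record exists (and, once `/check-access` is runnable, it is green)". Two smaller points in the same hunk: the unchanged lead-in still says "Three light touches" and the body then names a checklist access item, a runbook step and a service-checklist gate item, while the Scope hunk counts only "checklist item, new-role runbook step"; if the gate item is the checklist access item, the lead-in should say two, otherwise Scope undercounts. And `roles//ACCESS.md` in step 11 has an empty path segment where the role-name placeholder belongs (an angle-bracket token is swallowed by the markdown renderer); write the placeholder in a form that survives rendering.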
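Review bot: in the `@@ -169,7 +171,7 @@` hunk the replacement line "(mitigated by the uniform host baseline + the new-role runbook step + checklist gate), plus `/check-access` to build." runs well past the roughly 90-column wrap the rest of the file keeps (every neighbouring line, including the removed one, is wrapped); re-wrap it onto two lines so the rendered diff and future blame stay readable.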
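Review bot: in the `@@ -184,8 +186,7 @@` hunk the two removed lines were wrapped at the file's column width but the single replacement line "`firewall` concern of `base`; and the governance wiring (checklist item, new-role runbook step). ADR-016 and ADR-020 are amended to reference the ladder." is not; keep the two-line wrap. The content change itself is consistent with the `@@ -156,10 +156,12 @@` hunk (scaffold stub dropped from the governance wiring), which is the right follow-through.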