docs(access): correct ADR-021 governance (runbook+gate, not scaffold)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs/access/service-access-template.md

@@ -15,7 +15,7 @@ Delete this preamble in the copy and start from the heading below.
 
 ## Access paths
 
-The mesh-reachable ways in, by tier (rendered from `access__*`):
+The documented ways in, by tier (rendered from `access__*`):
 
 | Tier | Path | Invocation |
 |---|---|---|

docs/decisions/021-operational-access.md

@@ -156,10 +156,12 @@ so the verifier confirms the fallback *exists* without disrupting anything. Desi
 
 Three light touches, mirroring how `SECURITY.md`/`VERIFY.md` are enforced: the service
 checklist (`docs/security/service-checklist.md`) gains an access item; the `new-role`
-runbook gains a fill/render/`check-access` step; and the `make new-role` scaffold drops a
+runbook gains a fill/render/`check-access` step (step 11: copy
-stub `access__*` block + the `ACCESS.md` template into every service role — so it is
+`docs/access/service-access-template.md` into `roles/<service>/ACCESS.md` and populate the
-structurally impossible to ship one with no access record (deviations go in
+`access__*` data); and a service-checklist gate item blocks clearance until the record
-`accepted-risks.md`).
+exists and `/check-access` is green (or a deviation is recorded in `accepted-risks.md`).
+No scaffold change — same manual-copy-plus-review pattern the sibling records
+(`SECURITY.md`/`VERIFY.md`) use.
 
 ## Consequences
 
@@ -169,7 +171,7 @@ structurally impossible to ship one with no access record (deviations go in
 - The management plane gains exactly one extra trusted LAN source (`ubongo`); attack
   surface grows by one keys-only + fail2ban-gated SSH path, no new exposed ports.
 - Cost: per-service `access__*` declarations and a rendered `ACCESS.md` to maintain
-  (mitigated by the uniform host baseline + scaffold), plus `/check-access` to build.
+  (mitigated by the uniform host baseline + the new-role runbook step + checklist gate), plus `/check-access` to build.
 
 ## Scope
 
@@ -184,8 +186,7 @@ management plane* (the always-allowed block that already holds the `wt0` SSH/Ans
 and is explicitly independent of the service catalog), not added to the catalog itself (the
 catalog owns service ingress only) — via the `base__firewall_control_addr` knob and its
 nftables rule, both of which do **not** exist in `roles/base` yet and land with the
-`firewall` concern of `base`; and the governance wiring (checklist item, runbook step,
+`firewall` concern of `base`; and the governance wiring (checklist item, new-role runbook step). ADR-016 and ADR-020 are amended to reference the ladder.
-scaffold stub). ADR-016 and ADR-020 are amended to reference the ladder.
 
 **Build-pending on infra:** per-service `access__*` data and rendered `ACCESS.md` files
 (wait on service roles), `/check-access` *running* (waits on live hosts + staging + vault),