docs(access): correct ADR-021 governance (runbook+gate, not scaffold)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sjat 2026-06-09 17:52:24 +02:00
parent 13f0d482bd
commit f151e99d04
2 changed files with 9 additions and 8 deletions

View file

@ -15,7 +15,7 @@ Delete this preamble in the copy and start from the heading below.
## Access paths ## Access paths
The mesh-reachable ways in, by tier (rendered from `access__*`): The documented ways in, by tier (rendered from `access__*`):
| Tier | Path | Invocation | | Tier | Path | Invocation |
|---|---|---| |---|---|---|
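Review bot: the lead-in now reads "The documented ways in", which on its own can be read as "whatever someone wrote down"; since the Design section has `/check-access` confirm that each listed path actually exists, consider keeping that property visible in the template, e.g. "The documented (and `check-access`-verified) ways in, by tier", so a reader of a rendered `ACCESS.md` knows the table is checked against the hosts rather than only declared. Widening from "mesh-reachable" is otherwise right, given the ADR adds a LAN source (`ubongo`) that is not a mesh path.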

View file

@ -156,10 +156,12 @@ so the verifier confirms the fallback *exists* without disrupting anything. Desi
Three light touches, mirroring how `SECURITY.md`/`VERIFY.md` are enforced: the service Three light touches, mirroring how `SECURITY.md`/`VERIFY.md` are enforced: the service
checklist (`docs/security/service-checklist.md`) gains an access item; the `new-role` checklist (`docs/security/service-checklist.md`) gains an access item; the `new-role`
runbook gains a fill/render/`check-access` step; and the `make new-role` scaffold drops a runbook gains a fill/render/`check-access` step (step 11: copy
stub `access__*` block + the `ACCESS.md` template into every service role — so it is `docs/access/service-access-template.md` into `roles/<service>/ACCESS.md` and populate the
structurally impossible to ship one with no access record (deviations go in `access__*` data); and a service-checklist gate item blocks clearance until the record
`accepted-risks.md`). exists and `/check-access` is green (or a deviation is recorded in `accepted-risks.md`).
No scaffold change — same manual-copy-plus-review pattern the sibling records
(`SECURITY.md`/`VERIFY.md`) use.
## Consequences ## Consequences
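Review bot: the gate item as written ("blocks clearance until the record exists and `/check-access` is green") cannot be satisfied while this same ADR lists `/check-access` *running* as build-pending on live hosts, staging and vault (Scope hunk below), so until then every new role is either blocked or pushed into `accepted-risks.md` as a deviation. Say which of those is intended in the interim, or gate on "record exists and `ACCESS.md` renders" until the checker is live and tighten to "green" afterwards. Two smaller points: hard-coding "step 11" will drift the first time the runbook is reordered, so refer to the step by name (the fill/render/`check-access` step); and the step is spelled `check-access` on the runbook line but `/check-access` in the gate sentence, so pick one form.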
@ -169,7 +171,7 @@ structurally impossible to ship one with no access record (deviations go in
- The management plane gains exactly one extra trusted LAN source (`ubongo`); attack - The management plane gains exactly one extra trusted LAN source (`ubongo`); attack
surface grows by one keys-only + fail2ban-gated SSH path, no new exposed ports. surface grows by one keys-only + fail2ban-gated SSH path, no new exposed ports.
- Cost: per-service `access__*` declarations and a rendered `ACCESS.md` to maintain - Cost: per-service `access__*` declarations and a rendered `ACCESS.md` to maintain
(mitigated by the uniform host baseline + scaffold), plus `/check-access` to build. (mitigated by the uniform host baseline + the new-role runbook step + checklist gate), plus `/check-access` to build.
## Scope ## Scope
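Review bot: the cost bullet now says the per-service declarations and rendered `ACCESS.md` are mitigated by "the new-role runbook step + checklist gate", but neither reduces the maintenance cost; the scaffold did (it stubbed the `access__*` block automatically), whereas a runbook step and a gate only reduce the chance of shipping a role without the record. Suggest separating the two: "(effort mitigated by the uniform host baseline; omission caught by the new-role runbook step and checklist gate)". The long parenthetical also overflows the wrap width used elsewhere in the file.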
@ -184,8 +186,7 @@ management plane* (the always-allowed block that already holds the `wt0` SSH/Ans
and is explicitly independent of the service catalog), not added to the catalog itself (the and is explicitly independent of the service catalog), not added to the catalog itself (the
catalog owns service ingress only) — via the `base__firewall_control_addr` knob and its catalog owns service ingress only) — via the `base__firewall_control_addr` knob and its
nftables rule, both of which do **not** exist in `roles/base` yet and land with the nftables rule, both of which do **not** exist in `roles/base` yet and land with the
`firewall` concern of `base`; and the governance wiring (checklist item, runbook step, `firewall` concern of `base`; and the governance wiring (checklist item, new-role runbook step). ADR-016 and ADR-020 are amended to reference the ladder.
scaffold stub). ADR-016 and ADR-020 are amended to reference the ladder.
**Build-pending on infra:** per-service `access__*` data and rendered `ACCESS.md` files **Build-pending on infra:** per-service `access__*` data and rendered `ACCESS.md` files
(wait on service roles), `/check-access` *running* (waits on live hosts + staging + vault), (wait on service roles), `/check-access` *running* (waits on live hosts + staging + vault),
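Review bot: the governance parenthetical now lists two wires, "(checklist item, new-role runbook step)", while the Design section in this same commit still opens with "Three light touches" and names a service-checklist gate item as well as the checklist access item. Either the gate item is a third distinct item, in which case list it here too ("checklist item, checklist gate, new-role runbook step"), or it is the same checklist item and the count in Design should drop to two; as written the two sections disagree about what the governance wiring consists of.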