docs(access): correct ADR-021 governance (runbook+gate, not scaffold)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent 13f0d482bd
commit f151e99d04
2 changed files with 9 additions and 8 deletions
@ -15,7 +15,7 @@ Delete this preamble in the copy and start from the heading below.
## Access paths
The mesh-reachable ways in, by tier (rendered from `access__*`):
The documented ways in, by tier (rendered from `access__*`):
| Tier | Path | Invocation |
|---|---|---|
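Review bot: the rename from "mesh-reachable" to "documented" in the template's lead sentence widens what a service author is expected to list, but neither the sentence nor the `Tier | Path | Invocation` header says whether non-mesh paths (the trusted-LAN SSH fallback this ADR introduces) belong in the table or only in the surrounding `ACCESS.md` prose. Since the sentence is rendered from `access__*`, state the intended scope explicitly, for example `The ways in, by tier (mesh paths plus any LAN fallback), rendered from \`access__*\`:`, or keep "mesh-reachable" and document the fallback separately, so the `Tier` column has one unambiguous meaning for the `/check-access` verifier.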
@ -156,10 +156,12 @@ so the verifier confirms the fallback *exists* without disrupting anything. Desi
Three light touches, mirroring how `SECURITY.md`/`VERIFY.md` are enforced: the service
checklist (`docs/security/service-checklist.md`) gains an access item; the `new-role`
runbook gains a fill/render/`check-access` step; and the `make new-role` scaffold drops a
stub `access__*` block + the `ACCESS.md` template into every service role — so it is
structurally impossible to ship one with no access record (deviations go in
`accepted-risks.md`).
runbook gains a fill/render/`check-access` step (step 11: copy
`docs/access/service-access-template.md` into `roles/<service>/ACCESS.md` and populate the
`access__*` data); and a service-checklist gate item blocks clearance until the record
exists and `/check-access` is green (or a deviation is recorded in `accepted-risks.md`).
No scaffold change — same manual-copy-plus-review pattern the sibling records
(`SECURITY.md`/`VERIFY.md`) use.
## Consequences
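Review bot: the new gate wording ("blocks clearance until the record exists and `/check-access` is green") cannot be satisfied as written, because the Scope section of this same ADR lists `/check-access` *running* as build-pending (it waits on live hosts, staging and vault). Until the verifier is live, every new role would need an `accepted-risks.md` deviation just to clear the checklist, which normalises the very escape hatch the gate is meant to police. Either stage the gate (record must exist now; `/check-access` green becomes mandatory once it runs) and say so here, or keep the green requirement and state in Scope that clearance is blocked until `/check-access` lands. Separately, "step 11" pins a runbook step number into the ADR; reference the step by name (the fill/render/`check-access` step) so renumbering the `new-role` runbook does not silently invalidate this record.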
@ -169,7 +171,7 @@ structurally impossible to ship one with no access record (deviations go in
- The management plane gains exactly one extra trusted LAN source (`ubongo`); attack
surface grows by one keys-only + fail2ban-gated SSH path, no new exposed ports.
- Cost: per-service `access__*` declarations and a rendered `ACCESS.md` to maintain
(mitigated by the uniform host baseline + scaffold), plus `/check-access` to build.
(mitigated by the uniform host baseline + the new-role runbook step + checklist gate), plus `/check-access` to build.
## Scope
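Review bot: "no new exposed ports" in the attack-surface bullet understates the change: port 22 was already open on `wt0`, but this ADR makes it reachable from a new source (`ubongo`), so the accurate statement is "no new ports, one new source on the existing SSH rule". The bullet should also say what bounds that source, namely that the nftables rule is keyed to the single address in `base__firewall_control_addr` (named in the Scope section), so any other LAN host gains nothing; without that, "one extra trusted LAN source" reads as a whole-LAN allowance. The rewritten cost line is also now one overlong line where the rest of the file wraps at roughly 90 columns; wrap it to match.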
@ -184,8 +186,7 @@ management plane* (the always-allowed block that already holds the `wt0` SSH/Ans
and is explicitly independent of the service catalog), not added to the catalog itself (the
catalog owns service ingress only) — via the `base__firewall_control_addr` knob and its
nftables rule, both of which do **not** exist in `roles/base` yet and land with the
`firewall` concern of `base`; and the governance wiring (checklist item, runbook step,
scaffold stub). ADR-016 and ADR-020 are amended to reference the ladder.
`firewall` concern of `base`; and the governance wiring (checklist item, new-role runbook step). ADR-016 and ADR-020 are amended to reference the ladder.
**Build-pending on infra:** per-service `access__*` data and rendered `ACCESS.md` files
(wait on service roles), `/check-access` *running* (waits on live hosts + staging + vault),
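Review bot: the governance-wiring parenthetical now reads "(checklist item, new-role runbook step)" while the governance section of this same change describes the checklist entry as a gate item that blocks clearance; write "checklist gate item" here too so Scope and the governance text agree on whether the entry is advisory or blocking. This replacement also folds the ADR-016/ADR-020 amendment sentence onto the same line as the scope sentence, where the original kept them on separate wrapped lines; restore the wrap so future diffs against the amended ADRs stay line-local.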