plan: record ubongo build outcome (done/deferred/follow-ups)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

STATUS.md

@@ -5,7 +5,7 @@ This repo is partly aspirational: the ADRs in `docs/decisions/` describe the
 truth. **Before relying on a role, provider, or pipeline existing, check here.**
 If something is listed as "designed, not built", do not assume it works.
 
-_Last reviewed: 2026-06-06._
+_Last reviewed: 2026-06-11._
 
 ## Real and working today
 
@@ -26,6 +26,7 @@ _Last reviewed: 2026-06-06._
 | ADR-002 security strategy + `docs/security/{accepted-risks,service-checklist}.md` | Present — threat model, principles, governance frame; checklist + risk register are docs, enforced manually in review |
 | Service-role standard + per-service `SECURITY.md` convention | Defined (ADR-004 + `docs/security/service-security-template.md`); not yet applied — no service roles exist |
 | Tag standard + enforcement (ADR-019) | Works — `tests/tags.yml` (closed vocabulary) + `scripts/check-tags.py` (run by `make lint`, unit-tested): enforces the tag vocabulary and that each role import in a play's `roles:` block carries its role-name tag. Governs mostly-unbuilt roles, but the linter is live now. Proxmox VM tag convention (`<env>`, group, `managed-by=terraform`) is in the Terraform HCL but unprovisioned. |
+| `ubongo` — physical control / AI-worker host (ADR-015) | **Built (partial).** Debian 13.5 on a Lenovo M70q (i3-10100T, 16 GB, 256 GB SSD; no disk encryption — accepted risk). Full toolchain installed + pinned to `fisi` (Docker 29.5.3, rbw 1.15.0, Claude Code 2.1.173, ansible-core 2.17.14 + molecule via `make setup`/`make collections`). Repo cloned under a dedicated `claude` user (docker group, no sudo). Vault works via rbw (offline-cache decryption verified). SSH key-only (password + root login disabled). In the production inventory `control` group at 10.20.10.151. **Pending:** NetBird mesh enrollment (so SSH is LAN-only); full `base` hardening (only the `firewall` concern exists, and it is NOT applied here — applying default-deny with no mesh would lock out inbound SSH on the physical NIC); OPNsense DHCP reservation for 10.20.10.151 (MAC `88:a4:c2:e0:ee:da`); Terraform state backup (no TF state yet). |
 
 ## Scaffolded but empty — NOT implemented
 
@@ -53,7 +54,6 @@ So `make deploy PLAYBOOK=site` is still incomplete — `base` is only partially
 | `/security-review` skill | ADR-002 / TODO 8.5 | Periodic posture re-check + accepted-risk re-challenge; planned, not built |
 | CIS hardening (Debian L1+L2 + Docker) | ADR-002 / TODO 15 | Implemented by the (unbuilt) `base`/`docker_host` roles; brings AppArmor + AIDE as baseline. L2 partitions affect VM provisioning (ADR-006) |
 | Network IDS + security alerting | ADR-002 / TODO 15 | Suricata on OPNsense + AIDE/`auditd`/`fail2ban` alerting into the monitoring stack; not built |
-| `ubongo` — physical control / AI-worker host | ADR-015 | **Design RESOLVED** (ADR-015 + spec + plan). Replaces the cluster control VM with a dedicated always-on x86 box outside the cluster. **Build pending:** box not yet acquired/installed, not in inventory. |
 | NetBird mesh — coordinator on `askari` | ADR-016 | **Design RESOLVED** (ADR-016 + spec + plan); resolves ADR-015 deferred #1. Self-hosted NetBird control plane (management/signal/relay) on askari; replaces ADR-007 WireGuard. **Build pending:** not deployed (askari + service-role machinery not built). |
 | NetBird agent enrollment in `base` | ADR-016 | **Design RESOLVED** (ADR-016). Every Linux host joins the mesh via the base role (setup keys in vault); SSH allowed only on `wt0`. **Build pending:** base role not built. |
 | Service-UI verification (Level 4) | ADR-017 / ADR-008 | **Design RESOLVED** (ADR-017 + spec + plan); resolves ADR-015 deferred #2. `/verify-service` skill + `VERIFY.md` template + standards are authorable and present. **Build pending:** running needs ubongo + `playwright` plugin + Authentik + a staging deploy. |

docs/decisions/015-control-host.md

@@ -79,6 +79,22 @@ Manual, on bare metal:
 - `ubongo` runs the `base` role: SSH hardening, nftables default-deny, fail2ban,
   auditd, unattended-upgrades. Inbound SSH is allowed **only on the mesh interface**,
   denied on the physical NIC.
+- **Operational reality (until the mesh exists):** the "SSH only on the mesh interface"
+  target above is the end state, not yet in force. Today remote access is **LAN SSH
+  only** — key-only, with password auth and root login disabled — until the NetBird mesh
+  (ADR-016) is stood up.
+- **AI-worker identity:** `ubongo` runs the AI worker under a dedicated,
+  password-locked `claude` user (in the `docker` group for Molecule; **no local sudo** —
+  boma deploys reach the fleet over SSH as the `ansible` user, not via local root). It is
+  reached via `sudo -iu claude` or its own SSH key. The rationale is **attribution +
+  revocation, not containment**: auditd/Loki (ADR-018) can separate human from agent
+  actions, and the account/key can be revoked without touching the operator's access.
+  (ADR-021 left the on-`ubongo` agent identity unspecified; this records it.)
+- **Disk encryption:** `ubongo`'s SSD is **not encrypted at rest** — the SanDisk X600 is
+  TCG-Opal-capable but Opal is unused. This is an accepted risk recorded in
+  `docs/security/accepted-risks.md` (control-node disk not encrypted at rest),
+  compensated by physical security, a BIOS supervisor password, and disabled
+  external/USB boot.
 
 ### Recovery model
 
@@ -100,8 +116,9 @@ Vaultwarden master password. Mirroring Vaultwarden onto `ubongo` is rejected: it
 would make the control node run a service (against its remit) and still need that
 master password.
 
-> verified: rbw offline-cache decryption · TO VERIFY before relying on the recovery
-> model · rbw docs · (ADR-014, security-relevant — confirm during build)
+> verified: rbw offline-cache decryption · rbw 1.15.0 on ubongo · with the Vaultwarden
+> host blocked, `rbw sync` failed but `rbw get` decrypted the cached vault offline ·
+> 2026-06-11
 
 ## Consequences
 
@@ -121,8 +138,9 @@ master password.
    exploratory service-UI verification (`/verify-service`, ADR-008 Level 4), against
    staging with test users in Authentik. Design + skill + standards complete; running
    deferred on the stack.
-3. **`rbw` offline-cache verification** — still open: confirm offline decryption before
-   relying on it (ADR-014).
+3. **`rbw` offline-cache verification — RESOLVED (2026-06-11 build):** confirmed offline
+   cache decryption on rbw 1.15.0 — `rbw sync` fails with Vaultwarden unreachable while
+   `rbw get` still decrypts from the local cache (ADR-014).
 
 ## What was ruled out
 

docs/hardware/reference.md

@@ -19,12 +19,13 @@
 - **Notes:** _warranty, quirks_
 
 ### ubongo (control node — outside the cluster)
-- **Model / form factor:** _TBD (x86-64 mini-PC / USFF, e.g. N100 or refurb micro)_
-- **CPU:** _TBD (target 4 cores, x86-64)_
-- **RAM:** _TBD (target 16 GB)_
-- **Storage:** 1 TB NVMe (ThinkCentre M70q Tiny; i3-10100T, 16 GB) — over-spec for Tier-1 restore-verify (ADR-022)
-- **NICs:** _wired GbE_
-- **Notes:** _always-on; control plane + AI-worker + local test runner (ADR-015); not a Proxmox guest_
+- **Model / form factor:** Lenovo ThinkCentre M70q Tiny (machine type 11DUS7XP00); 1-litre tiny/USFF
+- **CPU:** Intel Core i3-10100T — 4 cores / 8 threads, 35 W TDP
+- **RAM:** 16 GB DDR4-3200 (2×8 GB SODIMM)
+- **Storage:** 256 GB SanDisk X600 SATA 2.5" SSD (model SD9TB8W256G1001; TCG Opal-capable, Opal unused — no disk encryption)
+- **NICs:** wired GbE, interface eno1, MAC 88:a4:c2:e0:ee:da
+- **BIOS:** Lenovo M2WKT5AA (2023-06-20)
+- **Notes:** always-on; control plane + AI-worker (dedicated `claude` user) + local test runner (Molecule/Docker) per ADR-015; not a Proxmox guest; remote access currently LAN SSH only (mesh deferred)
 
 ### fisi (backup node — outside the cluster; provisional)
 - **Model / form factor:** HP Elite 600 G9 (tower)
@@ -64,7 +65,7 @@ Physical totals per node. Integers; `ram_gb` and `disk_gb` may be decimals.
 |------|-------|--------|---------|
 | pve0 | 20    | 64     | 4000    |
 | pve1 | 20    | 64     | 4000    |
-| ubongo | 4   | 16     | 1000    |
+| ubongo | 4   | 16     | 250     |
 | fisi   | 4   | 16     | 8000    |
 
 ## 5. Capacity notes

docs/runbooks/rotate-secrets.md

@@ -46,8 +46,9 @@ entries it has already synced. The recovery design therefore requires:
 There is always exactly one irreducible offline root secret; here it is the
 Vaultwarden master password. Keep it recoverable without the cluster.
 
-> **To verify (ADR-014, security-relevant):** confirm `rbw` actually decrypts its
-> local cache fully offline on your pinned `rbw` version before relying on this.
+> **Verified (2026-06-11, ADR-014):** confirmed on `ubongo` with rbw 1.15.0 — with
+> the Vaultwarden host unreachable, `rbw sync` fails but `rbw get boma-ansible-vault`
+> still decrypts from the local cache. Re-verify after an `rbw` major-version bump.
 
 ---
 

docs/security/accepted-risks.md

@@ -17,8 +17,9 @@ revisit (trigger).
 | R2 | **SELinux not used** — no SELinux mandatory access control | AppArmor — Debian-native and enforced via the CIS baseline — already provides MAC; adding SELinux means two MAC systems, non-native to Debian, for no real gain | A service that ships and requires its own SELinux policy; threat model shifts toward targeted attackers |
 | R3 | **Self-hosted mesh control plane is a public target on `askari`** — the NetBird coordinator (ADR-016) exposes a management API + dashboard (TCP 80/443) and Coturn (UDP 3478) on `askari`'s public IP; the management API controls the whole mesh | Self-hosting means **no third-party trust** and an off-site control plane that survives a homelab outage (boma's sovereignty ethos). Residual surface is on `askari` (already a public VPS) and is mitigated: TLS + embedded-IdP login, source-IP restriction where practical, `base` hardening, version-pinned NetBird (ADR-011) patched on boma's cadence | A coordinator compromise or unpatched NetBird CVE; the management plane is reachable without auth/IP-limits; the operational burden makes a hosted coordinator worth reconsidering |
 | R4 | **No cryptographic WORM for logs** — shipped logs are append-only via Loki's push API and copied off-site to `askari` (ADR-018), but the stored chunks are not object-locked/immutable; a root-on-`askari` attacker could edit history | Append-only push + off-site copy already defeats the realistic threat (a host attacker covering tracks survives even full-cluster compromise). True WORM (object-lock) is forensic-grade cost for boma's opportunistic threat model (R1) | Threat model shifts toward targeted/forensic; a regulatory/evidentiary need appears; `askari` itself is assessed as a likely target |
+| R5 | **No disk encryption on `ubongo`** — the control node's SSD (SanDisk X600 256 GB, TCG-Opal-capable but Opal unused) is unencrypted at rest, so it holds recovery-critical secrets in plaintext: the Ansible Vault password's `rbw` local cache and (future) Terraform state. Physical theft of the box would expose them | `ubongo` is always-on in a physically controlled location; compensating controls are a **BIOS supervisor password** and **disabled external/USB + PXE boot** (an attacker cannot trivially boot another OS to read the disk), and the offline-recoverable design means the irreducible root secret (Vaultwarden master password) is never stored on the box anyway. Full-disk encryption was weighed against the always-on/unattended-reboot requirement (LUKS+TPM auto-unlock or passphrase) and deferred for simplicity at this trust level | `ubongo` is relocated to a less-trusted physical location; the box starts holding additional high-value secrets; or a reinstall onto LUKS (TPM-sealed) is undertaken |
 
-_Last reviewed: 2026-06-06. The prior gaps (full CIS hardening, SELinux/AppArmor,
+_Last reviewed: 2026-06-11. The prior gaps (full CIS hardening, SELinux/AppArmor,
 IDS) were re-challenged and **adopted rather than accepted**: CIS Debian L1+L2 + CIS
 Docker, AppArmor (enforce), AIDE file-integrity, and Suricata network IDS are now
 part of the security strategy (ADR-002). See STATUS.md / `docs/TODO.md` for build

docs/superpowers/plans/2026-06-11-ubongo-build.md

@@ -0,0 +1,150 @@
+# Ubongo Physical Build — Implementation Plan
+
+> **For agentic workers:** Execute task-by-task. This is the **physical bring-up** of
+> `ubongo`. The 2026-06-05 plan (`2026-06-05-ubongo-control-host.md`) was
+> *documentation-only* (it authored ADR-015); this is its sequel — taking the actual
+> box from bare Debian 13 to a working control / AI-worker node.
+
+**Goal:** Bring the Lenovo ThinkCentre M70q from a fresh Debian 13 install to a working
+control node: toolchain, dedicated `claude` identity, repo + Claude Code, vault access,
+inventory wiring, keys-only SSH, and reconciliation of the docs to "built."
+
+**Spec / decisions of record:** ADR-015 + `docs/superpowers/specs/2026-06-05-ubongo-control-host-design.md`,
+plus the interactive build decisions captured below (2026-06-11 session).
+
+---
+
+## Decisions made this session (2026-06-11)
+
+- **Hardware:** Lenovo ThinkCentre M70q Tiny · i3-10100T (4c/8t) · 16 GB · 256 GB
+  SanDisk X600 SATA SSD (TCG **Opal**-capable; Opal **unused**, see encryption).
+- **BIOS:** auto-power-on after loss; Wake-on-LAN on; ErP/deep-S5 off; **supervisor
+  password set**; external/USB + PXE boot **disabled**; Secure Boot on; TPM (PTT) on;
+  VT-x/VT-d on; Better-Thermal cooling.
+- **Disk encryption: NONE.** Accepted risk — compensated by physical security + BIOS
+  supervisor password + disabled external boot. Recorded in `accepted-risks.md` (Task H1).
+- **Partitioning:** simple single ext4 root (`/dev/sda2`, 221 G) + 12 G swap, no LVM.
+  Revisit via reinstall onto LVM/bigger drive only if the layout bites.
+- **Identity:** dedicated **`claude`** user — for **attribution + revocation, not
+  containment**. In the `docker` group (Molecule); **no local sudo** (boma deploys run
+  over SSH as `ansible`; the agent needs Docker, not root). Reached via `sudo -iu claude`
+  from `sjat`. Own `ed25519` key for Forgejo. ADR-021 leaves this identity open — note it.
+- **Access:** LAN SSH only for now — the NetBird mesh (ADR-016) is deferred (`askari` +
+  service machinery unbuilt). Keys-only enforced after bootstrap.
+- **Address:** `10.20.10.151/24` on `eno1`. Make stable via an OPNsense DHCP reservation.
+
+**Pinned versions (match `fisi`):** docker 29.5.2 · rbw 1.15.0 · node 20.19.2 ·
+claude 2.1.173. Terraform is absent on `fisi` (TF un-init'd) — install deferred.
+
+---
+
+## Pre-flight
+
+- **Temp passwordless sudo** for `sjat` during the build (`/etc/sudoers.d/99-boma-build`);
+  **removed in Task F2**. Without it, non-interactive SSH `sudo` hangs.
+- **`rbw unlock`** on `fisi` before any commit (pre-commit decrypts `vault.yml`).
+- **Commit style:** one commit per logical unit; imperative subject ≤72 chars; trailer
+  `Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>`.
+- Drive the live box (`ubongo`) directly over SSH; do repo/doc tasks (H) as clean commits.
+
+---
+
+## Stage A — Toolchain (on `ubongo`, via `sjat` sudo)
+
+- [ ] **A1.** apt base: `git make build-essential python3-venv python3-pip curl
+  ca-certificates gnupg jq` (+ `apt update`).
+- [ ] **A2.** Docker Engine from Docker's official apt repo (Debian 13/trixie); enable +
+  start; confirm `docker --version` ≈ 29.5.2.
+- [ ] **A3.** `rbw` 1.15.0 — try `apt install rbw`; if the version doesn't match, install
+  the pinned release binary to `/usr/local/bin` (match `fisi`).
+- [ ] **A4.** Node 20.19.2 (nodesource or distro) — only if Claude Code needs it; the
+  native installer bundles its runtime, so Node may be optional.
+- [ ] **A5.** Claude Code via the **native installer** (matches `fisi`'s
+  `~/.local/share/claude/versions/`), installed under the `claude` user in Stage C.
+- [ ] Defer Terraform (absent on `fisi`).
+
+## Stage B — Identity (`claude` user)
+
+- [ ] **B1.** `useradd -m -s /bin/bash claude`; lock the password (`passwd -l claude`) —
+  reached only via `sudo -iu claude` from `sjat` or its own key.
+- [ ] **B2.** Add `claude` to the `docker` group.
+- [ ] **B3.** No sudo for `claude` (explicit decision). Confirm `sudo -iu claude` works.
+
+## Stage C — Repo + Claude Code (as `claude`)
+
+- [ ] **C1.** Generate `claude`'s `ed25519` key; **[USER]** register the public key in
+  Forgejo (Settings → SSH keys).
+- [ ] **C2.** Clone `ssh://git@forgejo.nyumbani.baobab.band:7577/sjat/boma.git` into
+  `/home/claude/Projects/boma`.
+- [ ] **C3.** `make setup` (venv + `requirements.txt`); `make collections`.
+- [ ] **C4.** Install Claude Code (native installer) for `claude`; set up plugins/MCP/
+  settings per `docs/runbooks/claude-code-setup.md`. Set git `user.name`/`user.email`.
+
+## Stage D — Vault (`rbw`)
+
+- [ ] **D1.** `rbw config set base_url https://vaultwarden.baobab.band`; set email.
+- [ ] **D2. [USER]** `rbw login` (master password) on `ubongo`; then `rbw sync`,
+  `rbw unlock`; verify `rbw get boma-ansible-vault` returns the vault password.
+- [ ] **D3.** **Offline-cache verification (ADR-015 open item, security-relevant):**
+  confirm `rbw` decrypts its local cache with Vaultwarden unreachable. Stamp the result
+  into ADR-015 / `rotate-secrets.md` (replaces the `TO VERIFY` note).
+
+## Stage E — Inventory + base (partial)
+
+- [ ] **E1.** Add `ubongo` to `inventories/production/hosts.yml` under `control`
+  (manual exception; note `tf-inventory` will overwrite — re-add after).
+- [ ] **E2.** Set `base__firewall_control_addr` to `10.20.10.151` in the appropriate
+  `group_vars` (the dormant `ssh-from-control` knob, ADR-020/021).
+- [ ] **E3.** `make check PLAYBOOK=site` against `control`; apply the built `firewall`
+  concern only (SSH-hardening/fail2ban/auditd concerns are unbuilt — note the gap).
+
+## Stage F — Hardening / address
+
+- [ ] **F1.** Disable SSH password auth (keys-only) via `/etc/ssh/sshd_config.d/`;
+  `PermitRootLogin no`; reload `sshd` (we're on a key, so safe).
+- [ ] **F2.** **Remove the temp NOPASSWD** drop-in (`/etc/sudoers.d/99-boma-build`).
+- [ ] **F3. [USER]** OPNsense DHCP reservation for `10.20.10.151`.
+
+## Stage H — Docs reconciliation (repo commits)
+
+- [ ] **H1.** `accepted-risks.md`: add the plaintext-disk accepted risk (compensations:
+  physical security, BIOS supervisor password, no external boot).
+- [ ] **H2.** `docs/hardware/reference.md`: fill `ubongo`'s real specs (M70q, i3-10100T,
+  16 GB, 256 GB SanDisk X600) into the TBD skeleton; node-capacity row already present.
+- [ ] **H3.** `STATUS.md`: move `ubongo` from "Designed but not built" toward built
+  (note what's live vs. still pending — mesh, full `base`).
+- [ ] **H4.** Note the dedicated-`claude` identity decision (short amendment to ADR-021
+  or ADR-015) and the LAN address.
+
+---
+
+## Out of scope this session
+
+- **Mesh VPN** (NetBird) — needs `askari` + service roles (ADR-016). SSH stays LAN-only.
+- **Full `base` hardening** — SSH/fail2ban/auditd concerns not built (only `firewall`).
+- **Recovery wiring (G)** — TF-state backup to `mamba`, rbw mirror — no TF state yet
+  (TF un-init'd). `mamba` as break-glass clone tracked separately.
+
+---
+
+## Outcome (2026-06-11)
+
+`STATUS.md` is the live source of truth; this is the session record.
+
+**Done:** A (toolchain — Docker 29.5.3, rbw 1.15.0, Claude Code 2.1.173; Node deferred),
+B (dedicated `claude` user — docker group, no sudo), C (repo cloned, `make setup` +
+`collections`, git identity; plugins install on first interactive launch), D (vault via
+rbw + **offline-cache decryption verified**), E1/E2 (inventory + `ssh-from-control`
+knob), F1 (key-only SSH), F2 (temp NOPASSWD removed), H1–H4 (docs reconciled).
+
+**Deferred, with reason:**
+- **E3 — apply `base` to `ubongo`:** would push nftables default-deny with SSH allowed
+  *only on the mesh interface*, but no mesh exists yet → would deny inbound SSH on `eno1`
+  and strand the box. Wait for NetBird (ADR-016). `base` is also firewall-concern-only.
+- **F3 — OPNsense DHCP reservation** for `10.20.10.151` (MAC `88:a4:c2:e0:ee:da`): operator action.
+- **Mesh enrollment, full `base` hardening, recovery wiring (G):** out of scope (above).
+
+**Follow-ups flagged:** (1) `ubongo` sits in `10.20.10.0/24`, which doesn't match
+ADR-007's zone map (`srv: 10.20.0.0/24`) — network-design drift to reconcile. (2) The
+hardware reference previously assumed `ubongo` had 1 TB NVMe for an ADR-022 "restore-verify"
+role; the real disk is 256 GB — check ADR-022 doesn't bank on the larger size.

inventories/production/group_vars/all/vars.yml

@@ -36,3 +36,6 @@ services__base_dir: /opt/services
 
 # Unattended upgrades — security patches only
 base__unattended_upgrades_enabled: true
+
+# Management plane — activates the dormant ssh-from-control firewall rule
+base__firewall_control_addr: "10.20.10.151"  # ubongo (control node) LAN address — ADR-021 ssh-from-control source

inventories/production/hosts.yml

@@ -7,7 +7,9 @@
 all:
   children:
     control:
-      hosts: {}
+      hosts:
+        ubongo:
+          ansible_host: 10.20.10.151
     docker_hosts:
       hosts: {}
     proxmox_hosts: