boma/docs/security
sjat cc772ff845 docs(adr/security): record claude NOPASSWD sudo model (ADR-015 amend + R7)
The integration-testing shakedown reversed ADR-015's "no local sudo" sub-decision:
the claude AI-worker now has NOPASSWD:ALL sudo on ubongo — without it, virsh,
nft, and journalctl all block during VM diagnosis. Compensating controls:
password-locked account, auditd/Loki attribution, repo-managed revocable drop-in.

ADR-015: dated amendment note in Status + expanded AI-worker identity section.
ADR-021: new §Sudo model (amendment 2026-06-18) — claude=NOPASSWD, sjat=password
required; former sjat NOPASSWD drop-in removed 2026-06-18 (least-privilege cleanup).
accepted-risks.md: R7 added (claude NOPASSWD:ALL on ubongo); last-reviewed updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 21:39:20 +02:00
accepted-risks.md docs(adr/security): record claude NOPASSWD sudo model (ADR-015 amend + R7) 2026-06-18 21:39:20 +02:00
service-checklist.md docs(backup): gate BACKUP.md in service checklist (ADR-022) 2026-06-10 11:20:55 +02:00
service-security-template.md Add per-service SECURITY.md convention; one role per service 2026-06-04 16:09:33 +02:00