boma/docs/superpowers/specs
sjat 24a1d909c9 docs(spec): mesh-hardening 2/3 — ubongo INPUT-only default-deny
Sub-project 2 of the mesh-hardening follow-on (the post-incident roadmap
ordering puts ubongo first). Harden the control node's inbound surface via
base's nftables firewall as INPUT-only default-deny: the forward chain stays
permissive (new base__firewall_input_only knob) so Docker egress + the
libvirt-NAT integration harness keep working, and there is no sshd ListenAddress
change — sidestepping the ip_nonlocal_bind boot-race that sank askari. SSH
allowed from wt0, ssh-from-control (Ansible self), and mamba on the LAN (new
base__firewall_admin_addrs). Harness-validated before an operator-supervised
cutover; the physical console is the permanent break-glass.

Design maps to the four relevant 2026-06-17 incident lessons (FRICTION signals
1/2/3/6).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 09:12:58 +02:00
..
2026-06-01-hardware-capacity-design.md Add hardware reference & capacity-evaluation design spec 2026-06-01 09:59:16 +02:00
2026-06-05-logging-log-integrity-design.md Add design spec for logging + log integrity (ship all to Loki) 2026-06-05 22:03:31 +02:00
2026-06-05-mesh-vpn-netbird-design.md Add design spec for mesh VPN (NetBird self-hosted on askari) 2026-06-05 10:58:35 +02:00
2026-06-05-service-ui-verification-design.md Add design spec for service-UI verification (ADR-008 Level 4) 2026-06-05 13:05:11 +02:00
2026-06-05-ubongo-control-host-design.md Add design spec for ubongo control/AI-worker host 2026-06-05 09:19:02 +02:00
2026-06-06-firewall-strategy-design.md docs(spec): firewall strategy design (TODO 3.5 → ADR-020) 2026-06-06 15:36:24 +02:00
2026-06-06-host-nftables-firewall-design.md docs(spec): host nftables firewall design (ADR-020 build #1) 2026-06-06 18:40:50 +02:00
2026-06-06-tagging-strategy-design.md docs(spec): tagging standard design (TODO 3.7/3.11 → ADR-019) 2026-06-06 09:15:44 +02:00
2026-06-09-operational-access-design.md docs(access): design operational-access doctrine (ADR-021) 2026-06-09 17:10:54 +02:00
2026-06-10-adr-structure-design.md docs(adr): add Proposed lifecycle state; mark ADR-011 Proposed 2026-06-10 14:48:55 +02:00
2026-06-10-backup-strategy-design.md docs(backup): final-review fixes — stateless BACKUP.md, dump-step wording, spec sync 2026-06-10 11:32:06 +02:00
2026-06-11-public-dns-gandi-migration-design.md docs(spec): note project (boma) vs domain (wingu.me) in the naming scheme 2026-06-14 09:47:13 +02:00
2026-06-14-askari-provisioning-design.md docs(spec): M2 — provision askari via Terraform + Hetzner Cloud 2026-06-14 10:12:10 +02:00
2026-06-14-base-ssh-fail2ban-m3-design.md docs(spec,plan): M3 — base ssh hardening + fail2ban 2026-06-14 16:38:38 +02:00
2026-06-14-kaizen-command-design.md docs(spec): /kaizen — kaizen-loop command (TODO 11) 2026-06-14 21:05:09 +02:00
2026-06-14-netbird-coordinator-m4-design.md docs(spec): M4 — NetBird coordinator on askari + Caddy reverse proxy 2026-06-14 17:19:21 +02:00
2026-06-17-m5-mesh-enrollment-design.md docs(spec): M5 mesh-enrollment design (reachability-only) 2026-06-17 15:44:13 +02:00
2026-06-17-mesh-hardening-askari-ssh-wt0-design.md docs(spec): mesh-hardening 1/3 — move askari SSH onto wt0 2026-06-17 20:15:12 +02:00
2026-06-18-local-vm-integration-testing-design.md docs(spec): design local VM integration testing on ubongo (2.4) 2026-06-18 11:35:51 +02:00
2026-06-19-mesh-hardening-ubongo-default-deny-design.md docs(spec): mesh-hardening 2/3 — ubongo INPUT-only default-deny 2026-06-19 09:12:58 +02:00