boma/docs/decisions
sjat 3b029352b6 Add per-service SECURITY.md convention; one role per service
Revise ADR-004 to a service-role standard: every service is its own
self-contained role with a required file set including SECURITY.md, uniform
deploy mechanics, and a deferred shared-engine option (with revisit trigger)
recorded in the ADR.

Add the per-service security record:
- docs/security/service-security-template.md — canonical SECURITY.md template
  (exposure, checklist status, service-specific hardening, residual risks)
- roles/<service>/SECURITY.md is where each service records how it meets the bar;
  /security-review aggregates roles/*/SECURITY.md and cross-checks against config
- service-checklist.md noted as the generic bar the record answers

Wire-up: new-role runbook step writes SECURITY.md from the template; ADR-002
governance bullet points at it; CLAUDE.md role conventions require it and mandate
one-role-per-service; STATUS records the convention as defined-not-yet-applied.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 16:09:33 +02:00
..
001-architecture.md Reconcile CI to trunk-based; mark base/docker_host not-built (R6-R8,R15-R16) 2026-05-30 19:32:37 +02:00
002-security.md Add per-service SECURITY.md convention; one role per service 2026-06-04 16:09:33 +02:00
003-toolchain.md Reconcile CI to trunk-based; mark base/docker_host not-built (R6-R8,R15-R16) 2026-05-30 19:32:37 +02:00
004-docker-model.md Add per-service SECURITY.md convention; one role per service 2026-06-04 16:09:33 +02:00
005-bootstrapping.md Purge residual .vault_pass references (review R1-R5) 2026-05-30 19:17:25 +02:00
006-terraform.md Use local Terraform state; drop unworkable Forgejo HTTP backend (R10b) 2026-05-30 21:34:05 +02:00
007-network.md Correct Forgejo host to forgejo.nyumbani.baobab.band 2026-05-30 18:16:38 +02:00
008-testing.md Fix Forgejo registry path to owner/image format (review R10a) 2026-05-30 21:34:02 +02:00
009-provisioning-handoff.md Correct Forgejo host to forgejo.nyumbani.baobab.band 2026-05-30 18:16:38 +02:00
010-forgejo-ci.md Record the Vaultwarden item name for the Forgejo token in ADR-010 2026-05-30 21:35:24 +02:00
012-hardware-capacity.md Note latest.md report mirror in ADR-012 2026-06-01 10:40:16 +02:00