boma/docs/superpowers/specs
sjat a178729587 docs(spec): mesh-hardening redesign — askari wt0-primary + WAN break-glass
Redesign of the backed-out 2026-06-17 askari SSH->wt0 attempt. Mirrors the proven ubongo 2/3 pattern (INPUT-only default-deny, SSH scoped by iifname wt0, no sshd ListenAddress change -> no boot-race) and adds the coordinator-host exception the incident demanded: a permanent non-mesh break-glass (WAN :22 from ubongo's static WAN IP + the Hetzner console), WAN :22 deliberately left open. Folds in the netbird_coordinator geo-DB robustness fix (FRICTION #4) so a transient egress blip can't FATAL the control plane. Harness-GREEN gate before a supervised live cutover.

Operator decision (2026-06-19): do this redesign first, then a separate sub-project to reduce askari's SPOF role.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-19 16:25:26 +02:00
..
2026-06-01-hardware-capacity-design.md Add hardware reference & capacity-evaluation design spec 2026-06-01 09:59:16 +02:00
2026-06-05-logging-log-integrity-design.md Add design spec for logging + log integrity (ship all to Loki) 2026-06-05 22:03:31 +02:00
2026-06-05-mesh-vpn-netbird-design.md Add design spec for mesh VPN (NetBird self-hosted on askari) 2026-06-05 10:58:35 +02:00
2026-06-05-service-ui-verification-design.md Add design spec for service-UI verification (ADR-008 Level 4) 2026-06-05 13:05:11 +02:00
2026-06-05-ubongo-control-host-design.md Add design spec for ubongo control/AI-worker host 2026-06-05 09:19:02 +02:00
2026-06-06-firewall-strategy-design.md docs(spec): firewall strategy design (TODO 3.5 → ADR-020) 2026-06-06 15:36:24 +02:00
2026-06-06-host-nftables-firewall-design.md docs(spec): host nftables firewall design (ADR-020 build #1) 2026-06-06 18:40:50 +02:00
2026-06-06-tagging-strategy-design.md docs(spec): tagging standard design (TODO 3.7/3.11 → ADR-019) 2026-06-06 09:15:44 +02:00
2026-06-09-operational-access-design.md docs(access): design operational-access doctrine (ADR-021) 2026-06-09 17:10:54 +02:00
2026-06-10-adr-structure-design.md docs(adr): add Proposed lifecycle state; mark ADR-011 Proposed 2026-06-10 14:48:55 +02:00
2026-06-10-backup-strategy-design.md docs(backup): final-review fixes — stateless BACKUP.md, dump-step wording, spec sync 2026-06-10 11:32:06 +02:00
2026-06-11-public-dns-gandi-migration-design.md docs(spec): note project (boma) vs domain (wingu.me) in the naming scheme 2026-06-14 09:47:13 +02:00
2026-06-14-askari-provisioning-design.md docs(spec): M2 — provision askari via Terraform + Hetzner Cloud 2026-06-14 10:12:10 +02:00
2026-06-14-base-ssh-fail2ban-m3-design.md docs(spec,plan): M3 — base ssh hardening + fail2ban 2026-06-14 16:38:38 +02:00
2026-06-14-kaizen-command-design.md docs(spec): /kaizen — kaizen-loop command (TODO 11) 2026-06-14 21:05:09 +02:00
2026-06-14-netbird-coordinator-m4-design.md docs(spec): M4 — NetBird coordinator on askari + Caddy reverse proxy 2026-06-14 17:19:21 +02:00
2026-06-17-m5-mesh-enrollment-design.md docs(spec): M5 mesh-enrollment design (reachability-only) 2026-06-17 15:44:13 +02:00
2026-06-17-mesh-hardening-askari-ssh-wt0-design.md docs(spec): mesh-hardening 1/3 — move askari SSH onto wt0 2026-06-17 20:15:12 +02:00
2026-06-18-local-vm-integration-testing-design.md docs(spec): design local VM integration testing on ubongo (2.4) 2026-06-18 11:35:51 +02:00
2026-06-19-mesh-hardening-askari-redesign-design.md docs(spec): mesh-hardening redesign — askari wt0-primary + WAN break-glass 2026-06-19 16:25:26 +02:00
2026-06-19-mesh-hardening-ubongo-default-deny-design.md docs: ubongo admin-addrs add 10.20.10.17 + flag raw-lease follow-up 2026-06-19 09:26:04 +02:00