boma/docs
sjat f338bccd46 Expand ADR-002 into a security baseline + strategy
Add a managerial security frame on top of the host baseline: explicit threat
model (opportunistic external, lateral movement/blast radius, operator/agent
error; supply chain accepted-lower-priority), security principles, and four
governance mechanisms that ADR-002 establishes and links out to:

- docs/security/service-checklist.md — per-service security bar (referenced
  from the new-role runbook)
- docs/security/accepted-risks.md — living accepted-risk register (R1-R4)
- planned /security-review skill (TODO 8.5)
- agent guardrails in CLAUDE.md "what Claude must not do"

STATUS.md records the frame as present (manual enforcement) and /security-review
as planned-not-built.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 14:39:51 +02:00
..
decisions Expand ADR-002 into a security baseline + strategy 2026-06-04 14:39:51 +02:00
hardware Add hardware reference doc skeleton + reviews dir 2026-06-01 10:14:53 +02:00
reviews review-repo: harden scanner, apply safe fixes, record first review 2026-05-30 19:10:58 +02:00
runbooks Expand ADR-002 into a security baseline + strategy 2026-06-04 14:39:51 +02:00
security Expand ADR-002 into a security baseline + strategy 2026-06-04 14:39:51 +02:00
superpowers Add implementation plan for hardware capacity tooling 2026-06-01 10:04:59 +02:00
FRICTION.md Log Forgejo no-PR-workflow friction in FRICTION.md 2026-06-01 11:22:26 +02:00
README.md Add architecture decision records and runbooks 2026-05-30 14:10:01 +02:00
TODO.md Expand ADR-002 into a security baseline + strategy 2026-06-04 14:39:51 +02:00

docs/

Project documentation.

  • decisions/ — Architecture Decision Records (ADRs): the "why" behind the design. Numbered from 001; each records context, the decision, and what was ruled out.
  • runbooks/ — step-by-step operational procedures (add a host, add a role, rotate secrets).

For what is actually built vs only designed, see STATUS.md at the repo root — the ADRs describe intent, not necessarily current reality.