Add a managerial security frame on top of the host baseline: explicit threat model (opportunistic external, lateral movement/blast radius, operator/agent error; supply chain accepted-lower-priority), security principles, and four governance mechanisms that ADR-002 establishes and links out to: - docs/security/service-checklist.md — per-service security bar (referenced from the new-role runbook) - docs/security/accepted-risks.md — living accepted-risk register (R1-R4) - planned /security-review skill (TODO 8.5) - agent guardrails in CLAUDE.md "what Claude must not do" STATUS.md records the frame as present (manual enforcement) and /security-review as planned-not-built. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| 001-architecture.md | ||
| 002-security.md | ||
| 003-toolchain.md | ||
| 004-docker-model.md | ||
| 005-bootstrapping.md | ||
| 006-terraform.md | ||
| 007-network.md | ||
| 008-testing.md | ||
| 009-provisioning-handoff.md | ||
| 010-forgejo-ci.md | ||
| 012-hardware-capacity.md | ||