diff --git a/docs/superpowers/plans/2026-05-15-deployment-responsibility.md b/docs/superpowers/plans/2026-05-15-deployment-responsibility.md new file mode 100644 index 0000000..95ff13f --- /dev/null +++ b/docs/superpowers/plans/2026-05-15-deployment-responsibility.md @@ -0,0 +1,1135 @@ +# Deployment Responsibility Implementation Plan + +> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. + +**Goal:** Make `left4me/deploy/` the single source of truth for static application-shape deployment artifacts (hardening drop-ins, sudoers, sysctl, helpers). ckn-bw delivers them via target-side symlinks into the (root-owned) `/opt/left4me/src/deploy/...` checkout. + +**Architecture:** Five independent landable migration steps. Sysctl consolidation is the canary that validates the symlink mechanism end-to-end before higher-stakes artifacts (hardening, sudoers, scripts) follow. Base systemd unit bodies + slice CPU pinning stay bw-managed; only static drop-ins and stand-alone files move. Each step touches both repos (left4me + ckn-bw) and is verified on `ovh.left4me` via `bw apply` + on-host inspection. + +**Tech Stack:** bundlewrap (`bw apply`, `symlinks{}`/`files{}` item types), systemd (`systemctl daemon-reload`, drop-ins), sysctl (`sysctl --system`), Python (pytest, ckn-bw items.py + metadata.py), git. + +**Spec:** `docs/superpowers/specs/2026-05-15-deployment-responsibility-design.md`. Reread it before starting if anything below is ambiguous. + +--- + +## Preflight + +- [ ] **Step 0.1: Confirm prereq landed.** + +```bash +ssh root@ovh.left4me 'stat -c "%U:%G %a %n" /opt/left4me/src /var/lib/left4me/.venv /var/lib/left4me/steam' +``` + +Expected: `/opt/left4me/src` is `root:root 755`; `.venv` and `steam` are `left4me:left4me`. If not, stop — the runtime-state relocation (`2026-05-15-runtime-state-relocation-design.md`) hasn't landed and target-side symlinks won't be safe. + +- [ ] **Step 0.2: Capture baseline state. Save the output to `/tmp/preflight-baseline.txt` for cross-checking later.** + +```bash +ssh root@ovh.left4me ' + echo "=== sysctl ===" + sysctl kernel.yama.ptrace_scope net.core.rmem_max net.ipv4.tcp_congestion_control + echo "=== left4me-web hardening (selected) ===" + systemctl show -p ProtectSystem,ProtectHome,PrivateTmp,ProtectProc,SystemCallArchitectures,SystemCallFilter left4me-web.service + echo "=== left4me-server@ hardening (selected, instance 1) ===" + systemctl show -p ProtectSystem,PrivateUsers,PrivatePIDs,NoNewPrivileges,CapabilityBoundingSet,SystemCallArchitectures left4me-server@1.service 2>/dev/null || echo "(no instance 1 running; use any active instance or the unit-file value via systemctl cat)" + echo "=== sudo for left4me ===" + sudo -l -U left4me 2>&1 | head -30 +' +``` + +Save the output; you will diff against these values after each migration step. + +--- + +## Task 1: Sysctl canary — consolidate `99-left4me.conf` + symlink + +**Goal:** Move `kernel.yama.ptrace_scope` from ckn-bw metadata into the existing sysctl drop-in in left4me; replace the verbatim mirror in ckn-bw with a symlink item. Smallest possible change that validates the full mechanism (file content in left4me, symlink in ckn-bw, content propagates on `bw apply`, on-host kernel state matches). + +**Files:** +- Modify: `~/Projekte/left4me/deploy/files/etc/sysctl.d/99-left4me.conf` +- Modify: `~/Projekte/left4me/deploy/tests/test_example_units.py:182-198` +- Modify: `~/Projekte/ckn-bw/bundles/left4me/metadata.py:86-96` +- Modify: `~/Projekte/ckn-bw/bundles/left4me/items.py` (replace `files` entry, add `symlinks` block) +- Delete: `~/Projekte/ckn-bw/bundles/left4me/files/etc/sysctl.d/99-left4me.conf` + +### Steps + +- [ ] **Step 1.1: Append `ptrace_scope` to the sysctl drop-in in left4me.** + +Edit `deploy/files/etc/sysctl.d/99-left4me.conf`, append (preserving the trailing newline): + +``` +# Block ptrace except from CAP_SYS_PTRACE holders. Belt-and-braces with +# SystemCallFilter=~@debug + PrivateUsers=true in the gameserver unit. +# See docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md. +kernel.yama.ptrace_scope = 2 +``` + +- [ ] **Step 1.2: Update the left4me test to assert the new line.** + +In `deploy/tests/test_example_units.py:182-198`, add one entry to the tuple in `test_sysctl_conf_present_with_perf_settings`: + +```python +def test_sysctl_conf_present_with_perf_settings(): + assert SYSCTL_CONF.is_file() + text = SYSCTL_CONF.read_text() + for line in ( + "net.core.rmem_max = 8388608", + "net.core.wmem_max = 8388608", + "net.core.rmem_default = 524288", + "net.core.wmem_default = 524288", + "net.core.netdev_max_backlog = 5000", + "net.core.netdev_budget = 600", + "vm.swappiness = 10", + "net.ipv4.udp_rmem_min = 16384", + "net.ipv4.udp_wmem_min = 16384", + "net.core.default_qdisc = fq_codel", + "net.ipv4.tcp_congestion_control = bbr", + "kernel.yama.ptrace_scope = 2", + ): + assert line in text, f"missing {line!r} in 99-left4me.conf" +``` + +- [ ] **Step 1.3: Run the test and watch it pass.** + +```bash +cd ~/Projekte/left4me +pytest deploy/tests/test_example_units.py::test_sysctl_conf_present_with_perf_settings -v +``` + +Expected: PASS. + +- [ ] **Step 1.4: Commit the left4me side.** + +```bash +cd ~/Projekte/left4me +git add deploy/files/etc/sysctl.d/99-left4me.conf deploy/tests/test_example_units.py +git commit -m "deploy/sysctl: absorb kernel.yama.ptrace_scope into the drop-in + +Single source of truth for left4me sysctl tuning. The metadata entry +in ckn-bw (sysctl/kernel/yama/ptrace_scope) is removed in lockstep; +the live value is unchanged. + +Part of 2026-05-15-deployment-responsibility-design.md migration step 1 +(canary)." +git push +``` + +- [ ] **Step 1.5: Remove the metadata entry in ckn-bw.** + +In `~/Projekte/ckn-bw/bundles/left4me/metadata.py`, delete the `'sysctl'` block from `defaults` (lines ~86-96): + +```python +# DELETE THIS BLOCK: + 'sysctl': { + # Block ptrace except from CAP_SYS_PTRACE holders. Belt-and-braces + # with SystemCallFilter=~@debug + PrivateUsers=true in the gameserver + # unit. See: + # left4me docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md + 'kernel': { + 'yama': { + 'ptrace_scope': '2', + }, + }, + }, +``` + +- [ ] **Step 1.6: Replace the bw `files{}` entry with a `symlinks{}` entry in ckn-bw.** + +In `~/Projekte/ckn-bw/bundles/left4me/items.py`: + +(a) Find the `files` dict and **remove** the `'/etc/sysctl.d/99-left4me.conf'` entry: + +```python +# DELETE FROM `files = { ... }`: + '/etc/sysctl.d/99-left4me.conf': { + 'source': 'etc/sysctl.d/99-left4me.conf', + 'mode': '0644', + 'owner': 'root', + 'group': 'root', + 'triggers': [ + 'action:left4me_sysctl_reload', + ], + }, +``` + +(b) Add a new `symlinks` block (if one doesn't exist yet) near the `files` dict: + +```python +symlinks = { + '/etc/sysctl.d/99-left4me.conf': { + 'target': '/opt/left4me/src/deploy/files/etc/sysctl.d/99-left4me.conf', + 'owner': 'root', + 'group': 'root', + 'needs': [ + 'git_deploy:/opt/left4me/src', + ], + 'triggers': [ + 'action:left4me_sysctl_reload', + ], + }, +} +``` + +The `needs: git_deploy:/opt/left4me/src` is critical — without it bw may try to create the symlink before the checkout exists on a fresh host. + +- [ ] **Step 1.7: Delete the verbatim mirror.** + +```bash +cd ~/Projekte/ckn-bw +rm bundles/left4me/files/etc/sysctl.d/99-left4me.conf +rmdir bundles/left4me/files/etc/sysctl.d 2>/dev/null || true # if empty +``` + +- [ ] **Step 1.8: Run `bw test` to catch config errors locally.** + +```bash +cd ~/Projekte/ckn-bw +bw test +``` + +Expected: no errors for the left4me bundle. + +- [ ] **Step 1.9: Apply to the production host.** + +```bash +cd ~/Projekte/ckn-bw +bw apply ovh.left4me +``` + +Expected output: shows the file→symlink replacement (bw removes the file, creates the symlink), fires `left4me_sysctl_reload`. The `sysctl` bundle no longer emits a separate ptrace_scope file (the metadata entry is gone), so that file goes away too. Net new state: one symlink at `/etc/sysctl.d/99-left4me.conf` plus the kernel parameter set. + +- [ ] **Step 1.10: Verify on the host.** + +```bash +ssh root@ovh.left4me ' + echo "=== symlink ===" + ls -la /etc/sysctl.d/99-left4me.conf + echo "=== kernel value ===" + sysctl kernel.yama.ptrace_scope + echo "=== perf values still set ===" + sysctl net.core.rmem_max net.ipv4.tcp_congestion_control + echo "=== bw-generated ptrace_scope file is gone ===" + ls /etc/sysctl.d/ | grep -i yama || echo "(no yama files — good)" +' +``` + +Expected: +- `/etc/sysctl.d/99-left4me.conf` → `/opt/left4me/src/deploy/files/etc/sysctl.d/99-left4me.conf` symlink +- `kernel.yama.ptrace_scope = 2` +- `net.core.rmem_max = 8388608` and `net.ipv4.tcp_congestion_control = bbr` +- No separate ptrace-related file in `/etc/sysctl.d/` + +- [ ] **Step 1.11: Re-apply to confirm idempotent.** + +```bash +cd ~/Projekte/ckn-bw +bw apply ovh.left4me +``` + +Expected: `0 fixed, 0 failed`. No actions re-fire. + +- [ ] **Step 1.12: Commit ckn-bw side.** + +```bash +cd ~/Projekte/ckn-bw +git add bundles/left4me/metadata.py bundles/left4me/items.py +git add bundles/left4me/files/etc/sysctl.d/ # captures the deletion +git commit -m "left4me: symlink /etc/sysctl.d/99-left4me.conf to the checkout + +Sysctl drop-in lives in left4me/deploy/files/etc/sysctl.d/99-left4me.conf +(absorbed kernel.yama.ptrace_scope from the metadata entry). Deliver +via target-side symlink instead of a verbatim copy. + +Canary for the deployment-responsibility reshape (left4me design doc +2026-05-15-deployment-responsibility-design.md, step 1). Validated +end-to-end on ovh.left4me: symlink resolves to the checkout, +sysctl --system fires on apply, kernel value matches, idempotent." +``` + +--- + +## Task 2: Hardening drop-ins — extract from reactor, symlink in + +**Goal:** Extract `HARDENING_COMMON` / `HARDENING_SERVER` / `HARDENING_WEB` from ckn-bw's Python source into two `.conf` drop-in files in left4me. Reactor stops splatting hardening into the unit body. ckn-bw deploys the drop-ins via target-side symlinks. Reference units in `deploy/files/` lose their inline hardening (which moves into the drop-in files). + +This is the biggest task. It runs `systemctl daemon-reload` on apply and changes the live unit-level enforcement state of `left4me-web.service` and `left4me-server@.service`. Restart both after applying to ensure the new effective directives are in force. + +**Files:** +- Create: `~/Projekte/left4me/deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf` +- Create: `~/Projekte/left4me/deploy/files/etc/systemd/system/left4me-server@.service.d/10-hardening.conf` +- Modify: `~/Projekte/left4me/deploy/files/usr/local/lib/systemd/system/left4me-web.service` (strip hardening directives + comments; keep base-unit content) +- Modify: `~/Projekte/left4me/deploy/files/usr/local/lib/systemd/system/left4me-server@.service` (same) +- Modify: `~/Projekte/left4me/deploy/tests/test_example_units.py` (move hardening assertions to a new test for the drop-ins; remove from the unit-body tests) +- Modify: `~/Projekte/ckn-bw/bundles/left4me/metadata.py` (delete `HARDENING_*` constants; remove `**HARDENING_WEB` / `**HARDENING_SERVER` splats from the reactor) +- Modify: `~/Projekte/ckn-bw/bundles/left4me/items.py` (add `directory` items for the `.service.d/` dirs; add `symlinks` for the drop-ins) + +### Steps + +- [ ] **Step 2.1: Create the web drop-in in left4me.** + +Move the existing hardening directives + their per-directive comments out of `deploy/files/usr/local/lib/systemd/system/left4me-web.service` into a new file at `deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf`. The new file's `[Service]` section contains every directive currently between the per-directive comment block in the reference unit. Concretely: + +```ini +# Hardening drop-in for left4me-web.service. +# +# Source of truth: this file (in left4me/deploy/files/). ckn-bw deploys +# it to /etc/systemd/system/left4me-web.service.d/10-hardening.conf via a +# target-side symlink into the checkout. +# +# See docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md +# and 2026-05-15-hardening-test-plan.md for the threat model and the +# verification matrix. +# +# This unit is the web app; some sudo-incompatible directives are +# intentionally absent: +# NoNewPrivileges — blocks sudo's setuid escalation +# PrivateUsers — breaks sudo's host-root mapping +# RestrictSUIDSGID — blocks setuid()/setgid() +# CapabilityBoundingSet= — empty value would deny sudo's caps +# ~@privileged in SystemCallFilter — blocks sudo's setuid syscall +# All of those are unconditional on the gameserver unit (no sudo there). +[Service] +ProtectSystem=strict +ProtectHome=true +PrivateTmp=true +ProtectProc=invisible +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectClock=true +ProtectControlGroups=true +ProtectHostname=true +LockPersonality=true +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictNamespaces=true +RestrictRealtime=true +RemoveIPC=true +KeyringMode=private +UMask=0027 +``` + +(Confirm the exact directive list matches `HARDENING_COMMON` + the web-specific additions in ckn-bw's `metadata.py:131-210`. Any directive in `HARDENING_WEB` belongs here.) + +- [ ] **Step 2.2: Create the gameserver drop-in in left4me.** + +`deploy/files/etc/systemd/system/left4me-server@.service.d/10-hardening.conf`: + +```ini +# Hardening drop-in for left4me-server@.service. +# +# Source of truth: this file (in left4me/deploy/files/). ckn-bw deploys +# it to /etc/systemd/system/left4me-server@.service.d/10-hardening.conf +# via a target-side symlink into the checkout. +# +# Gameserver unit: full hardening profile. No sudo path inside; no +# sudo-incompatibility carve-outs. +[Service] +NoNewPrivileges=true +RestrictSUIDSGID=true +CapabilityBoundingSet= +AmbientCapabilities= +# srcds_linux is i386 (Source 2007 engine). Bare 'native' kills every +# 32-bit syscall and traps srcds_run in a respawn loop. +SystemCallArchitectures=native x86 +SystemCallFilter=@system-service +SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete @privileged +TemporaryFileSystem=/var/lib /etc /opt /home /root /srv /mnt /media +BindReadOnlyPaths=/var/lib/left4me/installation +BindReadOnlyPaths=/var/lib/left4me/overlays +BindReadOnlyPaths=/etc/left4me/host.env +BindReadOnlyPaths=/etc/ssl +BindReadOnlyPaths=/etc/ca-certificates +BindReadOnlyPaths=/etc/resolv.conf +BindReadOnlyPaths=/etc/nsswitch.conf +BindReadOnlyPaths=/etc/alternatives +BindPaths=/var/lib/left4me/runtime/%i +ProtectSystem=strict +ProtectHome=true +PrivateUsers=true +# PrivatePIDs is the test-plan amendment that closes D2.b: same-uid +# ProtectProc=invisible cannot hide gunicorn from srcds (both run as +# uid 980); a private PID namespace does. +PrivatePIDs=true +PrivateTmp=true +PrivateDevices=true +PrivateIPC=true +RestrictNamespaces=true +RestrictRealtime=true +ProtectProc=invisible +ProcSubset=pid +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectClock=true +ProtectControlGroups=true +ProtectHostname=true +LockPersonality=true +RemoveIPC=true +KeyringMode=private +UMask=0027 +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +# Lock srcds bindable sockets to the game port range. Hard-coded range +# because systemd directive variable substitution is uneven for +# SocketBindAllow. +SocketBindAllow=udp:27000-27999 +SocketBindAllow=tcp:27000-27999 +# MemoryDenyWriteExecute=true permanently excluded — Source engine i386 +# .so files have text relocations that need mprotect(W+X) during the +# dynamic linker's relocation pass. +``` + +(Same cross-check: the directive list must equal `HARDENING_SERVER` in ckn-bw `metadata.py`.) + +- [ ] **Step 2.3: Strip hardening from the reference unit files in left4me.** + +Edit `deploy/files/usr/local/lib/systemd/system/left4me-web.service` and `left4me-server@.service`. Remove every line that is now in the corresponding drop-in. Keep: +- `[Unit]` section as-is +- `[Service]` base-unit directives: `Type`, `User`, `Group`, `WorkingDirectory`, `Environment=`, `EnvironmentFile=`, `ExecStartPre=`, `ExecStart=`, `ExecStopPost=`, `Restart=`, `RestartSec=`, `ReadWritePaths=`, `Slice=`, `Nice=`, `IOSchedulingClass=`, `IOSchedulingPriority=`, `OOMScoreAdjust=`, `MemoryHigh=`, `MemoryMax=`, `TasksMax=`, `LimitNOFILE=`, `KillSignal=`, `TimeoutStopSec=`, `LogRateLimitIntervalSec=` +- `[Install]` section as-is +- The per-directive comment block at the top describing the sudo-incompatibility carve-outs is fine to drop (it's redundant with the drop-in file); leave one short pointer comment in the unit body if useful. + +The resulting reference unit is the "base" unit: what the reactor emits before the drop-in adds the hardening profile. + +- [ ] **Step 2.4: Update the left4me test to reflect the split.** + +In `deploy/tests/test_example_units.py`: + +(a) Add path constants near the existing ones: + +```python +WEB_HARDENING_DROPIN = DEPLOY / "files/etc/systemd/system/left4me-web.service.d/10-hardening.conf" +SERVER_HARDENING_DROPIN = DEPLOY / "files/etc/systemd/system/left4me-server@.service.d/10-hardening.conf" +``` + +(b) Remove hardening assertions from `test_web_unit_contains_required_runtime_contract`. The unit-body assertions that **stay** are the base-unit ones (User, Group, WorkingDirectory, PATH, EnvironmentFile, ExecStart, --workers/--threads, NoNewPrivileges-NOT-set, ReadWritePaths, MountFlags-NOT-set). The assertions that **move to a new test** (`test_web_hardening_dropin`) are the hardening directives (`PrivateTmp=true`, `ProtectSystem=full|strict`, etc. — note: `ProtectSystem=full` assertion in the existing test was already incorrect drift; the new assertion should be `ProtectSystem=strict` matching HARDENING_COMMON). + +(c) Same surgery for `test_server_unit_contains_required_runtime_contract` → split base-unit assertions from hardening assertions. + +(d) New tests: + +```python +def test_web_hardening_dropin_present_with_directives(): + assert WEB_HARDENING_DROPIN.is_file() + text = WEB_HARDENING_DROPIN.read_text() + assert "[Service]" in text + # COMMON + for d in ( + "ProtectProc=invisible", + "ProtectKernelTunables=true", + "ProtectKernelModules=true", + "ProtectKernelLogs=true", + "ProtectClock=true", + "ProtectControlGroups=true", + "ProtectHostname=true", + "LockPersonality=true", + "ProtectSystem=strict", + "ProtectHome=true", + "PrivateTmp=true", + "RestrictNamespaces=true", + "RestrictRealtime=true", + "RemoveIPC=true", + "KeyringMode=private", + "UMask=0027", + "RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX", + ): + assert d in text, f"missing {d!r} in web hardening drop-in" + # WEB-specific + assert "SystemCallArchitectures=native" in text + assert "SystemCallFilter=@system-service" in text + assert "SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete" in text + # WEB must NOT include the sudo-incompatible directives. + assert "NoNewPrivileges=" not in text + assert "PrivateUsers=" not in text + assert "RestrictSUIDSGID=" not in text + assert "CapabilityBoundingSet=" not in text + assert "~@privileged" not in text + + +def test_server_hardening_dropin_present_with_directives(): + assert SERVER_HARDENING_DROPIN.is_file() + text = SERVER_HARDENING_DROPIN.read_text() + assert "[Service]" in text + # Server adds sudo-incompatible flags on top of COMMON. + for d in ( + "NoNewPrivileges=true", + "RestrictSUIDSGID=true", + "PrivateUsers=true", + "PrivatePIDs=true", + "PrivateIPC=true", + "PrivateDevices=true", + "CapabilityBoundingSet=", + "AmbientCapabilities=", + "SystemCallArchitectures=native x86", + "ProcSubset=pid", + "TemporaryFileSystem=/var/lib /etc /opt /home /root /srv /mnt /media", + "BindReadOnlyPaths=/var/lib/left4me/installation", + "BindReadOnlyPaths=/var/lib/left4me/overlays", + "BindReadOnlyPaths=/etc/left4me/host.env", + "BindPaths=/var/lib/left4me/runtime/%i", + "SocketBindAllow=udp:27000-27999", + "SocketBindAllow=tcp:27000-27999", + ): + assert d in text, f"missing {d!r} in server hardening drop-in" + assert "SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete @privileged" in text + # MemoryDenyWriteExecute must remain absent (Source engine compat). + assert "MemoryDenyWriteExecute" not in text +``` + +- [ ] **Step 2.5: Run all left4me tests.** + +```bash +cd ~/Projekte/left4me +pytest deploy/tests/test_example_units.py -v +``` + +Expected: all PASS (including the two new drop-in tests and the slimmed-down unit-body tests). + +- [ ] **Step 2.6: Commit left4me side.** + +```bash +cd ~/Projekte/left4me +git add deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf +git add deploy/files/etc/systemd/system/left4me-server@.service.d/10-hardening.conf +git add deploy/files/usr/local/lib/systemd/system/left4me-web.service +git add deploy/files/usr/local/lib/systemd/system/left4me-server@.service +git add deploy/tests/test_example_units.py +git commit -m "deploy: extract hardening into drop-in files alongside the units + +Hardening directives leave the base unit body and live in: + deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf + deploy/files/etc/systemd/system/left4me-server@.service.d/10-hardening.conf + +Reference units now describe just the base operational shape (exec, +env, restart, resources). Tests split: base-unit content and hardening +profile are asserted separately. + +Part of 2026-05-15-deployment-responsibility-design.md migration +step 2. ckn-bw lands the matching reactor surgery + symlink delivery." +git push +``` + +- [ ] **Step 2.7: Drop the HARDENING constants + splats from ckn-bw.** + +In `~/Projekte/ckn-bw/bundles/left4me/metadata.py`: + +(a) Delete `HARDENING_COMMON`, `HARDENING_SERVER`, `HARDENING_WEB` (lines ~122-210). All three constants and their comment block go away. + +(b) Remove `**HARDENING_WEB` from the `left4me-web.service` `Service` dict (in the `systemd_units` reactor). + +(c) Remove `**HARDENING_SERVER` from the `left4me-server@.service` `Service` dict. + +(d) Update the `# Hardening profile — see HARDENING_WEB ...` comments above each splat to point to the drop-in file path instead (e.g., `# Hardening profile delivered via /etc/systemd/system/left4me-web.service.d/10-hardening.conf (symlink into the checkout).`). + +- [ ] **Step 2.8: Add directory + symlink items for the drop-ins.** + +In `~/Projekte/ckn-bw/bundles/left4me/items.py`: + +(a) Add to `directories`: + +```python + '/etc/systemd/system/left4me-web.service.d': { + 'owner': 'root', 'group': 'root', 'mode': '0755', + }, + '/etc/systemd/system/left4me-server@.service.d': { + 'owner': 'root', 'group': 'root', 'mode': '0755', + }, +``` + +(b) Add one `triggered` action that runs `systemctl daemon-reload`. It will fire on either the symlink itself changing OR on `git_deploy` updating the source content (the symlink path doesn't change in that case, so we need both wirings): + +```python +actions['left4me_daemon_reload'] = { + 'command': 'systemctl daemon-reload', + 'triggered': True, + 'cascade_skip': False, +} +``` + +(c) Add to `symlinks` (which now has the sysctl entry from Task 1): + +```python + '/etc/systemd/system/left4me-web.service.d/10-hardening.conf': { + 'target': '/opt/left4me/src/deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf', + 'owner': 'root', 'group': 'root', + 'needs': [ + 'directory:/etc/systemd/system/left4me-web.service.d', + 'git_deploy:/opt/left4me/src', + ], + 'triggers': [ + 'action:left4me_daemon_reload', + ], + }, + '/etc/systemd/system/left4me-server@.service.d/10-hardening.conf': { + 'target': '/opt/left4me/src/deploy/files/etc/systemd/system/left4me-server@.service.d/10-hardening.conf', + 'owner': 'root', 'group': 'root', + 'needs': [ + 'directory:/etc/systemd/system/left4me-server@.service.d', + 'git_deploy:/opt/left4me/src', + ], + 'triggers': [ + 'action:left4me_daemon_reload', + ], + }, +``` + +(d) Wire `left4me_daemon_reload` into the `git_deploy:/opt/left4me/src` `triggers` list (in addition to whatever's already there — `left4me_alembic_upgrade`, `left4me_pip_install`, etc.): + +```python +git_deploy = { + '/opt/left4me/src': { + 'repo': node.metadata.get('left4me/git_url'), + 'rev': node.metadata.get('left4me/git_branch'), + 'triggers': [ + 'action:left4me_alembic_upgrade', + 'action:left4me_pip_install', + 'action:left4me_daemon_reload', # NEW + # …whatever else is already in this list + ], + }, +} +``` + +This handles the case where the source content of a hardening drop-in changes (via `git_deploy`) but the symlink itself doesn't. + +- [ ] **Step 2.9: `bw test` in ckn-bw.** + +```bash +cd ~/Projekte/ckn-bw +bw test +``` + +Expected: no errors. + +- [ ] **Step 2.10: Apply to the production host (interactive).** + +The web service will get its hardening overlay reloaded on this apply. Expect bw to: remove old reactor-emitted hardening from the unit file, create the new drop-in directories and symlinks, `systemctl daemon-reload`. The service is *not* restarted automatically by bw on a drop-in change. You must restart it explicitly to pick up the new effective directives: + +```bash +cd ~/Projekte/ckn-bw +bw apply ovh.left4me +ssh root@ovh.left4me 'systemctl restart left4me-web.service' +``` + +Gameserver instances are template-instantiated on demand by the web app. To pick up the new hardening drop-in, any *currently running* instance must be restarted via the web UI (or directly: `systemctl restart left4me-server@`). New instances started after `daemon-reload` will get the new hardening automatically. + +- [ ] **Step 2.11: Verify on host.** + +```bash +ssh root@ovh.left4me ' + echo "=== drop-ins symlinked ===" + ls -la /etc/systemd/system/left4me-web.service.d/10-hardening.conf + ls -la /etc/systemd/system/left4me-server@.service.d/10-hardening.conf + echo "=== web unit, effective directives ===" + systemctl show -p ProtectSystem,ProtectHome,PrivateTmp,ProtectProc,SystemCallArchitectures,LockPersonality left4me-web.service + echo "=== server unit (file-level, since instances spawn on demand) ===" + systemctl cat left4me-server@.service | grep -E "^Drop-In|10-hardening" + echo "=== systemctl daemon-reload fired ===" + systemctl status left4me-web.service | head -5 +' +``` + +Expected: +- Both drop-in symlinks point into `/opt/left4me/src/deploy/files/etc/systemd/system/...` +- `systemctl show` for left4me-web reports the directives from the drop-in (`ProtectSystem=strict`, `PrivateTmp=yes`, etc. — matches Step 0.2's baseline) +- `systemctl cat left4me-server@.service` shows `# Drop-In: /etc/systemd/system/left4me-server@.service.d/` and references `10-hardening.conf` + +- [ ] **Step 2.12: Run the relevant hardening test plan checks.** + +From `docs/superpowers/specs/2026-05-15-hardening-test-plan.md`, pick a small subset that exercises both units in the live state (e.g., Test 1 ProtectSystem, Test 4 PrivateUsers on the server unit). Run them. Expected: pass identically to before. + +- [ ] **Step 2.13: Re-apply for idempotency.** + +```bash +cd ~/Projekte/ckn-bw +bw apply ovh.left4me +``` + +Expected: `0 fixed, 0 failed`. Daemon-reload does *not* fire on a no-op apply. + +- [ ] **Step 2.14: Commit ckn-bw side.** + +```bash +cd ~/Projekte/ckn-bw +git add bundles/left4me/metadata.py bundles/left4me/items.py +git commit -m "left4me: hardening lives in drop-ins owned by left4me; deliver via symlink + +Reactor stops emitting hardening directives in the unit bodies. The +HARDENING_COMMON / HARDENING_SERVER / HARDENING_WEB constants are gone. +Effective hardening on the live units now comes from drop-in files +shipped by left4me at: + /etc/systemd/system/left4me-web.service.d/10-hardening.conf + /etc/systemd/system/left4me-server@.service.d/10-hardening.conf +Both are target-side symlinks into /opt/left4me/src/deploy/files/... +(safe because /opt/left4me/src is root-owned post-relocation refactor). + +Verified on ovh.left4me: systemctl show reports the same directives as +the pre-refactor baseline; relevant hardening test-plan checks pass." +``` + +--- + +## Task 3: Sudoers symlink — dedupe the verbatim mirror + +**Goal:** `/etc/sudoers.d/left4me` becomes a symlink into the checkout instead of a file copy from ckn-bw's bundle. Delete the bundle's mirror file. + +**Files:** +- Modify: `~/Projekte/ckn-bw/bundles/left4me/items.py` (move sudoers from `files` → `symlinks`) +- Delete: `~/Projekte/ckn-bw/bundles/left4me/files/etc/sudoers.d/left4me` +- (Optional) Create: `~/Projekte/left4me/deploy/tests/test_sudoers.py` + +### Steps + +- [ ] **Step 3.1: (Optional) Add a left4me-side syntax test.** + +The current bw `files{}` entry uses `'test_with': 'visudo -cf {}'`, which won't run for a `symlinks{}` entry. Replace that gate with a left4me-side pytest: + +```python +# deploy/tests/test_sudoers.py +"""Syntax-check the sudoers drop-in via visudo before it leaves the repo.""" +import shutil +import subprocess +from pathlib import Path + +import pytest + +SUDOERS = Path(__file__).resolve().parents[2] / "deploy/files/etc/sudoers.d/left4me" + + +@pytest.mark.skipif(shutil.which("visudo") is None, reason="visudo not installed") +def test_sudoers_parses(): + result = subprocess.run( + ["visudo", "-cf", str(SUDOERS)], + capture_output=True, text=True, + ) + assert result.returncode == 0, f"visudo -cf failed: {result.stdout}{result.stderr}" +``` + +Run it: + +```bash +cd ~/Projekte/left4me +pytest deploy/tests/test_sudoers.py -v +``` + +Expected: PASS (or SKIP on systems without visudo — fine for CI on hosts that have it). + +- [ ] **Step 3.2: Commit the left4me-side test if added.** + +```bash +cd ~/Projekte/left4me +git add deploy/tests/test_sudoers.py +git commit -m "deploy/tests: add visudo syntax test for the sudoers drop-in + +Pre-deploy syntax guard; replaces ckn-bw's per-item test_with which +won't apply to a symlink-delivered file (see deployment-responsibility +migration step 3)." +git push +``` + +- [ ] **Step 3.3: Move the sudoers entry from `files` to `symlinks` in ckn-bw.** + +In `~/Projekte/ckn-bw/bundles/left4me/items.py`: + +(a) Remove from `files`: + +```python +# DELETE: + '/etc/sudoers.d/left4me': { + 'source': 'etc/sudoers.d/left4me', + 'mode': '0440', + 'owner': 'root', + 'group': 'root', + 'test_with': 'visudo -cf {}', + }, +``` + +(b) Add to `symlinks`: + +```python + '/etc/sudoers.d/left4me': { + 'target': '/opt/left4me/src/deploy/files/etc/sudoers.d/left4me', + 'owner': 'root', 'group': 'root', + 'needs': [ + 'git_deploy:/opt/left4me/src', + ], + # sudo follows symlinks; with the target file at root:root 0440 + # in a root-owned source tree, sudo accepts it. No daemon-reload + # equivalent — sudo re-reads /etc/sudoers.d/ on each invocation. + }, +``` + +- [ ] **Step 3.4: Delete the verbatim mirror.** + +```bash +cd ~/Projekte/ckn-bw +rm bundles/left4me/files/etc/sudoers.d/left4me +rmdir bundles/left4me/files/etc/sudoers.d 2>/dev/null || true +``` + +- [ ] **Step 3.5: Confirm the source file has the right mode (must be 0440 root:root) in the live checkout.** + +The on-target permissions of `/opt/left4me/src/deploy/files/etc/sudoers.d/left4me` matter (sudo checks the resolved file). `git_deploy` extracts as root, so the file inherits the source file's mode from git (default 0644). sudo requires 0440 / 0400. The simplest fix: a small ckn-bw action that runs `chmod 0440 /opt/left4me/src/deploy/files/etc/sudoers.d/left4me` after git_deploy. Add to `items.py`: + +```python +actions['left4me_chmod_sudoers'] = { + 'command': 'chmod 0440 /opt/left4me/src/deploy/files/etc/sudoers.d/left4me', + 'unless': 'test "$(stat -c %a /opt/left4me/src/deploy/files/etc/sudoers.d/left4me)" = "440"', + 'cascade_skip': False, + 'needs': [ + 'git_deploy:/opt/left4me/src', + ], + # Required so the symlink resolves to a sudo-acceptable file. +} +``` + +And add `'action:left4me_chmod_sudoers'` to the `symlinks['/etc/sudoers.d/left4me']` `needs` list. + +Alternative: set the in-repo file's git mode to 0440 with `chmod 0440 deploy/files/etc/sudoers.d/left4me && git add --chmod=u-w …` so git tracks the mode. Either works; the action approach is more robust against future repo-mode regressions. + +- [ ] **Step 3.6: `bw test` + apply.** + +```bash +cd ~/Projekte/ckn-bw +bw test +bw apply ovh.left4me +``` + +Expected: file removed, action fires the chmod, symlink created. + +- [ ] **Step 3.7: Verify sudo still works.** + +```bash +ssh root@ovh.left4me ' + echo "=== symlink ===" + ls -la /etc/sudoers.d/left4me + stat -c "%U:%G %a" /opt/left4me/src/deploy/files/etc/sudoers.d/left4me + echo "=== sudoers content via sudo -l ===" + sudo -l -U left4me 2>&1 | head -30 +' +``` + +Expected: +- Symlink resolves into the checkout +- Target file is `root:root 440` +- `sudo -l -U left4me` lists the same commands as Step 0.2 baseline + +- [ ] **Step 3.8: Functional check — run a privileged helper via sudo.** + +Trigger one of the sudoers-allowed commands the way the web app does, e.g. a status check via the systemctl helper: + +```bash +ssh root@ovh.left4me 'sudo -u left4me /usr/bin/sudo /usr/local/libexec/left4me/left4me-systemctl status left4me-web.service | head -5' +``` + +Expected: command runs successfully (returns status output, not "Sorry, user … is not allowed"). + +- [ ] **Step 3.9: Idempotent re-apply + commit.** + +```bash +cd ~/Projekte/ckn-bw +bw apply ovh.left4me # expect 0 fixed +git add bundles/left4me/items.py bundles/left4me/files/etc/sudoers.d/ +git commit -m "left4me: symlink /etc/sudoers.d/left4me to the checkout + +Sudoers drop-in lives in left4me/deploy/files/etc/sudoers.d/left4me +(single source of truth). Deleted the verbatim mirror in this bundle's +files/ tree. Added an idempotent chmod action so the in-checkout file +is 0440 root:root — required for sudo to accept it through the symlink. + +Syntax check on the source file is now a left4me-side pytest +(deploy/tests/test_sudoers.py) running visudo -cf. + +Part of 2026-05-15-deployment-responsibility-design.md migration step 3." +``` + +--- + +## Task 4: Privileged scripts — relocate to `deploy/scripts/` + symlink + +**Goal:** Move `left4me/scripts/{libexec,sbin}/` into `left4me/deploy/scripts/{libexec,sbin}/` for layout consistency (everything ckn-bw deploys lives under `deploy/`). Replace the `install_left4me_scripts` copy-action with bw `symlinks{}` items, one per script. + +**Files:** +- `git mv` in left4me: `scripts/` → `deploy/scripts/` +- Modify: `~/Projekte/left4me/AGENTS.md`, any docs referencing the old path (grep first) +- Modify: `~/Projekte/ckn-bw/bundles/left4me/items.py` (drop `install_left4me_scripts` action; add symlink items; update git_deploy triggers) + +### Steps + +- [ ] **Step 4.1: Find every reference to the old path in left4me.** + +```bash +cd ~/Projekte/left4me +grep -rn "scripts/libexec\|scripts/sbin\|/opt/left4me/src/scripts" \ + --include='*.py' --include='*.md' --include='*.sh' --include='*.toml' --include='*.cfg' \ + . 2>/dev/null | grep -v worktrees +``` + +Save the file list — every match needs updating. + +- [ ] **Step 4.2: `git mv` the scripts directory in left4me.** + +```bash +cd ~/Projekte/left4me +git mv scripts deploy/scripts +``` + +- [ ] **Step 4.3: Update all references in left4me to the new path.** + +For each file found in 4.1, replace `scripts/libexec/` → `deploy/scripts/libexec/`, `scripts/sbin/` → `deploy/scripts/sbin/`, `/opt/left4me/src/scripts/` → `/opt/left4me/src/deploy/scripts/`. Use sed or your editor of choice. Be careful: don't touch worktree files or vendored dependencies. + +- [ ] **Step 4.4: Run the full left4me test suite.** + +```bash +cd ~/Projekte/left4me +pytest -v +``` + +Expected: PASS. If any test fails on a path reference you missed, fix and re-run. + +- [ ] **Step 4.5: Commit the left4me relocation.** + +```bash +cd ~/Projekte/left4me +git add -A +git commit -m "deploy: move scripts/{libexec,sbin}/ into deploy/scripts/ + +Layout consistency: everything ckn-bw deploys to the host now lives +under deploy/. ckn-bw's install_left4me_scripts copy-action goes away +in lockstep with this commit and is replaced by target-side symlinks. + +Part of 2026-05-15-deployment-responsibility-design.md migration step 4." +git push +``` + +- [ ] **Step 4.6: Replace `install_left4me_scripts` with symlinks in ckn-bw.** + +In `~/Projekte/ckn-bw/bundles/left4me/items.py`: + +(a) Delete `actions['install_left4me_scripts']`. + +(b) Remove `'action:install_left4me_scripts'` from `git_deploy:/opt/left4me/src`'s `triggers` list. + +(c) Replace `directory:/usr/local/libexec/left4me` (already exists) and add symlink items, one per script (the current four — see `ls /opt/left4me/src/scripts/libexec/ scripts/sbin/` on host for the canonical list): + +```python +# Per-script symlinks. Source content lives in left4me/deploy/scripts/. +# git_deploy:/opt/left4me/src is the prerequisite for each — without it +# the symlink target wouldn't exist on a fresh apply. +LEFT4ME_LIBEXEC_SCRIPTS = ( + 'left4me-overlay', + 'left4me-systemctl', + 'left4me-journalctl', + 'left4me-script-sandbox', +) +LEFT4ME_SBIN_SCRIPTS = ( + 'left4me', +) + +for _script in LEFT4ME_LIBEXEC_SCRIPTS: + symlinks[f'/usr/local/libexec/left4me/{_script}'] = { + 'target': f'/opt/left4me/src/deploy/scripts/libexec/{_script}', + 'owner': 'root', 'group': 'root', + 'needs': [ + 'directory:/usr/local/libexec/left4me', + 'git_deploy:/opt/left4me/src', + ], + } + +for _script in LEFT4ME_SBIN_SCRIPTS: + symlinks[f'/usr/local/sbin/{_script}'] = { + 'target': f'/opt/left4me/src/deploy/scripts/sbin/{_script}', + 'owner': 'root', 'group': 'root', + 'needs': [ + 'git_deploy:/opt/left4me/src', + ], + } +``` + +(d) Confirm the source scripts have the executable bit set in the checkout. Add an idempotent chmod action if needed: + +```python +actions['left4me_chmod_scripts'] = { + 'command': ( + 'chmod 0755 ' + '/opt/left4me/src/deploy/scripts/libexec/* ' + '/opt/left4me/src/deploy/scripts/sbin/*' + ), + 'unless': ( + '! find /opt/left4me/src/deploy/scripts -type f \\! -perm 755 -print -quit | grep -q .' + ), + 'cascade_skip': False, + 'needs': [ + 'git_deploy:/opt/left4me/src', + ], +} +``` + +Add `'action:left4me_chmod_scripts'` to each script symlink's `needs:`. + +- [ ] **Step 4.7: `bw test` + apply.** + +```bash +cd ~/Projekte/ckn-bw +bw test +bw apply ovh.left4me +``` + +Expected: install_left4me_scripts action removed from the graph; symlinks created; existing root-owned copies in `/usr/local/{libexec,sbin}/` are replaced by symlinks. + +- [ ] **Step 4.8: Verify the helpers still work.** + +```bash +ssh root@ovh.left4me ' + echo "=== symlinks ===" + ls -la /usr/local/libexec/left4me/ /usr/local/sbin/left4me + echo "=== executable check ===" + /usr/local/libexec/left4me/left4me-systemctl --help 2>&1 | head -3 || true + echo "=== sudo invocation (the way the web app uses them) ===" + sudo -u left4me /usr/bin/sudo /usr/local/libexec/left4me/left4me-systemctl status left4me-web.service | head -5 +' +``` + +Expected: every entry is a symlink into `/opt/left4me/src/deploy/scripts/`; the help/status outputs look normal; sudo invocation still succeeds. + +- [ ] **Step 4.9: Live gameserver round-trip.** + +Start a fresh instance via the web app (or `sudo /usr/local/libexec/left4me/left4me-systemctl start left4me-server@test`), confirm srcds_run starts, stop it. The `left4me-overlay` helper (now a symlink into the checkout) gets exercised as part of the ExecStartPre/ExecStopPost. + +- [ ] **Step 4.10: Idempotent re-apply + commit.** + +```bash +cd ~/Projekte/ckn-bw +bw apply ovh.left4me # expect 0 fixed +git add bundles/left4me/items.py +git commit -m "left4me: symlink privileged helpers to the checkout + +/usr/local/libexec/left4me/* and /usr/local/sbin/left4me are now +target-side symlinks into /opt/left4me/src/deploy/scripts/... +Replaces the install_left4me_scripts copy-action. + +Part of 2026-05-15-deployment-responsibility-design.md migration +step 4. Verified on ovh.left4me: helpers run via sudo from the web +app context; gameserver mount/unmount round-trip succeeds." +``` + +--- + +## Task 5: Cleanup + docs + +**Goal:** Prune now-dead metadata, update both repos' READMEs to describe the new model, and run the end-to-end verification matrix one final time. + +**Files:** +- Modify: `~/Projekte/left4me/deploy/README.md` +- Modify: `~/Projekte/ckn-bw/bundles/left4me/README.md` +- (Possibly) Modify: `~/Projekte/left4me/AGENTS.md` + +### Steps + +- [ ] **Step 5.1: Audit ckn-bw `bundles/left4me/` for any dead references.** + +```bash +cd ~/Projekte/ckn-bw +grep -nE "HARDENING_|install_left4me_scripts|left4me_chown_src" bundles/left4me/*.py +``` + +Expected: no matches. If there are, they're leftovers from earlier steps — clean them up. + +- [ ] **Step 5.2: Update `~/Projekte/left4me/deploy/README.md`.** + +Describe the new model: `deploy/files/` and `deploy/scripts/` are the canonical source for everything ckn-bw deploys via target-side symlinks; base unit bodies in `deploy/files/usr/local/lib/systemd/system/` remain reference fixtures that match the reactor-emitted live form. Hardening profile lives in the drop-in files alongside the unit it hardens. + +- [ ] **Step 5.3: Update `~/Projekte/ckn-bw/bundles/left4me/README.md`.** + +Replace the "drops privileged helpers" and "git_deploy then pip_install -e" descriptions with the current model: target-side symlinks for static artifacts (hardening drop-ins, sudoers, sysctl drop-in, helpers); reactor emits per-host unit bodies and slice CPU pinning. Point at the design doc for the rationale. + +- [ ] **Step 5.4: Update `~/Projekte/left4me/AGENTS.md` if it describes the deployment layout.** + +Likely just a path update from `scripts/` → `deploy/scripts/`. Grep first. + +- [ ] **Step 5.5: Full end-to-end verification matrix.** + +Re-run the Preflight baseline capture and compare against the post-migration state: + +```bash +ssh root@ovh.left4me ' + echo "=== sysctl ===" + sysctl kernel.yama.ptrace_scope net.core.rmem_max net.ipv4.tcp_congestion_control + echo "=== left4me-web hardening (selected) ===" + systemctl show -p ProtectSystem,ProtectHome,PrivateTmp,ProtectProc,SystemCallArchitectures left4me-web.service + echo "=== left4me-server@ hardening (template-level via systemctl cat) ===" + systemctl cat left4me-server@.service | grep -E "ProtectSystem|PrivateUsers|PrivatePIDs|NoNewPrivileges|SocketBindAllow" + echo "=== sudo for left4me ===" + sudo -l -U left4me 2>&1 | head -30 + echo "=== symlinks ===" + ls -la /etc/sudoers.d/left4me /etc/sysctl.d/99-left4me.conf \ + /etc/systemd/system/left4me-web.service.d/10-hardening.conf \ + /etc/systemd/system/left4me-server@.service.d/10-hardening.conf \ + /usr/local/libexec/left4me/left4me-overlay \ + /usr/local/sbin/left4me + echo "=== bw idempotent ===" +' +cd ~/Projekte/ckn-bw && bw apply ovh.left4me +``` + +Expected: +- All sysctl values match baseline +- All hardening directives reported by systemctl match baseline +- `sudo -l` output matches baseline +- All listed paths are symlinks into `/opt/left4me/src/deploy/` +- `bw apply` reports `0 fixed, 0 failed` + +- [ ] **Step 5.6: Gameserver round-trip in production mode.** + +Through the web UI: start an instance, confirm it appears in the live-state panel, run a cvar inspect, stop it. End-to-end confirms the symlinked helpers + hardened gameserver unit all work together. + +- [ ] **Step 5.7: Commit docs.** + +```bash +cd ~/Projekte/left4me +git add deploy/README.md AGENTS.md 2>/dev/null +git commit -m "deploy/docs: describe the new symlink-based delivery model" || true +git push + +cd ~/Projekte/ckn-bw +git add bundles/left4me/README.md +git commit -m "left4me/README: describe symlink delivery + reactor scope after the reshape" +``` + +- [ ] **Step 5.8: Mark the design doc as shipped.** + +In `~/Projekte/left4me/docs/superpowers/specs/2026-05-15-deployment-responsibility-design.md`, add a status block at the top: + +```markdown +## Status + +**Shipped 2026-05-15.** All five migration steps landed and verified on +ovh.left4me. Implementation plan executed: +`docs/superpowers/plans/2026-05-15-deployment-responsibility.md`. +``` + +Commit: + +```bash +cd ~/Projekte/left4me +git add docs/superpowers/specs/2026-05-15-deployment-responsibility-design.md +git commit -m "spec(deployment-responsibility): mark shipped after step-5 verification" +git push +``` + +--- + +## What this plan does NOT cover + +- The build-overlay-unit refactor (`2026-05-15-build-overlay-unit-design.md`) — separate work, lands on top of this. Its hardening profile should ship as a drop-in inline with the dispatcher using the pattern established here. +- AppArmor profiles (deferred from the defenses survey). +- Moving base unit bodies / slice CPU pinning into left4me — explicitly out of scope per the design doc. + +## Sequencing notes + +- Steps within a task are sequential. Tasks 1-4 can in principle be parallelized across multiple sessions, but they all touch `bw apply ovh.left4me`, and interleaving applies makes failure attribution harder. Land them one at a time. +- Each task ends with both repos committed and the live host idempotent. That's the natural "checkpoint" — safe to stop between tasks. +- If a verification step fails: stop, do not paper over. Most likely cause is a wiring mismatch (wrong path, missing `needs`, missing daemon-reload trigger). Use `bw verify` and `systemctl status`/`journalctl -xe` on the host to localize.