Plan: Restructure ThinkPad P16g Deployment Project

Context
The ThinkPad P16g deployment project
(partials/projects/thinkpad-t16g-deploy/) is nearly complete with 18
partial files covering phases 0-11 plus supporting documents. Two
structural problems have emerged as the project grew:

  1. Phase 11 is overloaded — it jams verification checklists, AppArmor deployment (a multi-week SEC-001 initiative with its own CR and INC), UFW firewall, SSH hardening, and btrfs snapshots into 126 lines. These are fundamentally different activities.

  2. Field notes is monolithic — 699 lines with 8+ unrelated sections (scope creep, hardware specs, 33 commands learned, 35 issues encountered, stow audit, post-deploy TODOs, improvement proposals). Not navigable.

    The user also just enabled AppArmor (SEC-001 Phase 1 complete) and rebooted
 — validation is immediate next step.
    Changes

  3. Split Phase 11 into Three Phases

    Current phase-11-verification.adoc (126 lines) becomes:
    New File: phase-11-verification.adoc
Content Source: Lines 1-53 + 115-126 (rewrite)
Lines: ~65
Purpose: Pure verification checklists (System, Desktop, Dev) + btrfs
  snapshot
────────────────────────────────────────
New File: phase-12-security-hardening.adoc
Content Source: Lines 55-114 (expanded)
Lines: ~200
Purpose: AppArmor (4 phases, xrefs to CR/INC), UFW (expanded), SSH
hardening
  (expanded), port audit
────────────────────────────────────────
New File: phase-13-maintenance.adoc
Content Source: New (from post-deploy TODOs)
Lines: ~120
Purpose: Borg timer, TLP thresholds, cert renewal, ssh-agent, pacman hook
  validation
    Rationale: Security hardening is multi-week operational work, not a
checkbox. AppArmor alone has 4 phases spanning days. Verification is a
run-once gate confirming phases 0-10 worked. Maintenance captures ongoing
operational tasks that currently have no home.

  4. Split Field Notes into 7 Focused Appendices

    Current appendix-field-notes.adoc (699 lines) becomes:
    ┌────────────────────────────────┬─────────┬──────┬────────────────────┐
│            New File            │ Source  │ Size │      Content       │
│                                │  Lines  │      │                    │
├────────────────────────────────┼─────────┼──────┼────────────────────┤
│ appendix-scope-creep.adoc      │ 1-111   │ ~111 │ Active backlog     │
│                                │         │      │ tracking table     │
├────────────────────────────────┼─────────┼──────┼────────────────────┤
│                                │         │      │ Pre-wipe disk      │
│ appendix-hardware.adoc         │ 112-160 │ ~49  │ layout, hardware   │
│                                │         │      │ specs, MACs        │
├────────────────────────────────┼─────────┼──────┼────────────────────┤
│                                │         │      │ 33 commands        │
│ appendix-commands-learned.adoc │ 161-237 │ ~77  │ discovered during  │
│                                │         │      │ deployment         │
├────────────────────────────────┼─────────┼──────┼────────────────────┤
│ appendix-deviations.adoc       │ 239-298 │ ~60  │ 12 plan-vs-reality │
│                                │         │      │  divergences       │
├────────────────────────────────┼─────────┼──────┼────────────────────┤
│ appendix-issues.adoc           │ 300-475 │ ~176 │ 35 issues with     │
│                                │         │      │ resolutions        │
├────────────────────────────────┼─────────┼──────┼────────────────────┤
│                                │         │      │ Audit commands +   │
│ appendix-stow-audit.adoc       │ 476-601 │ ~125 │ 43-package status  │
│                                │         │      │ table + SSH IP     │
│                                │         │      │ verification       │
├────────────────────────────────┼─────────┼──────┼────────────────────┤
│                                │         │      │ P0/P1/P2 TODOs +   │
│ appendix-todos.adoc            │ 602-699 │ ~98  │ improvement        │
│                                │         │      │ proposals          │
└────────────────────────────────┴─────────┴──────┴────────────────────┘
    Rationale: Each section serves a different audience and access pattern. The
 issues table is a troubleshooting KB. Commands learned is a reference
card. TODOs are active task tracking. Mixing them in one 699-line file
forces scrolling past irrelevant content.

  5. New Container Pages + Nav Updates

    New container pages in pages/projects/personal/thinkpad-t16g/:
- phase-12.adoc — includes phase-12-security-hardening.adoc
- phase-13.adoc — includes phase-13-maintenance.adoc
- appendix-scope-creep.adoc, appendix-hardware.adoc,
appendix-commands.adoc, appendix-deviations.adoc, appendix-issues.adoc,
appendix-stow-audit.adoc, appendix-todos.adoc
    Modified:
- phase-11.adoc — update navtitle from "Verification & Hardening" to
"Verification"
    Deleted:
- field-notes.adoc container page (replaced by 7 appendix pages)
    nav.adoc updates (lines 137-152):
- Fix label: "ThinkPad T16g" → "ThinkPad P16g" (hostname was corrected
months ago, nav still says T16g)
- Add Phase 12 and Phase 13 entries
- Replace "Field Notes" with nested "Appendices" group (7 entries at *****
level)

  6. Update summary.adoc

    • Phase 11 row: remove "hardening" from description

    • Add Phase 12 row: 🟡 In progress (AppArmor Phase 1 complete, pending reboot verify)

    • Add Phase 13 row: ❌ Not started

    • Update SEC-001 row: cross-reference Phase 12

    • Update status line: "Phases 9-13 in progress"

  7. Update CR-2026-04-04 Future Considerations

    Line 349 says "Add a new Phase 11a (or fold into Phase 11)". Update to
reference Phase 12.
    File Inventory (After)
    Partials: 24 files (was 18: +9 new, -1 deleted, 2 modified)
Container pages: 23 files (was 15: +9 new, -1 deleted, 1 modified)
    Implementation Order
    Step 1: Create new partial files (parallel)

    • phase-12-security-hardening.adoc — migrate + expand from phase-11 lines 55-114

    • AppArmor section with 4 sub-phases, xrefs to CR/INC, verification commands

    • UFW section expanded with default policy, allow rules, verification, systemctl enable

    • SSH hardening expanded: PermitRootLogin no, PasswordAuthentication no, MaxAuthTries, AllowUsers

    • Open ports audit with expected output documentation

    • phase-13-maintenance.adoc — skeleton from post-deploy TODO items

    • Borg backup systemd timer

    • TLP charge thresholds (40/80)

    • Vault cert renewal workflow

    • Pacman hook validation

    • ssh-agent persistence strategy

    • Wired EAP-TLS (when cable available)

      Step 2: Split field notes into 7 appendix partials (parallel)

    • Direct content extraction with section heading adjustments

    • Update TODO references from "Phase 11: UFW" to "Phase 12: UFW"

    • Update SEC-001 references to point to Phase 12

      Step 3: Rewrite phase-11-verification.adoc

    • Keep verification checklists (System, Desktop, Development tables)

    • Keep btrfs snapshot as final verification step

    • Remove all hardening content (now in Phase 12)

      Step 4: Create container pages (parallel)

    • phase-12.adoc, phase-13.adoc

    • 7 appendix-*.adoc container pages

      Step 5: Delete old files

    • appendix-field-notes.adoc partial

    • field-notes.adoc container page

      Step 6: Update nav.adoc

    • Fix "T16g" → "P16g" in nav label

    • Add Phase 12, Phase 13 entries

    • Replace Field Notes with Appendices group

      Step 7: Update summary.adoc + CR document

    • Modify deployment status table

    • Update CR future considerations

      Step 8: Build verification

    • make 2>&1 | grep -E "WARN|ERROR" — confirm no broken includes or xrefs

      Critical Files
      File: partials/projects/thinkpad-t16g-deploy/phase-11-verification.adoc
Action: Rewrite (strip hardening)
────────────────────────────────────────
File: partials/projects/thinkpad-t16g-deploy/appendix-field-notes.adoc
Action: Delete (split into 7 files)
────────────────────────────────────────
File: partials/projects/thinkpad-t16g-deploy/summary.adoc
Action: Modify (add phases 12-13)
────────────────────────────────────────
File: pages/projects/personal/thinkpad-t16g/field-notes.adoc
Action: Delete
────────────────────────────────────────
File: pages/projects/personal/thinkpad-t16g/phase-11.adoc
Action: Modify (update navtitle)
────────────────────────────────────────
File: nav.adoc
Action: Modify (lines 137-152 restructured)
────────────────────────────────────────
File:
pages/case-studies/changes/CR-2026-04-04-p16g-apparmor-deployment.adoc
Action: Modify (line 349)
      Verification

  8. make builds clean with no WARN/ERROR

  9. All 23 container pages render (spot-check phase-12, appendix-issues)

  10. Nav sidebar shows correct structure with Appendices sub-group

  11. xrefs from CR → deploy project still resolve

  12. No orphaned includes (grep for appendix-field-notes returns zero hits) ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌

    Claude has written up a plan and is ready to execute. Would you like to
proceed?
    ❯ 1. Yes, auto-accept edits
  2. Yes, manually approve edits
  3. Tell Claude what to change
     shift+tab to approve with this feedback
    ctrl-g to edit in Nvim · ~/.claude/plans/expressive-watching-rabin.md