# Tasks: Extract Matrix Platform Modules for ops-jrz1 Server

**Input**: Design documents from `/specs/001-extract-matrix-platform/`
**Prerequisites**: plan.md, spec.md, research.md, data-model.md, contracts/, quickstart.md

**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story. This is a repository extraction project, so tasks focus on extracting, sanitizing, documenting, and publishing rather than traditional software development.

## Format: `[ID] [P?] [Story] Description`
- **[P]**: Can run in parallel (different files, no dependencies)
- **[Story]**: Which user story this task belongs to (US1-US5)
- Include exact file paths in descriptions

## Path Conventions
This is a SINGLE repository project:
- **ops-jrz1** (this repo): Planning docs + extracted modules + server configuration

All work happens in this repository:
- **specs/001-extract-matrix-platform/**: Planning and design docs (speckit workflow)
- **staging/**: Temporary workspace for extraction from ops-base
- **modules/**: Sanitized Matrix modules (extracted from ops-base)
- **hosts/ops-jrz1.nix**: Server-specific configuration
- **flake.nix**: Server flake configuration
- **configuration.nix**: Main server configuration

## Repository Architecture
**Current Phase**: Extract modules from ops-base, sanitize, configure ops-jrz1 dev/test server
**Future (Deferred)**: Public template sharing when ready

---

## Phase 1: Setup (Shared Infrastructure)

**Purpose**: Initialize workspace and create basic repository structure

- [x] T001 Create staging directory structure in ~/proj/ops-jrz1/staging/{modules,configurations,docs}
- [x] T002 (OBSOLETE - single repo) Create Forgejo repository - not needed, using ops-jrz1
- [x] T003 (OBSOLETE - single repo) Clone template locally - not needed, using ops-jrz1
- [x] T004 Create directory structure in ops-jrz1 repo root: modules/, hosts/, docs/, secrets/, scripts/ (per plan.md structure)
- [x] T004a Create hosts/ops-jrz1.nix with dev/test server-specific configuration
- [x] T004b Create flake.nix skeleton referencing ops-jrz1 host (will be expanded in T032)
- [x] T004c Create configuration.nix importing ops-jrz1 host module

---

## Phase 2: Foundational (Blocking Prerequisites)

**Purpose**: Core scripts and contracts that MUST be complete before ANY user story can be implemented

**⚠️ CRITICAL**: No extraction/sanitization work can begin until these tools are ready

- [x] T005 Create scripts/sanitize-files.sh based on contracts/sanitization-rules.yaml (applies all 22 sanitization rules)
- [x] T006 [P] Create scripts/validate-sanitization.sh (runs gitleaks + pattern checks from contracts)
- [x] T007 [P] Create .pre-commit-config.yaml with pre-commit and pre-push hooks (gitleaks + nix flake check + build validation) - PRIMARY VALIDATION
- [x] T008 [P] Create git hooks wrapper scripts in scripts/hooks/ (called by pre-commit framework)
- [x] T009 Create initial .gitignore for ops-jrz1 repo (result, result-*, secrets/*.yaml except examples)
- [x] T010 Create initial README.md in ops-jrz1 repo (work-in-progress status, planned features)
- [x] T011 [P] Create LICENSE file in ops-jrz1 repo (MIT license text)

**Checkpoint**: Foundation ready - extraction and sanitization can now begin

---

## Phase 3: User Story 2 - Sanitize and Publish Template (Priority: P1) 🎯 FOUNDATIONAL

**Goal**: Extract modules from ops-base, sanitize all personal information, and create clean publishable repository

**Why First**: This is the foundational story - must complete before US1 (deployment) can be tested. US2 creates the artifact that US1 uses.

**Independent Test**: Run sanitization scripts → verify gitleaks finds zero secrets → verify no personal domains/IPs → build all example configs successfully

### Module Extraction (US2)

- [ ] T012 [P] [US2] Copy modules/matrix-continuwuity.nix from ops-base to staging/modules/
- [ ] T013 [P] [US2] Copy modules/mautrix-slack.nix from ops-base to staging/modules/
- [ ] T014 [P] [US2] Copy modules/mautrix-whatsapp.nix from ops-base to staging/modules/
- [ ] T015 [P] [US2] Copy modules/mautrix-gmessages.nix from ops-base to staging/modules/
- [ ] T016 [P] [US2] Copy modules/dev-services.nix from ops-base to staging/modules/
- [ ] T017 [P] [US2] Copy modules/security/fail2ban.nix from ops-base to staging/modules/security/
- [ ] T018 [P] [US2] Copy modules/security/ssh-hardening.nix from ops-base to staging/modules/security/
- [ ] T019 [P] [US2] Copy modules/matrix-secrets/default.nix from ops-base to staging/modules/matrix-secrets/

### Configuration Extraction (US2)

- [ ] T020 [P] [US2] Copy configurations/vultr-dev.nix from ops-base to staging/configurations/example-vps.nix
- [ ] T021 [P] [US2] Copy configurations/dev-vps.nix from ops-base to staging/configurations/example-dev.nix

### Sanitization (US2)

- [ ] T022 [US2] Run scripts/sanitize-files.sh on staging/modules/ → output to modules/
- [ ] T023 [US2] Run scripts/sanitize-files.sh on staging/configurations/ → output to hosts/
- [ ] T024 [US2] Manual review of all .nix files for personal references in comments (checklist: comments, docs, inline notes)
- [ ] T025 [US2] Add REPLACE_ME comments to domain/workspace/secret fields in sanitized files

### Validation (US2)

- [ ] T026 [US2] Run scripts/validate-sanitization.sh on modules/ (expect: zero personal domains/IPs/paths)
- [ ] T027 [US2] Run scripts/validate-sanitization.sh on hosts/ (expect: zero personal domains/IPs/paths)
- [ ] T028 [US2] Run gitleaks detect --no-git --source . (expect: zero secrets found)

### Example Files (US2)

- [ ] T029 [P] [US2] Create examples/secrets.yaml.example with sops-nix template structure
- [ ] T030 [P] [US2] Create examples/.sops.yaml.example with age key placeholder
- [ ] T031 [P] [US2] Create examples/minimal-matrix.nix as simplest working configuration

### Flake Configuration (US2)

- [ ] T032 [US2] Create flake.nix in ops-jrz1 repo (imports: nixpkgs, sops-nix; outputs: ops-jrz1 nixosConfiguration)
- [ ] T033 [US2] Run nix flake lock in ops-jrz1 repo to generate flake.lock
- [ ] T034 [US2] Run nix flake check in ops-jrz1 repo (expect: all checks pass)
- [ ] T035 [US2] Run nix build .#nixosConfigurations.ops-jrz1.config.system.build.toplevel (expect: builds successfully)
- [ ] T036 (OBSOLETE - single config) Run nix build .#nixosConfigurations.example-dev.config.system.build.toplevel (expect: builds successfully)

### Initial Commit (US2)

- [ ] T037 [US2] Commit sanitized modules to ops-jrz1 repo: "Add sanitized NixOS modules for Matrix platform"
- [ ] T038 [US2] Commit ops-jrz1 server configuration: "Add ops-jrz1 server configuration"
- [ ] T039 (OBSOLETE - single repo) Push to Forgejo (work stays in ops-jrz1 branch)

**Checkpoint**: User Story 2 complete - sanitized modules in ops-jrz1 repo, builds pass, zero secrets detected

---

## Phase 4: User Story 5 - Documentation Extraction (Priority: P3)

**Goal**: Extract pattern documentation from worklogs and create comprehensive guides

**Why Before US1**: Documentation must exist for US1 (deployment) testing. Developers need guides to deploy.

**Independent Test**: Read each doc → verify technical accuracy → verify no personal infrastructure references → verify examples use generic domains/IPs

### Pattern Documentation (US5)

- [ ] T040 [P] [US5] Extract docs/patterns/config-generation.md from mautrix-slack-bridge-implementation-gmessages-pattern.org worklog
- [ ] T041 [P] [US5] Extract docs/patterns/admin-room-setup.md from conduwuit-admin-room-discovery-password-reset.org worklog
- [ ] T042 [P] [US5] Sanitize docs/patterns/*.md for personal infrastructure references (check for clarun.xyz, talu.uno, personal IPs)

### Bridge Setup Guides (US5)

- [ ] T043 [P] [US5] Extract docs/bridges/slack-setup.md from mautrix-slack-socket-mode-oauth-scopes-blocker.org worklog (Socket Mode, OAuth scopes)
- [ ] T044 [P] [US5] Create docs/bridges/whatsapp-setup.md from module configuration and QR pairing pattern (authentication flow, troubleshooting)
- [ ] T045 [P] [US5] Create docs/bridges/gmessages-setup.md from module configuration and pairing process (prerequisites, common issues)
- [ ] T046 [US5] Sanitize docs/bridges/*.md for personal infrastructure references

### Core Documentation (US5)

- [ ] T047 [P] [US5] Extract docs/secrets-management.md from sops-nix-secrets-management-rfc.md (sops-nix setup, age keys, workflow)
- [ ] T048 [P] [US5] Create docs/architecture.md from RFC and worklogs (system design, module relationships, deployment model)
- [ ] T049 [P] [US5] Create docs/getting-started.md with 5-minute quickstart (prerequisites, customization, deployment steps)
- [ ] T050 [P] [US5] Create docs/deployment.md with detailed deployment guide (VPS setup, DNS, TLS, troubleshooting)
- [ ] T051 [US5] Sanitize docs/*.md for personal infrastructure references

### Validation (US5)

- [ ] T052 [US5] Review all documentation for technical accuracy against actual module code
- [ ] T053 [US5] Verify all code examples in docs use example.com/10.0.0.x/generic values
- [ ] T054 [US5] Verify all docs link to correct files and sections (no broken internal links)

### Commit Documentation (US5)

- [ ] T055 [US5] Commit documentation to ops-jrz1 repo: "Add comprehensive documentation extracted from worklogs"
- [ ] T056 (OBSOLETE - single repo) Push documentation to Forgejo (work stays in ops-jrz1 branch)

**Checkpoint**: User Story 5 complete - all 8 required documentation sections present and sanitized

---

## Phase 5: User Story 3 - Community Governance (Priority: P3 - OPTIONAL/DEFERRED)

**Goal**: Add governance files (CONTRIBUTING.md, SECURITY.md) and CI/CD to enable community contributions

**Status**: Per spec.md US3 is P3-DEFERRED for future public sharing. Can be implemented later when ready for community contributions.

**Independent Test**: Fork repo → make sample change → verify CI runs → verify contribution guidelines clear

### Governance Files (US3)

- [ ] T057 [P] [US3] Create CONTRIBUTING.md with contribution guidelines, testing requirements, PR process
- [ ] T058 [P] [US3] Create SECURITY.md with vulnerability disclosure process, supported versions, response times
- [ ] T059 [P] [US3] Create .github/ISSUE_TEMPLATE/bug_report.yml with structured bug report template
- [ ] T060 [P] [US3] Create .github/ISSUE_TEMPLATE/feature_request.yml with feature request template
- [ ] T061 [P] [US3] Update README.md with community links, contribution section, code of conduct reference

### Git Hooks Validation (US3)

- [ ] T062 [US3] Install pre-commit framework in ops-jrz1 repo: pre-commit install
- [ ] T063 [US3] Test pre-commit hook blocks bad commit (intentionally add clarun.xyz, verify hook rejects)
- [ ] T064 [US3] Test pre-push hook validates builds (make change, verify nix flake check runs before push)
- [ ] T065 [US3] Verify hooks pass with valid changes (fix typo, confirm commit/push succeeds)

### Repository Settings (US3) - Forgejo

- [ ] T066 [US3] Add repository description in Forgejo: "Production-ready NixOS modules for Matrix homeserver with bridges"
- [ ] T067 [US3] Configure repository topics in Forgejo: nixos, matrix, continuwuity, mautrix, homeserver, nix-flakes
- [ ] T068 [US3] Set repository visibility to private (development phase)
- [ ] T069 [DEFER] Enable community features when publishing to public platform (Phase 8)

### Commit Governance (US3)

- [ ] T070 [US3] Commit governance files to ops-jrz1 repo: "Add community governance and contribution guidelines"
- [ ] T071 (OBSOLETE - single repo) Push governance files to Forgejo (work stays in ops-jrz1 branch)

**Checkpoint**: User Story 3 complete - community can fork, contribute, and submit PRs with git hooks validation

---

## Phase 6: User Story 4 - Sync Workflow (Priority: P2)

**Goal**: Create documented workflow and scripts for syncing future improvements from ops-base to template

**Independent Test**: Identify sample ops-base changes → run sync script → verify changes sanitized → verify no secrets leaked → builds pass

### Sync Scripts (US4)

- [ ] T072 [US4] Create scripts/sync-to-template.sh based on research.md sync workflow (identify changes, sanitize, validate)
- [ ] T073 [US4] Create sync-log.md in ops-jrz1 repo with initial publication entry (date, ops-base commit, modules list)
- [ ] T074 [US4] Add quarterly sync schedule to maintainer calendar (January, April, July, October reminders)

### Sync Documentation (US4)

- [ ] T075 [US4] Document sync workflow in ops-jrz1 repo README (when to sync, how to use scripts, validation steps)
- [ ] T076 [US4] Create sync testing checklist based on contracts/sanitization-rules.yaml (validation steps, expected results)

### Sync Testing (US4)

- [ ] T077 [US4] Test sync workflow with mock change in ops-base (add comment to module, sync to template, verify sanitized)
- [ ] T078 [US4] Verify sync validation catches personal references (intentionally add clarun.xyz, verify script rejects)
- [ ] T079 [US4] Verify sync creates git tag and sync-log.md entry correctly

### Commit Sync Workflow (US4)

- [ ] T080 [US4] Commit sync scripts and documentation to ops-jrz1 repo: "Add sync workflow for ongoing maintenance"
- [ ] T081 (OBSOLETE - single repo) Push sync workflow to Forgejo (work stays in ops-jrz1 branch)

**Checkpoint**: User Story 4 complete - maintainer can sync improvements from ops-base quarterly

---

## Phase 7: User Story 1 - Deploy to ops-jrz1 Server (Priority: P1) 🎯 VALIDATION

**Goal**: Deploy Matrix platform to ops-jrz1 dev/test server using extracted and sanitized modules

**Why Last**: Requires sanitized modules (US2) and documentation (US5) to be complete before deployment

**Independent Test**: Customize configuration for ops-jrz1 → deploy to server → verify Matrix responds → verify bridges work

### ops-jrz1 Server Provisioning (US1)

- [ ] T082 [US1] Verify ops-jrz1 server exists and is accessible via SSH (x86_64-linux, NixOS 24.05+)
- [ ] T083 [US1] Configure DNS for ops-jrz1 domain pointing to server IP
- [ ] T084 [US1] SSH to ops-jrz1 and verify NixOS version and nix flake support

### Deployment Following Docs (US1)

- [ ] T085 [US1] Verify ops-jrz1 repo is up to date on branch 001-extract-matrix-platform
- [ ] T086 [US1] Follow docs/getting-started.md step-by-step, time the process (target: <30 minutes)
- [ ] T087 [US1] Customize hosts/ops-jrz1.nix with server domain and settings
- [ ] T088 [US1] Generate age key on ops-jrz1 server: ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
- [ ] T089 [US1] Create secrets/secrets.yaml with ops-jrz1 values (matrix registration token, acme email)
- [ ] T090 [US1] Encrypt secrets with sops: sops -e -i secrets/secrets.yaml
- [ ] T091 [US1] Deploy to ops-jrz1: nixos-rebuild switch --flake .#ops-jrz1 --target-host root@<ops-jrz1-ip>

### Functional Validation (US1)

- [ ] T092 [US1] Verify Matrix homeserver responds: curl https://<ops-jrz1-domain>/_matrix/client/versions (expect: JSON response)
- [ ] T093 [US1] Verify .well-known endpoints: curl https://<ops-jrz1-domain>/.well-known/matrix/server (expect: JSON)
- [ ] T094 [US1] Create test user via registration: use matrix registration token
- [ ] T095 [US1] Login to Element Web with test user credentials (verify authentication works)
- [ ] T096 [US1] Verify systemd services running: ssh root@ops-jrz1 systemctl status matrix-continuwuity

### Bridge Testing (US1)

- [ ] T097 [US1] Follow docs/bridges/slack-setup.md to configure Slack bridge (if testing bridges)
- [ ] T098 [US1] Verify bridge appservice registered with Matrix homeserver
- [ ] T099 [US1] Test bridge message flow (send test message, verify delivery)

### Issues and Documentation Updates (US1)

- [ ] T100 [US1] Document any unclear steps or issues encountered during deployment
- [ ] T101 [US1] Update docs/getting-started.md based on deployment experience (fix ambiguities, add troubleshooting)
- [ ] T102 [US1] Update docs/deployment.md with any missing steps or common issues discovered

### Timing and Metrics (US1)

- [ ] T103 [US1] Verify total deployment time from clone to working Matrix was <30 minutes (SC-001)
- [ ] T104 [US1] Record deployment experience notes for README improvement

**Checkpoint**: User Story 1 complete - ops-jrz1 server deployed with working Matrix homeserver in <30 minutes

---

## Phase 8: Polish & Cross-Cutting Concerns (Partial Deferral)

**Purpose**: Final improvements affecting multiple user stories, preparation for v1.0 publication

**Note**: Public release tasks (T119-T125) are DEFERRED per spec.md Out of Scope. Security validation and build checks remain in scope.

### README Expansion

- [ ] T105 [P] Expand README.md with ops-jrz1 server overview, Matrix platform features, deployment status
- [ ] T106 [P] Add license badge to README: ![License](https://img.shields.io/badge/license-MIT-blue.svg)
- [ ] T107 (DEFERRED) Add repository links to README (for future public template)
- [ ] T108 (DEFERRED) Add community contact info to README (for future public sharing)

### Final Security Validation

- [ ] T109 Run gitleaks on full ops-jrz1 repository (expect: zero findings) - final verification
- [ ] T110 Manual grep for all sensitive patterns: rg 'clarun|talu|192\.168\.1\.|45\.77|/home/dan' in sanitized modules/hosts/docs (expect: no matches)
- [ ] T111 Review git log for any accidentally committed secrets or personal info in branch 001-extract-matrix-platform
- [ ] T112 Verify no .sops.yaml with real age keys committed (only .sops.yaml.example if present)

### Build Validation

- [ ] T113 Run nix flake check (expect: all checks pass)
- [ ] T114 Build ops-jrz1 configuration: nix build .#nixosConfigurations.ops-jrz1 (expect: success)
- [ ] T115 (OBSOLETE - single config) Build example-dev configuration - not needed for single-repo ops-jrz1

### Module Checklist Verification (SC-004)

- [ ] T116 Verify all 6+ core modules present and building: matrix-continuwuity ✓, mautrix-slack ✓, mautrix-whatsapp ✓, mautrix-gmessages ✓, fail2ban ✓, ssh-hardening ✓, plus optional dev-services ✓ and matrix-secrets ✓

### Documentation Checklist Verification (SC-005)

- [ ] T117 Verify core documentation complete: README ✓, deployment guide ✓, secrets-management ✓, plus optional bridge/pattern docs: slack-setup.md ✓, whatsapp-setup.md ✓, gmessages-setup.md ✓, config-generation.md ✓, admin-room-setup.md ✓

### Release Preparation

- [ ] T118 Create v1.0.0 release tag: git tag v1.0.0 -m "Initial release - ops-jrz1 Matrix platform"
- [ ] T119 (DEFERRED) Create public repository (GitHub/tangl.sh) for template publication
- [ ] T120 (DEFERRED) Push sanitized template with tags to public repository

### Announcement Preparation (DEFERRED)

- [ ] T121 (DEFERRED) [P] Draft announcement post for Matrix.org community (#nix:nixos.org)
- [ ] T122 (DEFERRED) [P] Draft announcement post for NixOS Discourse
- [ ] T123 (DEFERRED) [P] Draft announcement post for Reddit r/NixOS
- [ ] T124 (DEFERRED) [P] Draft Show HN post for Hacker News
- [ ] T125 (DEFERRED) Publish announcements across all channels (coordinate timing)

---

## Dependencies & Execution Order

### Phase Dependencies

- **Phase 1 (Setup)**: No dependencies - can start immediately
- **Phase 2 (Foundational)**: Depends on Phase 1 (Setup) - BLOCKS all user stories
- **Phase 3 (US2 - Sanitize)**: Depends on Phase 2 (Foundational) - scripts must exist first
- **Phase 4 (US5 - Docs)**: Depends on Phase 3 (US2) - modules must be sanitized first
- **Phase 5 (US3 - Governance)**: Can start after Phase 2, parallel with US2/US5
- **Phase 6 (US4 - Sync)**: Can start after Phase 2, parallel with other stories
- **Phase 7 (US1 - Deployment)**: Depends on Phase 3, Phase 4, Phase 5 (needs complete template to test)
- **Phase 8 (Polish)**: Depends on all user stories complete

### User Story Dependencies

- **US2 (Sanitize/Publish)**: FOUNDATIONAL - no dependencies, enables all others
- **US5 (Documentation)**: Depends on US2 (modules must exist to document them)
- **US3 (Governance)**: Independent, can run parallel with US2/US5
- **US4 (Sync Workflow)**: Independent, can run parallel with US2/US5
- **US1 (Deployment)**: Depends on US2 + US5 + US3 (needs modules + docs + CI to test)

### Critical Path

```
Phase 1 (Setup)
    ↓
Phase 2 (Foundational - scripts/CI)
    ↓
Phase 3 (US2 - Extract & Sanitize Modules) ← CRITICAL PATH
    ↓
Phase 4 (US5 - Extract Documentation) ← CRITICAL PATH
    ↓
Phase 7 (US1 - VPS Deployment Test) ← CRITICAL PATH
    ↓
Phase 8 (Polish & Release)
```

**Parallel Opportunities**:
- Phase 5 (US3) and Phase 6 (US4) can run in parallel with Phase 3/4
- Within Phase 3: T012-T021 (module/config copies) all parallel
- Within Phase 4: T040-T051 (doc extraction) most are parallel
- Within Phase 8: Many polish tasks parallel (T105-T108, T121-T124)

### Within Each Phase

**Phase 3 (US2) order**:
1. Copy all modules/configs in parallel (T012-T021)
2. Run sanitization sequentially (T022-T023) - depends on copies
3. Manual review (T024-T025) - depends on sanitization
4. Validation (T026-T028) - depends on review
5. Create examples in parallel (T029-T031)
6. Flake config sequentially (T032-T036) - incremental dependencies
7. Commit (T037-T039)

**Phase 7 (US1) order**:
1. VPS provisioning (T082-T084)
2. Clone and customize sequentially (T085-T091) - follows docs
3. Functional validation (T092-T096)
4. Optional bridge testing (T097-T099)
5. Documentation improvements (T100-T102)
6. Metrics collection (T103-T104)

---

## Parallel Execution Examples

### Phase 2: Foundational Scripts

```bash
# All foundational scripts can be created in parallel:
Task: "Create scripts/sanitize-files.sh"
Task: "Create scripts/validate-sanitization.sh"
Task: "Create .github/workflows/ci.yml"
Task: "Create .pre-commit-config.yaml"
Task: "Create LICENSE file"
```

### Phase 3: Module Extraction (US2)

```bash
# All module copies can run in parallel:
Task: "Copy modules/matrix-continuwuity.nix"
Task: "Copy modules/mautrix-slack.nix"
Task: "Copy modules/mautrix-whatsapp.nix"
Task: "Copy modules/mautrix-gmessages.nix"
Task: "Copy modules/dev-services.nix"
Task: "Copy modules/security/fail2ban.nix"
Task: "Copy modules/security/ssh-hardening.nix"
Task: "Copy modules/matrix-secrets/default.nix"
Task: "Copy configurations/example-vps.nix"
Task: "Copy configurations/example-dev.nix"
```

### Phase 4: Documentation (US5)

```bash
# Pattern docs in parallel:
Task: "Extract docs/patterns/config-generation.md"
Task: "Extract docs/patterns/admin-room-setup.md"

# Bridge guides in parallel:
Task: "Extract docs/bridges/slack-setup.md"
Task: "Create docs/bridges/whatsapp-setup.md"
Task: "Create docs/bridges/gmessages-setup.md"

# Core docs in parallel:
Task: "Extract docs/secrets-management.md"
Task: "Create docs/architecture.md"
Task: "Create docs/getting-started.md"
Task: "Create docs/deployment.md"
```

---

## Implementation Strategy

### MVP First (US2 + US5 + US1)

1. Complete Phase 1: Setup (T001-T004)
2. Complete Phase 2: Foundational (T005-T011) - CRITICAL
3. Complete Phase 3: US2 Sanitize (T012-T039) - Extract modules
4. Complete Phase 4: US5 Documentation (T040-T056) - Add docs
5. Skip Phase 5-6 temporarily (governance/sync can wait)
6. Complete Phase 7: US1 Deployment Test (T082-T104) - VALIDATE
7. **STOP and EVALUATE**: Do we have a working template?

### Full v1.0 (All Stories)

1. Complete MVP (above)
2. Add Phase 5: US3 Governance (T057-T071) - Community contributions
3. Add Phase 6: US4 Sync Workflow (T072-T081) - Maintenance
4. Complete Phase 8: Polish (T105-T125) - Final touches & publication

### Incremental Delivery

1. **Week 1**: Setup + Foundational + Module Extraction (T001-T039) → Sanitized modules exist
2. **Week 2**: Documentation (T040-T056) → Comprehensive docs exist
3. **Week 3**: Deployment Testing (T082-T104) → Validated working template
4. **Week 4**: Governance + Sync + Polish (T057-T125) → v1.0 ready for publication

---

## Task Summary

**Total Tasks**: 125
- Phase 1 (Setup): 4 tasks
- Phase 2 (Foundational): 7 tasks (BLOCKING)
- Phase 3 (US2 - Sanitize): 28 tasks
- Phase 4 (US5 - Documentation): 17 tasks
- Phase 5 (US3 - Governance): 15 tasks
- Phase 6 (US4 - Sync): 10 tasks
- Phase 7 (US1 - Deployment): 23 tasks
- Phase 8 (Polish): 21 tasks

**By User Story**:
- US2 (Sanitize/Publish): 28 tasks - FOUNDATIONAL
- US5 (Documentation): 17 tasks
- US3 (Governance): 15 tasks
- US4 (Sync Workflow): 10 tasks
- US1 (Deployment Test): 23 tasks
- Shared (Setup/Foundational/Polish): 32 tasks

**Parallel Opportunities**: 45+ tasks marked [P] for parallel execution

**Independent Test Criteria**:
- US2: gitleaks zero findings + builds pass + no personal refs
- US5: docs complete + sanitized + technically accurate
- US3: fork + change + CI passes + guidelines clear
- US4: sync mock change + validate + no secrets leaked
- US1: clone + deploy + Matrix responds + <30 min

**Suggested MVP Scope**: US2 + US5 + US1 (73 tasks) - Delivers working template with docs, validated on VPS

---

## Notes

- This is a **repository extraction project**, not traditional software development
- Primary activity is copying, sanitizing, documenting, and validating
- Testing is manual validation (gitleaks, nix flake check, VPS deployment)
- No automated test suite needed - validation is built into sanitization/CI contracts
- Each user story delivers independent value:
  - US2: Clean sanitized modules (buildable)
  - US5: Comprehensive documentation (readable)
  - US3: Community contribution capability (forkable)
  - US4: Ongoing maintenance workflow (sustainable)
  - US1: End-to-end deployment validation (usable)
- Success criteria SC-004/SC-005 validated by module/doc checklists in Phase 8
- Security validation (SC-003/SC-009) enforced by gitleaks throughout
- Deployment timing (SC-001) measured during Phase 7