ops-jrz1/specs/001-extract-matrix-platform/tasks.md

Tasks: Extract Matrix Platform Modules for ops-jrz1 Server

Input: Design documents from /specs/001-extract-matrix-platform/ Prerequisites: plan.md, spec.md, research.md, data-model.md, contracts/, quickstart.md

Organization: Tasks are grouped by user story to enable independent implementation and testing of each story. This is a repository extraction project, so tasks focus on extracting, sanitizing, documenting, and publishing rather than traditional software development.

Format: [ID] [P?] [Story] Description

• [P]: Can run in parallel (different files, no dependencies)
• [Story]: Which user story this task belongs to (US1-US5)
• Include exact file paths in descriptions

Path Conventions

This is a SINGLE repository project:

• ops-jrz1 (this repo): Planning docs + extracted modules + server configuration

All work happens in this repository:

• specs/001-extract-matrix-platform/: Planning and design docs (speckit workflow)
• staging/: Temporary workspace for extraction from ops-base
• modules/: Sanitized Matrix modules (extracted from ops-base)
• hosts/ops-jrz1.nix: Server-specific configuration
• flake.nix: Server flake configuration
• configuration.nix: Main server configuration

Repository Architecture

Current Phase: Extract modules from ops-base, sanitize, configure ops-jrz1 dev/test server Future (Deferred): Public template sharing when ready

---

Phase 1: Setup (Shared Infrastructure)

Purpose: Initialize workspace and create basic repository structure

• T001 Create staging directory structure in ~/proj/ops-jrz1/staging/{modules,configurations,docs}
• T002 (OBSOLETE - single repo) Create Forgejo repository - not needed, using ops-jrz1
• T003 (OBSOLETE - single repo) Clone template locally - not needed, using ops-jrz1
• T004 Create directory structure in ops-jrz1 repo root: modules/, hosts/, docs/, secrets/, scripts/ (per plan.md structure)
• T004a Create hosts/ops-jrz1.nix with dev/test server-specific configuration
• T004b Create flake.nix skeleton referencing ops-jrz1 host (will be expanded in T032)
• T004c Create configuration.nix importing ops-jrz1 host module

---

Phase 2: Foundational (Blocking Prerequisites)

Purpose: Core scripts and contracts that MUST be complete before ANY user story can be implemented

⚠️ CRITICAL: No extraction/sanitization work can begin until these tools are ready

• T005 Create scripts/sanitize-files.sh based on contracts/sanitization-rules.yaml (applies all 22 sanitization rules)
• T006 [P] Create scripts/validate-sanitization.sh (runs gitleaks + pattern checks from contracts)
• T007 [P] Create .pre-commit-config.yaml with pre-commit and pre-push hooks (gitleaks + nix flake check + build validation) - PRIMARY VALIDATION
• T008 [P] Create git hooks wrapper scripts in scripts/hooks/ (called by pre-commit framework)
• T009 Create initial .gitignore for ops-jrz1 repo (result, result-, secrets/.yaml except examples)
• T010 Create initial README.md in ops-jrz1 repo (work-in-progress status, planned features)
• T011 [P] Create LICENSE file in ops-jrz1 repo (MIT license text)

Checkpoint: Foundation ready - extraction and sanitization can now begin

---

Phase 3: User Story 2 - Sanitize and Publish Template (Priority: P1) 🎯 FOUNDATIONAL

Goal: Extract modules from ops-base, sanitize all personal information, and create clean publishable repository

Why First: This is the foundational story - must complete before US1 (deployment) can be tested. US2 creates the artifact that US1 uses.

Independent Test: Run sanitization scripts → verify gitleaks finds zero secrets → verify no personal domains/IPs → build all example configs successfully

Module Extraction (US2)

• T012 [P] [US2] Copy modules/matrix-continuwuity.nix from ops-base to staging/modules/
• T013 [P] [US2] Copy modules/mautrix-slack.nix from ops-base to staging/modules/
• T014 [P] [US2] Copy modules/mautrix-whatsapp.nix from ops-base to staging/modules/
• T015 [P] [US2] Copy modules/mautrix-gmessages.nix from ops-base to staging/modules/
• T016 [P] [US2] Copy modules/dev-services.nix from ops-base to staging/modules/
• T017 [P] [US2] Copy modules/security/fail2ban.nix from ops-base to staging/modules/security/
• T018 [P] [US2] Copy modules/security/ssh-hardening.nix from ops-base to staging/modules/security/
• T019 [P] [US2] Copy modules/matrix-secrets/default.nix from ops-base to staging/modules/matrix-secrets/

Configuration Extraction (US2)

• T020 [P] [US2] Copy configurations/vultr-dev.nix from ops-base to staging/configurations/example-vps.nix
• T021 [P] [US2] Copy configurations/dev-vps.nix from ops-base to staging/configurations/example-dev.nix

Sanitization (US2)

• T022 [US2] Run scripts/sanitize-files.sh on staging/modules/ → output to modules/
• T023 [US2] Run scripts/sanitize-files.sh on staging/configurations/ → output to hosts/
• T024 [US2] Manual review of all .nix files for personal references in comments (checklist: comments, docs, inline notes)
• T025 [US2] Add REPLACE_ME comments to domain/workspace/secret fields in sanitized files

Validation (US2)

• T026 [US2] Run scripts/validate-sanitization.sh on modules/ (expect: zero personal domains/IPs/paths)
• T027 [US2] Run scripts/validate-sanitization.sh on hosts/ (expect: zero personal domains/IPs/paths)
• T028 [US2] Run gitleaks detect --no-git --source . (expect: zero secrets found)

Example Files (US2)

• T029 [P] [US2] Create examples/secrets.yaml.example with sops-nix template structure
• T030 [P] [US2] Create examples/.sops.yaml.example with age key placeholder
• T031 [P] [US2] Create examples/minimal-matrix.nix as simplest working configuration

Flake Configuration (US2)

• T032 [US2] Create flake.nix in ops-jrz1 repo (imports: nixpkgs, sops-nix; outputs: ops-jrz1 nixosConfiguration)
• T033 [US2] Run nix flake lock in ops-jrz1 repo to generate flake.lock
• T034 [US2] Run nix flake check in ops-jrz1 repo (expect: all checks pass)
• T035 [US2] Run nix build .#nixosConfigurations.ops-jrz1.config.system.build.toplevel (expect: builds successfully)
• T036 (OBSOLETE - single config) Run nix build .#nixosConfigurations.example-dev.config.system.build.toplevel (expect: builds successfully)

Initial Commit (US2)

• T037 [US2] Commit sanitized modules to ops-jrz1 repo: "Add sanitized NixOS modules for Matrix platform"
• T038 [US2] Commit ops-jrz1 server configuration: "Add ops-jrz1 server configuration"
• T039 (OBSOLETE - single repo) Push to Forgejo (work stays in ops-jrz1 branch)

Checkpoint: User Story 2 complete - sanitized modules in ops-jrz1 repo, builds pass, zero secrets detected

---

Phase 4: User Story 5 - Documentation Extraction (Priority: P3)

Goal: Extract pattern documentation from worklogs and create comprehensive guides

Why Before US1: Documentation must exist for US1 (deployment) testing. Developers need guides to deploy.

Independent Test: Read each doc → verify technical accuracy → verify no personal infrastructure references → verify examples use generic domains/IPs

Pattern Documentation (US5)

• T040 [P] [US5] Extract docs/patterns/config-generation.md from mautrix-slack-bridge-implementation-gmessages-pattern.org worklog
• T041 [P] [US5] Extract docs/patterns/admin-room-setup.md from conduwuit-admin-room-discovery-password-reset.org worklog
• T042 [P] [US5] Sanitize docs/patterns/*.md for personal infrastructure references (check for clarun.xyz, talu.uno, personal IPs)

Bridge Setup Guides (US5)

• T043 [P] [US5] Extract docs/bridges/slack-setup.md from mautrix-slack-socket-mode-oauth-scopes-blocker.org worklog (Socket Mode, OAuth scopes)
• T044 [P] [US5] Create docs/bridges/whatsapp-setup.md from module configuration and QR pairing pattern (authentication flow, troubleshooting)
• T045 [P] [US5] Create docs/bridges/gmessages-setup.md from module configuration and pairing process (prerequisites, common issues)
• T046 [US5] Sanitize docs/bridges/*.md for personal infrastructure references

Core Documentation (US5)

• T047 [P] [US5] Extract docs/secrets-management.md from sops-nix-secrets-management-rfc.md (sops-nix setup, age keys, workflow)
• T048 [P] [US5] Create docs/architecture.md from RFC and worklogs (system design, module relationships, deployment model)
• T049 [P] [US5] Create docs/getting-started.md with 5-minute quickstart (prerequisites, customization, deployment steps)
• T050 [P] [US5] Create docs/deployment.md with detailed deployment guide (VPS setup, DNS, TLS, troubleshooting)
• T051 [US5] Sanitize docs/*.md for personal infrastructure references

Validation (US5)

• T052 [US5] Review all documentation for technical accuracy against actual module code
• T053 [US5] Verify all code examples in docs use example.com/10.0.0.x/generic values
• T054 [US5] Verify all docs link to correct files and sections (no broken internal links)

Commit Documentation (US5)

• T055 [US5] Commit documentation to ops-jrz1 repo: "Add comprehensive documentation extracted from worklogs"
• T056 (OBSOLETE - single repo) Push documentation to Forgejo (work stays in ops-jrz1 branch)

Checkpoint: User Story 5 complete - all 8 required documentation sections present and sanitized

---

Phase 5: User Story 3 - Community Governance (Priority: P3 - OPTIONAL/DEFERRED)

Goal: Add governance files (CONTRIBUTING.md, SECURITY.md) and CI/CD to enable community contributions

Status: Per spec.md US3 is P3-DEFERRED for future public sharing. Can be implemented later when ready for community contributions.

Independent Test: Fork repo → make sample change → verify CI runs → verify contribution guidelines clear

Governance Files (US3)

• T057 [P] [US3] Create CONTRIBUTING.md with contribution guidelines, testing requirements, PR process
• T058 [P] [US3] Create SECURITY.md with vulnerability disclosure process, supported versions, response times
• T059 [P] [US3] Create .github/ISSUE_TEMPLATE/bug_report.yml with structured bug report template
• T060 [P] [US3] Create .github/ISSUE_TEMPLATE/feature_request.yml with feature request template
• T061 [P] [US3] Update README.md with community links, contribution section, code of conduct reference

Git Hooks Validation (US3)

• T062 [US3] Install pre-commit framework in ops-jrz1 repo: pre-commit install
• T063 [US3] Test pre-commit hook blocks bad commit (intentionally add clarun.xyz, verify hook rejects)
• T064 [US3] Test pre-push hook validates builds (make change, verify nix flake check runs before push)
• T065 [US3] Verify hooks pass with valid changes (fix typo, confirm commit/push succeeds)

Repository Settings (US3) - Forgejo

• T066 [US3] Add repository description in Forgejo: "Production-ready NixOS modules for Matrix homeserver with bridges"
• T067 [US3] Configure repository topics in Forgejo: nixos, matrix, continuwuity, mautrix, homeserver, nix-flakes
• T068 [US3] Set repository visibility to private (development phase)
• T069 [DEFER] Enable community features when publishing to public platform (Phase 8)

Commit Governance (US3)

• T070 [US3] Commit governance files to ops-jrz1 repo: "Add community governance and contribution guidelines"
• T071 (OBSOLETE - single repo) Push governance files to Forgejo (work stays in ops-jrz1 branch)

Checkpoint: User Story 3 complete - community can fork, contribute, and submit PRs with git hooks validation

---

Phase 6: User Story 4 - Sync Workflow (Priority: P2)

Goal: Create documented workflow and scripts for syncing future improvements from ops-base to template

Independent Test: Identify sample ops-base changes → run sync script → verify changes sanitized → verify no secrets leaked → builds pass

Sync Scripts (US4)

• T072 [US4] Create scripts/sync-to-template.sh based on research.md sync workflow (identify changes, sanitize, validate)
• T073 [US4] Create sync-log.md in ops-jrz1 repo with initial publication entry (date, ops-base commit, modules list)
• T074 [US4] Add quarterly sync schedule to maintainer calendar (January, April, July, October reminders)

Sync Documentation (US4)

• T075 [US4] Document sync workflow in ops-jrz1 repo README (when to sync, how to use scripts, validation steps)
• T076 [US4] Create sync testing checklist based on contracts/sanitization-rules.yaml (validation steps, expected results)

Sync Testing (US4)

• T077 [US4] Test sync workflow with mock change in ops-base (add comment to module, sync to template, verify sanitized)
• T078 [US4] Verify sync validation catches personal references (intentionally add clarun.xyz, verify script rejects)
• T079 [US4] Verify sync creates git tag and sync-log.md entry correctly

Commit Sync Workflow (US4)

• T080 [US4] Commit sync scripts and documentation to ops-jrz1 repo: "Add sync workflow for ongoing maintenance"
• T081 (OBSOLETE - single repo) Push sync workflow to Forgejo (work stays in ops-jrz1 branch)

Checkpoint: User Story 4 complete - maintainer can sync improvements from ops-base quarterly

---

Phase 7: User Story 1 - Deploy to ops-jrz1 Server (Priority: P1) 🎯 VALIDATION

Goal: Deploy Matrix platform to ops-jrz1 dev/test server using extracted and sanitized modules

Why Last: Requires sanitized modules (US2) and documentation (US5) to be complete before deployment

Independent Test: Customize configuration for ops-jrz1 → deploy to server → verify Matrix responds → verify bridges work

ops-jrz1 Server Provisioning (US1)

• T082 [US1] Verify ops-jrz1 server exists and is accessible via SSH (x86_64-linux, NixOS 24.05+)
• T083 [US1] Configure DNS for ops-jrz1 domain pointing to server IP
• T084 [US1] SSH to ops-jrz1 and verify NixOS version and nix flake support

Deployment Following Docs (US1)

• T085 [US1] Verify ops-jrz1 repo is up to date on branch 001-extract-matrix-platform
• T086 [US1] Follow docs/getting-started.md step-by-step, time the process (target: <30 minutes)
• T087 [US1] Customize hosts/ops-jrz1.nix with server domain and settings
• T088 [US1] Generate age key on ops-jrz1 server: ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
• T089 [US1] Create secrets/secrets.yaml with ops-jrz1 values (matrix registration token, acme email)
• T090 [US1] Encrypt secrets with sops: sops -e -i secrets/secrets.yaml
• T091 [US1] Deploy to ops-jrz1: nixos-rebuild switch --flake .#ops-jrz1 --target-host root@

Functional Validation (US1)

• T092 [US1] Verify Matrix homeserver responds: curl https:///_matrix/client/versions (expect: JSON response)
• T093 [US1] Verify .well-known endpoints: curl https:///.well-known/matrix/server (expect: JSON)
• T094 [US1] Create test user via registration: use matrix registration token
• T095 [US1] Login to Element Web with test user credentials (verify authentication works)
• T096 [US1] Verify systemd services running: ssh root@ops-jrz1 systemctl status matrix-continuwuity

Bridge Testing (US1)

• T097 [US1] Follow docs/bridges/slack-setup.md to configure Slack bridge (if testing bridges)
• T098 [US1] Verify bridge appservice registered with Matrix homeserver
• T099 [US1] Test bridge message flow (send test message, verify delivery)

Issues and Documentation Updates (US1)

• T100 [US1] Document any unclear steps or issues encountered during deployment
• T101 [US1] Update docs/getting-started.md based on deployment experience (fix ambiguities, add troubleshooting)
• T102 [US1] Update docs/deployment.md with any missing steps or common issues discovered

Timing and Metrics (US1)

• T103 [US1] Verify total deployment time from clone to working Matrix was <30 minutes (SC-001)
• T104 [US1] Record deployment experience notes for README improvement

Checkpoint: User Story 1 complete - ops-jrz1 server deployed with working Matrix homeserver in <30 minutes

---

Phase 8: Polish & Cross-Cutting Concerns (Partial Deferral)

Purpose: Final improvements affecting multiple user stories, preparation for v1.0 publication

Note: Public release tasks (T119-T125) are DEFERRED per spec.md Out of Scope. Security validation and build checks remain in scope.

README Expansion

• T105 [P] Expand README.md with ops-jrz1 server overview, Matrix platform features, deployment status
• T106 [P] Add license badge to README:
• T107 (DEFERRED) Add repository links to README (for future public template)
• T108 (DEFERRED) Add community contact info to README (for future public sharing)

Final Security Validation

• T109 Run gitleaks on full ops-jrz1 repository (expect: zero findings) - final verification
• T110 Manual grep for all sensitive patterns: rg 'clarun|talu|192.168.1.|45.77|/home/dan' in sanitized modules/hosts/docs (expect: no matches)
• T111 Review git log for any accidentally committed secrets or personal info in branch 001-extract-matrix-platform
• T112 Verify no .sops.yaml with real age keys committed (only .sops.yaml.example if present)

Build Validation

• T113 Run nix flake check (expect: all checks pass)
• T114 Build ops-jrz1 configuration: nix build .#nixosConfigurations.ops-jrz1 (expect: success)
• T115 (OBSOLETE - single config) Build example-dev configuration - not needed for single-repo ops-jrz1

Module Checklist Verification (SC-004)

• T116 Verify all 6+ core modules present and building: matrix-continuwuity ✓, mautrix-slack ✓, mautrix-whatsapp ✓, mautrix-gmessages ✓, fail2ban ✓, ssh-hardening ✓, plus optional dev-services ✓ and matrix-secrets ✓

Documentation Checklist Verification (SC-005)

• T117 Verify core documentation complete: README ✓, deployment guide ✓, secrets-management ✓, plus optional bridge/pattern docs: slack-setup.md ✓, whatsapp-setup.md ✓, gmessages-setup.md ✓, config-generation.md ✓, admin-room-setup.md ✓

Release Preparation

• T118 Create v1.0.0 release tag: git tag v1.0.0 -m "Initial release - ops-jrz1 Matrix platform"
• T119 (DEFERRED) Create public repository (GitHub/tangl.sh) for template publication
• T120 (DEFERRED) Push sanitized template with tags to public repository

Announcement Preparation (DEFERRED)

• T121 (DEFERRED) [P] Draft announcement post for Matrix.org community (#nix:nixos.org)
• T122 (DEFERRED) [P] Draft announcement post for NixOS Discourse
• T123 (DEFERRED) [P] Draft announcement post for Reddit r/NixOS
• T124 (DEFERRED) [P] Draft Show HN post for Hacker News
• T125 (DEFERRED) Publish announcements across all channels (coordinate timing)

---

Dependencies & Execution Order

Phase Dependencies

• Phase 1 (Setup): No dependencies - can start immediately
• Phase 2 (Foundational): Depends on Phase 1 (Setup) - BLOCKS all user stories
• Phase 3 (US2 - Sanitize): Depends on Phase 2 (Foundational) - scripts must exist first
• Phase 4 (US5 - Docs): Depends on Phase 3 (US2) - modules must be sanitized first
• Phase 5 (US3 - Governance): Can start after Phase 2, parallel with US2/US5
• Phase 6 (US4 - Sync): Can start after Phase 2, parallel with other stories
• Phase 7 (US1 - Deployment): Depends on Phase 3, Phase 4, Phase 5 (needs complete template to test)
• Phase 8 (Polish): Depends on all user stories complete

User Story Dependencies

• US2 (Sanitize/Publish): FOUNDATIONAL - no dependencies, enables all others
• US5 (Documentation): Depends on US2 (modules must exist to document them)
• US3 (Governance): Independent, can run parallel with US2/US5
• US4 (Sync Workflow): Independent, can run parallel with US2/US5
• US1 (Deployment): Depends on US2 + US5 + US3 (needs modules + docs + CI to test)

Critical Path

Phase 1 (Setup)
    ↓
Phase 2 (Foundational - scripts/CI)
    ↓
Phase 3 (US2 - Extract & Sanitize Modules) ← CRITICAL PATH
    ↓
Phase 4 (US5 - Extract Documentation) ← CRITICAL PATH
    ↓
Phase 7 (US1 - VPS Deployment Test) ← CRITICAL PATH
    ↓
Phase 8 (Polish & Release)

Parallel Opportunities:

• Phase 5 (US3) and Phase 6 (US4) can run in parallel with Phase 3/4
• Within Phase 3: T012-T021 (module/config copies) all parallel
• Within Phase 4: T040-T051 (doc extraction) most are parallel
• Within Phase 8: Many polish tasks parallel (T105-T108, T121-T124)

Within Each Phase

Phase 3 (US2) order:

1. Copy all modules/configs in parallel (T012-T021)
2. Run sanitization sequentially (T022-T023) - depends on copies
3. Manual review (T024-T025) - depends on sanitization
4. Validation (T026-T028) - depends on review
5. Create examples in parallel (T029-T031)
6. Flake config sequentially (T032-T036) - incremental dependencies
7. Commit (T037-T039)

Phase 7 (US1) order:

1. VPS provisioning (T082-T084)
2. Clone and customize sequentially (T085-T091) - follows docs
3. Functional validation (T092-T096)
4. Optional bridge testing (T097-T099)
5. Documentation improvements (T100-T102)
6. Metrics collection (T103-T104)

---

Parallel Execution Examples

Phase 2: Foundational Scripts

# All foundational scripts can be created in parallel:
Task: "Create scripts/sanitize-files.sh"
Task: "Create scripts/validate-sanitization.sh"
Task: "Create .github/workflows/ci.yml"
Task: "Create .pre-commit-config.yaml"
Task: "Create LICENSE file"

Phase 3: Module Extraction (US2)

# All module copies can run in parallel:
Task: "Copy modules/matrix-continuwuity.nix"
Task: "Copy modules/mautrix-slack.nix"
Task: "Copy modules/mautrix-whatsapp.nix"
Task: "Copy modules/mautrix-gmessages.nix"
Task: "Copy modules/dev-services.nix"
Task: "Copy modules/security/fail2ban.nix"
Task: "Copy modules/security/ssh-hardening.nix"
Task: "Copy modules/matrix-secrets/default.nix"
Task: "Copy configurations/example-vps.nix"
Task: "Copy configurations/example-dev.nix"

Phase 4: Documentation (US5)

# Pattern docs in parallel:
Task: "Extract docs/patterns/config-generation.md"
Task: "Extract docs/patterns/admin-room-setup.md"

# Bridge guides in parallel:
Task: "Extract docs/bridges/slack-setup.md"
Task: "Create docs/bridges/whatsapp-setup.md"
Task: "Create docs/bridges/gmessages-setup.md"

# Core docs in parallel:
Task: "Extract docs/secrets-management.md"
Task: "Create docs/architecture.md"
Task: "Create docs/getting-started.md"
Task: "Create docs/deployment.md"

---

Implementation Strategy

MVP First (US2 + US5 + US1)

1. Complete Phase 1: Setup (T001-T004)
2. Complete Phase 2: Foundational (T005-T011) - CRITICAL
3. Complete Phase 3: US2 Sanitize (T012-T039) - Extract modules
4. Complete Phase 4: US5 Documentation (T040-T056) - Add docs
5. Skip Phase 5-6 temporarily (governance/sync can wait)
6. Complete Phase 7: US1 Deployment Test (T082-T104) - VALIDATE
7. STOP and EVALUATE: Do we have a working template?

Full v1.0 (All Stories)

1. Complete MVP (above)
2. Add Phase 5: US3 Governance (T057-T071) - Community contributions
3. Add Phase 6: US4 Sync Workflow (T072-T081) - Maintenance
4. Complete Phase 8: Polish (T105-T125) - Final touches & publication

Incremental Delivery

1. Week 1: Setup + Foundational + Module Extraction (T001-T039) → Sanitized modules exist
2. Week 2: Documentation (T040-T056) → Comprehensive docs exist
3. Week 3: Deployment Testing (T082-T104) → Validated working template
4. Week 4: Governance + Sync + Polish (T057-T125) → v1.0 ready for publication

---

Task Summary

Total Tasks: 125

• Phase 1 (Setup): 4 tasks
• Phase 2 (Foundational): 7 tasks (BLOCKING)
• Phase 3 (US2 - Sanitize): 28 tasks
• Phase 4 (US5 - Documentation): 17 tasks
• Phase 5 (US3 - Governance): 15 tasks
• Phase 6 (US4 - Sync): 10 tasks
• Phase 7 (US1 - Deployment): 23 tasks
• Phase 8 (Polish): 21 tasks

By User Story:

• US2 (Sanitize/Publish): 28 tasks - FOUNDATIONAL
• US5 (Documentation): 17 tasks
• US3 (Governance): 15 tasks
• US4 (Sync Workflow): 10 tasks
• US1 (Deployment Test): 23 tasks
• Shared (Setup/Foundational/Polish): 32 tasks

Parallel Opportunities: 45+ tasks marked [P] for parallel execution

Independent Test Criteria:

• US2: gitleaks zero findings + builds pass + no personal refs
• US5: docs complete + sanitized + technically accurate
• US3: fork + change + CI passes + guidelines clear
• US4: sync mock change + validate + no secrets leaked
• US1: clone + deploy + Matrix responds + <30 min

Suggested MVP Scope: US2 + US5 + US1 (73 tasks) - Delivers working template with docs, validated on VPS

---

Notes

• This is a repository extraction project, not traditional software development
• Primary activity is copying, sanitizing, documenting, and validating
• Testing is manual validation (gitleaks, nix flake check, VPS deployment)
• No automated test suite needed - validation is built into sanitization/CI contracts
• Each user story delivers independent value:
  • US2: Clean sanitized modules (buildable)
  • US5: Comprehensive documentation (readable)
  • US3: Community contribution capability (forkable)
  • US4: Ongoing maintenance workflow (sustainable)
  • US1: End-to-end deployment validation (usable)
• Success criteria SC-004/SC-005 validated by module/doc checklists in Phase 8
• Security validation (SC-003/SC-009) enforced by gitleaks throughout
• Deployment timing (SC-001) measured during Phase 7