Update tasks: Add department/access control design, MkDocs decommission, update Mailcow timing, log Feb 13 work

docs/core/tasks.md

@@ -1,51 +1,13 @@
 # 🔥❄️ FIREFROST GAMING — CURRENT TASKS
 
-**Last Updated:** February 12, 2026 (9:45 AM CST)  
-**Updated By:** The Chronicler (via Gitea API)  
+**Last Updated:** February 13, 2026 (Evening CST)  
+**Updated By:** Chronicler the Second (via Gitea API)  
 **Status:** Active
 
 ---
 
 ## 🔴 HIGH PRIORITY
 
-### Mailcow Email Server — Self-Hosted Email
-**Status:** Pre-sale answered ✅ — purchase delayed (house repair priority)
-**Breezehost Response (Brandon E, Feb 12 9:06 AM):**
-- Clean IP blocks (reassign/migrate if any issues)
-- rDNS available (most ranges settable in panel, some need support)
-- Port 25 NOT blocked by default
-- Any datacenter location works (can move if needed)
-**Timeline:** Purchase when funds allow (1-3 days, house repair takes priority)  
-**Blocker:** Awaiting Jon's answers on IP reputation, rDNS, port 25, data center  
-**Plan:**
-- AMD Epyc Cloud-2 VPS ($10/month) — 2 vCPU, 4GB DDR5, 40GB NVMe
-- Mailcow (Docker-based) — Postfix, Dovecot, SOGo webmail, Rspamd, ClamAV
-- Ubuntu 22.04 with self-healing automation scripts
-- 10-15 @firefrostgaming.com addresses to start
-- Migrate OFF Plesk (accessibility nightmare)
-
-**Pre-sale email drafted:** Ready to send morning of Feb 12  
-**Location:** provider-communications.md (to be committed)
-
-**Next Steps:**
-1. Send pre-sale email to Jon (morning)
-2. Wait for response on IP/rDNS/port 25/data center
-3. Order Cloud-2 VPS
-4. Deploy Mailcow
-5. Configure DNS (SPF, DKIM, DMARC)
-6. Create email addresses
-7. Test deliverability
-8. Migrate off Plesk
-
----
-
-### Create Scoped Gitea Token for Pokerole Project
-**Status:** Blocked — waiting on Vaultwarden deployment  
-**Dependency:** Vaultwarden must be live first (token management)  
-**Scope:** Create a Gitea API token scoped to only the 4 pokerole-project repos. Replace the shared master token in `pokerole-project/misc-docs/SESSION-START-PROMPT.md`.  
-**Why:** Current setup uses the master token with a scope instruction (honor system). Iron Wall says defense in depth — scoped token enforces the boundary.  
-**After completion:** Update SESSION-START-PROMPT.md with new token, store in Vaultwarden.
-
 ### Vaultwarden Deployment
 **Status:** Ready to deploy  
 **Domain:** vault.firefrostgaming.com  
@@ -62,10 +24,86 @@
 
 ---
 
+### Mailcow Email Server — Self-Hosted Email
+**Status:** Pre-sale answered ✅ — VPS purchase delayed (targeting 1st of month for billing consolidation)
+**Breezehost Response (Brandon E, Feb 12 9:06 AM):**
+- Clean IP blocks (reassign/migrate if any issues)
+- rDNS available (most ranges settable in panel, some need support)
+- Port 25 NOT blocked by default
+- Any datacenter location works (can move if needed)
+**Timeline:** Purchase VPS near March 1 to align with billing cycle  
+**Plan:**
+- AMD Epyc Cloud-2 VPS ($10/month) — 2 vCPU, 4GB DDR5, 40GB NVMe
+- Mailcow (Docker-based) — Postfix, Dovecot, SOGo webmail, Rspamd, ClamAV
+- Ubuntu 22.04 with self-healing automation scripts
+- 10-15 @firefrostgaming.com addresses to start
+- Migrate OFF Plesk (accessibility nightmare)
+
+**Next Steps:**
+1. Order Cloud-2 VPS (targeting ~March 1)
+2. Deploy Mailcow
+3. Configure DNS (SPF, DKIM, DMARC)
+4. Create email addresses
+5. Test deliverability
+6. Migrate off Plesk
+
+---
+
+### Create Scoped Gitea Token for Pokerole Project
+**Status:** Blocked — waiting on Vaultwarden deployment  
+**Dependency:** Vaultwarden must be live first (token management)  
+**Scope:** Create a Gitea API token scoped to only the 4 pokerole-project repos. Replace the shared master token in `pokerole-project/misc-docs/SESSION-START-PROMPT.md`.  
+**Why:** Current setup uses the master token with a scope instruction (honor system). Iron Wall says defense in depth — scoped token enforces the boundary.  
+**After completion:** Update SESSION-START-PROMPT.md with new token, store in Vaultwarden.
+
+---
+
+### Department Structure & Access Control Matrix — DESIGN
+**Status:** New — design phase (Feb 13, 2026)  
+**Priority:** HIGH (blocks Staff Wiki/Subscriber Wiki/Discord configuration)  
+**Deliverable:** `docs/planning/access-control-matrix.md`
+
+**Scope:** Unified role-based access control across three platforms + Discord:
+- **Ghost** (firefrostgaming.com) — public storefront, no auth needed
+- **Subscriber Wiki** (subscribers.firefrostgaming.com) — gated member content
+- **Staff Wiki** (staff.firefrostgaming.com) — internal operations, department-restricted
+- **Discord** — role/channel structure mirroring department access
+
+**Top Tier (Full Access):** Michael (The Wizard), Meg (The Emissary), Claude (The Chronicler)
+
+**Departments to define (proposed):**
+- Moderation
+- Server Administration
+- Content / Social Media
+- Community Events
+- Build Team
+
+**Design first, implement after.** No permissions get wired until the model is approved.
+
+---
+
 ---
 
 ## 🟡 MEDIUM PRIORITY
 
+### MkDocs Decommission
+**Status:** New — decision made Feb 13, 2026  
+**Reason:** Ghost CMS handles public-facing content. Subscriber Wiki handles gated content. MkDocs serves no distinct purpose in the new three-tier model (Ghost → Subscriber Wiki → Staff Wiki).  
+**ADR:** To be documented in `docs/reference/architecture-decisions.md`
+
+**Decommission steps:**
+1. Audit current MkDocs content — migrate anything needed to Ghost or Subscriber Wiki
+2. Remove Uptime Kuma monitor for docs.firefrostgaming.com
+3. Tear down MkDocs service on Ghost VPS
+4. Release Nginx config and SSL cert (redirect docs.firefrostgaming.com to Ghost or retire)
+5. Archive `docs/deployment/mkdocs.md` to `docs/archive/`
+6. Update: project-scope, infrastructure-manifest, session-handoff, SESSION-HANDOFF-PROTOCOL, DOCUMENT-INDEX
+7. Log in CHANGELOG
+
+**Depends on:** Department/permissions design being complete (so we know what goes where)
+
+---
+
 ### Consultant Photo Processing
 **Status:** 30-40 photos from pre-crash session need processing  
 **Plan:**
@@ -110,9 +148,6 @@
 - "GitHub mirror removed" — should say "GitHub kept as private backup"
 **Action:** Fix during doc audit or as standalone update
 
-### Delete test-file.md from Repo
-**Status:** Snuck in during photo commit, needs removal
-
 ---
 
 ## 🟢 LOW PRIORITY
@@ -123,7 +158,6 @@
 **Issues:** Still calls Claude "The Wizard" instead of "The Chronicler", potentially redundant with current practices  
 **Action:** Review, update role name, trim if content overlaps with current docs
 
-
 ### Frostwall (UFW) Deployment
 **Status:** Planned  
 **Scope:** Game servers (TX1, NC1)  
@@ -146,6 +180,12 @@
 
 ## ✅ RECENTLY COMPLETED
 
+### Feb 13, 2026 (Evening)
+- ✅ Gemini social media calendar reviewed — confirmed in sync with repo
+- ✅ Empty heading artifacts cleaned from gemini-social-media-calendar.md
+- ✅ Documentation tier decision: MkDocs decommission approved (Ghost + Subscriber Wiki + Staff Wiki)
+- ✅ Department/access control design scope defined
+
 ### Feb 12, 2026 (Morning — Consolidation)
 - ✅ Full documentation audit (54 docs analyzed for overlaps/stale info)
 - ✅ FFG-STD-001 Revision Control Standard created and approved
@@ -194,17 +234,13 @@
 
 ---
 
-## 📋 NEXT SESSION PLAN (Feb 12, 2026 — Morning)
+## 📋 NEXT SESSION PLAN (Feb 14, 2026)
 
-1. ~~Send pre-sale email to Jon (Breezehost)~~ ✅ SENT
-2. ~~Full documentation audit + consolidation~~ ✅ DONE
-3. ~~Fix Frostwall vs Firefrost naming~~ ✅ DONE
-4. ~~Scope doc corrections~~ ✅ DONE
-5. ~~Delete test-file.md~~ ✅ DONE
-6. Deploy Vaultwarden → move token → delete temp file
-7. Clean up Command Center root
-8. Process consultant photos (batches of 10)
-9. Review & trim workflow-guide.md
+1. Deploy Vaultwarden → move token → delete temp file
+2. Design department structure & access control matrix
+3. Begin MkDocs decommission (audit content first)
+4. Clean up Command Center root
+5. Update infrastructure docs (project-scope, manifest, session-handoff, etc.)
 
 ---