Update tasks.md: Vaultwarden complete, add security hardening task

docs/core/tasks.md

@@ -1,7 +1,7 @@
 # 🔥❄️ FIREFROST GAMING — CURRENT TASKS
 
-**Last Updated:** February 13, 2026 (Late Night CST)
-**Updated By:** The Engineer (Chronicler the Fifth)
+**Last Updated:** February 13, 2026 (Late Evening CST)
+**Updated By:** The Sixth (Chronicler the Sixth)
 **Status:** Active
 
 ---
@@ -35,20 +35,6 @@
 ---
 
 
-### Vaultwarden Deployment
-**Status:** Ready to deploy  
-**Domain:** vault.firefrostgaming.com  
-**Location:** Command Center VPS  
-**Priority:** HIGH (API token currently in temp file in repo)  
-
-**Why Now:**
-- Gitea API token needs secure storage (currently in `docs/core/gitea-api-token-TEMPORARY.md`)
-- Growing number of service credentials
-- Team password management for staff
-- Accessibility-friendly web UI
-
-**After deployment:** Move token to Vaultwarden, delete temp file from repo.
-
 ---
 
 ### Mailcow Email Server — Self-Hosted Email
@@ -113,6 +99,34 @@
 
 ## 🟡 MEDIUM PRIORITY
 
+### Command Center Security Hardening
+**Status:** New — identified Feb 13, 2026  
+**Priority:** MEDIUM (UFW active, but can be improved)  
+**Scope:** Command Center VPS (63.143.34.217)
+
+**Current State:**
+- ✅ UFW enabled with default deny incoming
+- ✅ Ports 22, 80, 443 open on primary IP
+- ❌ Fail2Ban not installed
+- ❌ SSH not hardened (still allows password auth)
+- ❌ No rate limiting on SSH
+
+**Tasks:**
+1. Install and configure Fail2Ban (auto-ban brute force attempts)
+2. SSH hardening:
+   - Disable password authentication (key-only)
+   - Consider non-standard SSH port
+   - Rate limit connection attempts
+3. Review UFW rules (ensure minimal necessary access)
+4. Document security configuration in repo
+
+**Why Medium Priority:**
+- Breezehost provides network-level DDoS protection
+- UFW already active with sensible defaults
+- No active threats, but defense-in-depth is good practice
+
+---
+
 ### MkDocs Decommission
 **Status:** New — decision made Feb 13, 2026  
 **Reason:** Ghost CMS handles public-facing content. Subscriber Wiki handles gated content. MkDocs serves no distinct purpose in the new three-tier model (Ghost → Subscriber Wiki → Staff Wiki).  
@@ -317,6 +331,19 @@ Each server gets: name, uuid, node, tier, enabled flag
 
 ## ✅ RECENTLY COMPLETED
 
+### Feb 13, 2026 (Late Evening — Vaultwarden Deployment)
+- ✅ Docker installed on Command Center (docker.io + docker-compose)
+- ✅ Vaultwarden deployed via Docker (vault.firefrostgaming.com)
+- ✅ SSL certificate obtained via Certbot (Let's Encrypt)
+- ✅ Nginx reverse proxy configured with HTTPS
+- ✅ UFW rules added for ports 80/443 on primary IP
+- ✅ DNS configured (A record, DNS-only/gray cloud)
+- ✅ Admin account created, public signups disabled
+- ✅ Gitea API token migrated to Vaultwarden vault
+- ✅ Temporary token file deleted from Git repo
+- ✅ Bitwarden browser extension installed and configured
+- ✅ SESSION-START-PROMPT.md updated to reference Vaultwarden
+
 ### Feb 13, 2026 (Evening)
 - ✅ Gemini social media calendar reviewed — confirmed in sync with repo
 - ✅ Empty heading artifacts cleaned from gemini-social-media-calendar.md
@@ -389,3 +416,4 @@ Each server gets: name, uuid, node, tier, enabled flag
 ---
 
 **Fire + Frost + Foundation = Where Love Builds Legacy** 💙🔥❄️
+