feat: add server baseline spec, status command, and test suite workplan

- Fix duplicate `converge` Makefile target (was causing warnings)
- Fix `make status` SSH hardening check (use grep on sshd_config instead
  of sshd -T which fails without hostkeys)
- Add `make status` target with connectivity, UFW, fail2ban, SSH checks
- Add spec/server-baseline.yaml — authoritative target-state spec for
  all managed nodes (firewall, SSH, services, packages, users)
- Add workplan RAIL-HO-WP-0002 for Goss test suite and repo boundary ADR

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-09 11:08:16 +00:00
parent abbc5bab2c
commit 2be5de2a3a
3 changed files with 358 additions and 3 deletions


@@ -129,9 +129,6 @@ tf-providers-plan: ## Plan after an upgrade (uses HCLOUD_TOKEN if set)
ansible-bootstrap: ## Run base bootstrap play (users, ssh, ufw, sops-agent)
cd ansible && ansible-playbook playbooks/bootstrap.yaml -u admin
converge: ansible-bootstrap ## Alias for current bootstrap converge
@true
# ---- Orchestration ----
apply: tf-fmt tf-apply ansible-bootstrap ## Provision via Terraform then converge via Ansible
@@ -189,6 +186,16 @@ ansible-inventory: ## Print the dynamic inventory Ansible will use
ansible-ping: ## Quick connectivity check (SSH + Python availability)
cd $(ANS_DIR) && ansible all -u $(SSH_USER) -m ping
status: ## Show live security state of all hosts (UFW, fail2ban, SSH hardening)
@echo "=== Connectivity ==="
cd $(ANS_DIR) && ansible all -u $(SSH_USER) -m ping
@echo "=== UFW ==="
cd $(ANS_DIR) && ansible all -u $(SSH_USER) -m shell -a "ufw status" --become
@echo "=== fail2ban ==="
cd $(ANS_DIR) && ansible all -u $(SSH_USER) -m shell -a "systemctl is-active fail2ban"
@echo "=== SSH hardening ==="
cd $(ANS_DIR) && ansible all -u $(SSH_USER) -m shell -a "grep -iE '^(PermitRootLogin|PasswordAuthentication)' /etc/ssh/sshd_config" --become
converge: ## Converge all hosts to the baseline (idempotent)
cd $(ANS_DIR) && ansible-playbook $(PLAY) -u $(SSH_USER)
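Review bot: The SSH hardening check on the last recipe line of `status` reads only `/etc/ssh/sshd_config`, so on images whose main file carries `Include /etc/ssh/sshd_config.d/*.conf` (cloud-init drop-ins such as `50-cloud-init.conf` are common) the value printed here can differ from the one sshd actually applies, because sshd keeps the first occurrence of a directive and the Include usually sits near the top of the file. grep also exits 1 when neither directive is set explicitly, which fails the Ansible task and aborts `make status` part-way, so a host running on compiled-in defaults reads as an error rather than as "no explicit setting". A reading that covers the drop-ins and keeps the target going on a missing directive would be `cd $(ANS_DIR) && ansible all -u $(SSH_USER) -m shell -a "grep -iEH '^(PermitRootLogin|PasswordAuthentication)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf || echo 'no explicit setting'" --become`, with the caveat that the drop-in directory may not exist on every image, so a guard on it may be needed. The same abort-on-non-zero behaviour applies to `systemctl is-active fail2ban` on an inactive host, which may be intended but is worth a comment on the target. If the Makefile maintains a `.PHONY` list, `status` should be added to it; that list is outside this hunk.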