# Achievements

## Built

- control plane for enrollment, key rotation, revocation, admin login, audit, and signed catalog publication
- client bootstrap CLI with local key generation
- gateway config renderer that avoids storing gateway private keys in the control plane
- policy layer for ingress gateway, front-door, and egress pool selection
- provider-aware planning and reconciliation
- real Hetzner adapter slice
- plan/apply orchestrator path
- local tracer bullet
- provider smoke-test CLI

## Proven

- unit tests cover auth, catalog signing, gateway/egress policy, region blueprinting, WireGuard config generation, and reconciliation logic
- integration tests cover the control-plane end-to-end API lifecycle
- tracer bullet proves the local end-to-end path from identity generation to gateway config rendering and signed catalog issuance
- smoke tests prove provider-specific planning for Hetzner ingress and egress resources

## Not Yet Proven

- real live Hetzner server creation
- real live Hetzner primary IP allocation
- DigitalOcean live provisioning
- database-backed state migration
- automated cleanup of cloud smoke resources

## Immediate Priorities

- complete live Hetzner validation with cleanup
- bootstrap and register gateways after provisioning
- implement client-side signed catalog consumption and failover
- migrate state off JSON files