docs(adr-009): consolidate ADR & retire implementation plan

Now that ADR-T-009 Phases 1–9 have all landed, fold the
implementation plan into the ADR proper and retire the standalone
plan document. The ADR now carries a single decision-log section
(§D1–§D8) that supersedes the dual "ADR §N / plan §M" numbering
the working docs grew during the phased rollout.

- Delete adr/009-implementation-plan.md (3.2k lines); the surviving
  decisions live in the consolidated ADR.
- Rework adr/009-container-infrastructure-refactor.md: drop the
  "Implementation plan" pointer, mark status simply "Implemented",
  and re-anchor every internal reference onto the §D-series IDs.
- Re-point all stale §N / §9.x / §7.3 cross-references in the
  CI workflow, Containerfile, entry script, su-exec AUDIT, the
  containers guide, and the config-probe rustdoc onto their §D
  equivalents (or onto Acceptance Criterion #N where the plan
  numbering had no ADR analogue).
- Rewrite the CHANGELOG [Unreleased] block as a release-shaped
  narrative (Highlights / Breaking changes / Added / Changed /
  Removed / Fixed / Security) rather than a chronological dump
  of phase bullets.
- Update src/lib.rs rustdoc and README.md to reflect the §D2
  decision: tracker.token and database.connect_url are now
  mandatory schema fields with no shipped defaults, so the docker
  quick-start now shows the required env-var overrides and the
  Configuration section names both fields as mandatory. Also
  correct TORRUST_INDEX_CONFIG_PATH → TORRUST_INDEX_CONFIG_TOML_PATH
  and link the new container guide / ADR alongside the legacy
  docker docs pointer.
- Mention the standalone torrust-index-config crate in the
  Configuration section so readers know where the parsing
  surface lives.

No code or runtime behaviour changes; this is purely the
post-merge documentation tidy-up for ADR-T-009.

Author: peer-cat

.github/workflows/container.yaml

@@ -42,12 +42,12 @@ jobs:
           # output points the reader at the real line.
           if awk '{ sub(/#.*/, ""); print }' compose.yaml \
               | grep -nE 'mailcatcher|MAILER|SMTP|smtp_'; then
-            echo "::error file=compose.yaml::dev mail sidecar / SMTP config present in production-shaped baseline (ADR-T-009 §8.1, §9.1.3)"
+            echo "::error file=compose.yaml::dev mail sidecar / SMTP config present in production-shaped baseline (ADR-T-009 §D1 / §8.1)"
             exit 1
           fi
           echo "compose.yaml clean."
 
-      # Phase 9 §9.2 — vendored `su-exec.c` must not change
+      # Phase 9 / ADR-T-009 §D8 — vendored `su-exec.c` must not change
       # without a fresh audit entry recording the new SHA-256
       # in contrib/dev-tools/su-exec/AUDIT.md.
       - id: su-exec-audit
@@ -59,17 +59,17 @@ jobs:
           recorded=$(sed -n '/^## Audit Log/,$ { s/^SHA-256: \([0-9a-f]\{64\}\)$/\1/p; }' "$audit" | tail -1)
           actual=$(sha256sum contrib/dev-tools/su-exec/su-exec.c | cut -d' ' -f1)
           if [ -z "$recorded" ]; then
-            echo "::error file=$audit::no SHA-256 entry found in '## Audit Log' section (ADR-T-009 §9.2)"
+            echo "::error file=$audit::no SHA-256 entry found in '## Audit Log' section (ADR-T-009 §D8)"
             exit 1
           fi
           if [ "$recorded" != "$actual" ]; then
-            echo "::error file=$audit::recorded SHA-256 ($recorded) does not match contrib/dev-tools/su-exec/su-exec.c ($actual). Append a new dated audit entry per ADR-T-009 §9.2."
+            echo "::error file=$audit::recorded SHA-256 ($recorded) does not match contrib/dev-tools/su-exec/su-exec.c ($actual). Append a new dated audit entry per ADR-T-009 §D8."
             exit 1
           fi
           echo "su-exec audit current ($actual)."
 
-      # Phase 9 §9 / Acceptance Criterion #7 — every env var
-      # listed in the entry script's manifest block must be
+      # Phase 9 / ADR-T-009 Acceptance Criterion #7 — every env
+      # var listed in the entry script's manifest block must be
       # documented in docs/containers.md.
       - id: entry-env-docs
         name: entry-script env vars documented
@@ -80,7 +80,7 @@ jobs:
                   | grep -oE '[A-Z][A-Z0-9_]+' \
                   | sort -u)
           if [ -z "$vars" ]; then
-            echo "::error file=$script::ENTRY_ENV_VARS manifest block not found or empty (ADR-T-009 §9 Crit. #7)"
+            echo "::error file=$script::ENTRY_ENV_VARS manifest block not found or empty (ADR-T-009 Acceptance Criterion #7)"
             exit 1
           fi
           missing=0

CHANGELOG.md

@@ -123,7 +123,7 @@ RUN mkdir -p /app/bin/; \
 # Phase 4: per-binary modes. Application binary stays
 # world-executable; root-phase-only helpers (health-check,
 # auth-keypair, config-probe) tighten to root-only
-# (0500 root:root) per ADR-T-009 §6 / §7.3 — same posture as
+# (0500 root:root) per ADR-T-009 §D4 / §D5 — same posture as
 # busybox, su-exec, jq. The healthcheck binary is invoked
 # from HEALTHCHECK, which runs as root (no --user in the
 # directive), so 0500 is sufficient. The config-probe is
@@ -156,7 +156,7 @@ RUN mkdir -p /app/bin/; \
 # Phase 4: per-binary modes (see test_debug above for rationale).
 # The healthcheck binary is invoked from HEALTHCHECK, which
 # runs as root (no --user in the directive), so 0500 is
-# sufficient. The config-probe (ADR-T-009 §6 / §7) is invoked
+# sufficient. The config-probe (ADR-T-009 §D3) is invoked
 # only from the entry script's pre-su-exec phase, so it is
 # also root-only.
 RUN chown -R root:root /app; chmod -R u=rw,go=r,a+X /app; \

Containerfile

@@ -125,7 +125,7 @@ _Optionally, you may choose to supply the entire configuration as an environment
 TORRUST_INDEX_CONFIG_TOML=$(cat "./storage/index/etc/index.toml") cargo run
 ```
 
-_For deployment, you __should__ override the `tracker_api_token`:_
+_For deployment, you __should__ override the `tracker.token` (per ADR-T-009 §D2 it is mandatory; the shipped TOMLs no longer carry a default):_
 
 ```sh
 # Override secrets in configuration using environmental variables