unifi-wifi: pfSense compat layer ON HOLD — Cascades pfSense too old for RESTAPI pkg, needs upgrade first

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 14:11:33 -07:00
parent 1118594cd2
commit e3bb7d3f95
2 changed files with 19 additions and 7 deletions


@@ -43,7 +43,9 @@ path is Cascades — override with the script's vault-path arg per client.
to ride out transient VPN flaps without wasting a sweep. to ride out transient VPN flaps without wasting a sweep.
- **[WIP] Client DHCP/DNS policy, deeper VPN (server) config, adoption *remediation* depth** — port-forward - **[WIP] Client DHCP/DNS policy, deeper VPN (server) config, adoption *remediation* depth** — port-forward
+ WAN firewall is now covered (gw-control); remaining gateway config (VPN server stand-up, DHCP/DNS) is future. + WAN firewall is now covered (gw-control); remaining gateway config (VPN server stand-up, DHCP/DNS) is future.
- **[SCAFFOLDED] pfSense gateway compatibility layer** — `scripts/pfsense-backend.sh` (REST API pkg backend). - **[SCAFFOLDED — ON HOLD] pfSense gateway compatibility layer** — `scripts/pfsense-backend.sh` (REST API pkg backend).
ON HOLD (Howard 2026-06-16): the RESTAPI package needs a newer pfSense than Cascades runs — **blocked on a
pfSense upgrade** before any live use. Code is complete; see ROADMAP §E "BLOCKER / Resume trigger".
`gw-audit.sh`/`gw-control.sh` now **auto-dispatch** to it when a site has no UniFi gateway (num_gw=0) AND a `gw-audit.sh`/`gw-control.sh` now **auto-dispatch** to it when a site has no UniFi gateway (num_gw=0) AND a
pfSense API cred is vaulted at `clients/<slug>/pfsense-api` (or pass `--pfsense <slug>` when the UOS site pfSense API cred is vaulted at `clients/<slug>/pfsense-api` (or pass `--pfsense <slug>` when the UOS site
name differs from the client slug) — the SAME verbs (`gw-audit`, `pf-list/disable/enable/set-ports`, name differs from the client slug) — the SAME verbs (`gw-audit`, `pf-list/disable/enable/set-ports`,
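Review bot: the `[SCAFFOLDED — ON HOLD]` tag and the new "ON HOLD (Howard 2026-06-16)" line are not carried into the auto-dispatch sentence that immediately follows, which still reads as if `gw-audit.sh`/`gw-control.sh` will route to `scripts/pfsense-backend.sh` as soon as a site has `num_gw=0` and a cred is vaulted at `clients/<slug>/pfsense-api`. Since the ROADMAP hunk states the live REST calls have never run against a real pfSense and the v2 endpoint paths are unverified, a vaulted key alone should not be enough to reach the write verbs (`pf-disable/enable/set-ports`) through an unvalidated backend. Suggest either adding one clause here, e.g. "dispatch currently lands on an unvalidated backend until the pfSense upgrade and first live `gw-audit` are done", or having the dispatch fail closed (the tested BLOCKED path) unless an explicit opt-in accompanies `--apply`, and saying so in this paragraph.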


@@ -119,12 +119,22 @@ exists for at least two sites; per-client pfSense cred vaulting mirrors the AP-S
collectors). DONE: writes are `--apply`-gated and save a per-object rollback to `.claude/tmp/`, and collectors). DONE: writes are `--apply`-gated and save a per-object rollback to `.claude/tmp/`, and
pfSense `firewall/apply` is called after each change. config.xml backup-first is the SSH-fallback's job. pfSense `firewall/apply` is called after each change. config.xml backup-first is the SSH-fallback's job.
**STATUS: SCAFFOLDED — live validation pending.** Build complete (backend + dispatch + setup helper); **STATUS: SCAFFOLDED — ON HOLD (blocked on pfSense upgrade).** Build complete (backend + dispatch +
the BLOCKED/setup/no-cred-hint paths are tested. The live REST calls (audit/pf-*/fw-*/block-ips) need a setup helper); the BLOCKED/setup/no-cred-hint paths are tested. The live REST calls
reachable pfSense with the API pkg installed + a key vaulted; REST endpoint paths follow the v2 schema and (audit/pf-*/fw-*/block-ips) need a reachable pfSense with the API pkg installed + a key vaulted; REST
must be verified against the installed API version on first live run. Cascades + ACG office have pfSense endpoint paths follow the v2 schema and must be verified against the installed API version on first live run.
web creds vaulted (`clients/cascades-tucson/pfsense-firewall`, `infrastructure/pfsense-firewall`) — still
need the API key added at `clients/<slug>/pfsense-api`. **[BLOCKER — Howard 2026-06-16]** `pfSense-pkg-RESTAPI` is third-party and the **Cascades pfSense is too
old to install it**. PREREQUISITE: **upgrade the Cascades pfSense** (firmware) before the package will
install. Work is ON HOLD until that upgrade is done. After the upgrade: install RESTAPI → mint a read-only
key (write-capable for control) → `pfsense-backend.sh clients/cascades-tucson/pfsense-api setup`
vault url+apikey at `clients/cascades-tucson/pfsense-api` → first live `gw-audit cascades` to verify
v2 endpoints. (Also blocked from Howard-Home by the `.0.0/24` home-LAN shadow over pfSense `192.168.0.1`
run the first live validation from/through the Cascades network.) ACG office pfSense (`infrastructure/
pfsense-firewall`) may be a newer box usable as the first live test once it has the pkg + a vaulted key.
**Resume trigger:** Cascades (or another client) pfSense upgraded + RESTAPI installable. The code is done;
resuming = the setup/vault steps above + endpoint verification, no further build expected unless v2 paths differ.
- [ ] **Site→gateway map:** record per-site gateway type + access (UOS site_id ↔ pfSense host/cred) so the - [ ] **Site→gateway map:** record per-site gateway type + access (UOS site_id ↔ pfSense host/cred) so the
driver auto-selects. Could live alongside `sites.sh` output. driver auto-selects. Could live alongside `sites.sh` output.
- [ ] **VPN convergence:** the "Deeper VPN — gateway-hosted VPN server" item (C) is *easier and better* on - [ ] **VPN convergence:** the "Deeper VPN — gateway-hosted VPN server" item (C) is *easier and better* on
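Review bot: the resume steps say "mint a read-only key (write-capable for control)", which is contradictory for a single key and leaves it unclear what privilege ends up vaulted at `clients/cascades-tucson/pfsense-api` and used by the `--apply`-gated writes. Suggest spelling out two keys with separate vault entries, a read-only one for `gw-audit` and a write-capable one for `gw-control`, so the audit path never carries write privilege and the rollback/`firewall/apply` flow is only reachable with the second. Two smaller documentation points in the same hunk: the rewrite drops the old line's reference to the Cascades web cred at `clients/cascades-tucson/pfsense-firewall` (only `infrastructure/pfsense-firewall` survives, now attached to the ACG office box), so a reader no longer knows the Cascades GUI cred is already vaulted; and the parenthetical "(Also blocked from Howard-Home by the `.0.0/24` home-LAN shadow over pfSense `192.168.0.1` run the first live validation ...)" reads as truncated, with the subnet prefix missing before `.0.0/24` and no break before "run the first live validation". Also worth a separator (arrow or semicolon) between `... pfsense-api setup` and "vault url+apikey" so the step list stays unambiguous.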