doc 03 §6/§4/§9 + doc 02: slice 8C implemented — controller de-privileged, slice 8 CLOSED (2026-06-10)

§6: disk-management endpoints + reframed principle (non-data-destructive
self-serve; data-destructive stays operator-signed; classifier = agent-internal
device inspection). §4: data-bearing-ness is agent-internal, never caller-claimed.
§9: 8C implemented, slice 8 CLOSED. doc 02: EXECUTED banner. Validated live
(data-bearing format refused; de-privileged controller).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 14:06:55 +02:00
parent d1a3cd0625
commit c6dd0ed505
3 changed files with 70 additions and 39 deletions
@@ -1,5 +1,13 @@
# Felhom Controller Architecture — Part 2: Controller Module Map
> **EXECUTED (slice 8C, 2026-06-10 — controller v0.37.0).** This map's target state is now realized:
> the disk-execution subsystem (`storage/*`, restic, cross-drive, drive-restore, `disk_layout`,
> `local_infra`, `infra_backup`, `setup/scanner`, `monitor/watchdog`+`pinger`, the storage UI) is
> **deleted** (~12.3k LOC); `backup.Manager` is **split to app-data only**; disk management is
> **rewired to the host agent's local API** (`web/agent_disk_handlers.go` → agent `/disks`); and the
> container is **de-privileged** (no `privileged`, `/dev`, `/etc/fstab`, rshared). The in-guest
> controller is now **Docker-only with no disk/Proxmox privileges**, as designed. See doc 03 §6/§9.
**Status:** audit (keep / port / delete / modify / add), grounded in the v0.33 source.
**Subject:** the v0.33 controller in `felhom-controller/controller/` (110 `.go` files,
~40 K LOC) audited against [01-topology-and-trust.md](01-topology-and-trust.md) and
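Review bot: the new banner states the map's target state is "now realized" against controller v0.37.0, but the unchanged `**Status:**` and `**Subject:**` lines directly beneath it still present the document as a live audit of the v0.33 controller, which now reads as a contradiction; either mark the status as historical (e.g. "audit of v0.33, executed in slice 8C") or move the audit framing under the banner with a note that it predates the execution. Two smaller points in the same hunk: the trailing "See doc 03 §6/§9." is a bare reference where the file otherwise links its sibling documents in the `[01-topology-and-trust.md](01-topology-and-trust.md)` style, so it should be a link too; and the "**deleted** (~12.3k LOC)" and de-privileging claims are made in a 70/39-line docs commit, so the banner should name the commit or slice where those code and compose changes actually landed so a reader can verify that the `privileged`, `/dev`, `/etc/fstab` and rshared removals are in the tree rather than only asserted here.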