Add homelab services stack PRD

Verifies 16 DockerHub images, assigns target nodes per locked policy,
defines 3-phase deployment order (Infra → Media → Polish),
and captures open questions for Bobby.

Services: Traefik, Technitium DNS, AdGuard Home, Prometheus, Grafana,
Beszel, Dozzle, Portainer, Homepage, Authelia, Vaultwarden, Jellyfin,
Sonarr, Radarr, Prowlarr, Nextcloud

Domain: *.ai.home
No public internet exposure.

plans/02-success-criteria.md

@@ -0,0 +1,25 @@
+# Iron Legion Homelab Services Stack — Success Criteria
+
+## Done When
+1. ✅ Every service in the catalog has a verified DockerHub image with a non-stale last-update date (≤ 90 days old at time of cataloging)
+2. ✅ Every service has an assigned target node that respects the **Node Assignments Locked** policy
+3. ✅ Every service has a deployment phase (1, 2, or 3) agreed by Bobby
+4. ✅ Network ingress/egress flow is documented at the service level (who talks to whom, via what port/protocol)
+5. ✅ A single `docker-compose.yml` skeleton exists per phase, ready for population
+6. ✅ Bobby has read and approved this PRD; any objections are captured as blockers below
+
+## Verification Methods
+- DockerHub API freshness check: `last_updated` field within 90 days
+- Node lock compliance: cross-reference against `fleet-ops.md` node assignments
+- Compose skeleton existence: `ls ~/.ansible-repo/new-build/phase-*.yml`
+
+## Failure Modes
+| Failure | Mitigation |
+|---------|------------|
+| DockerHub image stale or abandoned | Flag for alternative image research |
+| Node assignment conflicts with locked policy | Escalate to Bobby immediately |
+| Service dependency on another Phase 2+ service | Note in Open Questions, defer deployment |
+
+## Known Blockers
+- **Authelia** requires a domain + valid TLS cert. If Bobby does not want to expose to public internet, Traefik + internal Tailscale cert or self-signed CA required.
+- **Technitium DNS** upstream forwarding policy not yet specified (DoH, DoT, plain UDP?).