Transcribe backlog tasks into plan documents (#151)

## Summary
- **adopt-oidc-provider:** Dex-based OIDC identity provider for SSO across services (status: Planning — service dependency/recovery design needed)
- **harden-zot-registry:** OIDC + API key auth and tag immutability for zot (depends on OIDC provider + Dagger CI)
- **forgejo-actions-dashboard:** Custom textfile Prometheus exporter + Grafana dashboard for Forgejo Actions CI metrics
- **operationalize-reolink-camera:** Cloud-free Frigate NVR with ONNX detection, NFS ring buffer recording to sifaka (depends on network segmentation)
- **add-unifi-pulumi-stack:** Expanded with NFS security motivation, BlumeOps Services subnet, IoT/appliance segregation, firewall rules

## Test plan
- [x] Pre-commit hooks pass (all 3 commits)
- [x] `docs-check-links` passes
- [x] `docs-check-index` passes
- [x] `docs-check-filenames` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/151

docs/how-to/how-to.md

@@ -56,3 +56,7 @@ Migration and transition plans for upcoming infrastructure changes.
 | [[add-unifi-pulumi-stack]] | Add Pulumi IaC for UniFi Express 7 |
 | [[adopt-dagger-ci]] | Adopt Dagger as CI/CD build engine |
 | [[upstream-fork-strategy]] | Stacked-branch forking strategy for upstream projects |
+| [[adopt-oidc-provider]] | Deploy OIDC identity provider for SSO across services |
+| [[harden-zot-registry]] | Add authentication and tag immutability to zot registry |
+| [[forgejo-actions-dashboard]] | Grafana dashboard for Forgejo Actions CI metrics |
+| [[operationalize-reolink-camera]] | Cloud-free NVR with Frigate and ring buffer recording |