docs: update CLAUDE.md for playbook-based deployment

Document WireGuard connectivity, playbook architecture, --check
flag, parallel execution, and updated ad-hoc ansible commands
using toolkit inventory.

CLAUDE.md

@@ -37,30 +37,47 @@ All deployment and service management is handled by `tools/`:
 
 ```
 tools/
-  lib/ppf-common.sh     shared library (hosts, wrappers, colors)
-  ppf-deploy            deploy code to nodes
-  ppf-logs              view container logs
-  ppf-service           manage containers (status/start/stop/restart)
+  lib/ppf-common.sh           shared library (hosts, wrappers, colors)
+  ppf-deploy                   deploy wrapper (local validation + playbook)
+  ppf-logs                     view container logs
+  ppf-service                  manage containers (status/start/stop/restart)
+  playbooks/
+    deploy.yml                 ansible playbook (sync, compose, restart)
+    inventory.ini              hosts with WireGuard IPs + SSH key
+    group_vars/
+      all.yml                  shared vars (ppf_base, ppf_owner)
+      master.yml               odin paths + compose file
+      workers.yml              worker paths + compose file
 ```
 
 Symlinked to `~/.local/bin/` for direct use.
 
+### Connectivity
+
+All tools connect over WireGuard (`10.200.1.0/24`) as user `ansible`
+with the SSH key at `/opt/ansible/secrets/ssh/ansible`.
+
 ### Deployment
 
+`ppf-deploy` validates syntax locally, then runs the Ansible playbook.
+Hosts execute in parallel; containers restart only when files change.
+
 ```bash
 ppf-deploy                  # all nodes: validate, sync, restart
 ppf-deploy odin             # master only
 ppf-deploy workers          # cassius, edge, sentinel
 ppf-deploy cassius edge     # specific hosts
 ppf-deploy --no-restart     # sync only, skip restart
+ppf-deploy --check          # dry run (ansible --check --diff)
+ppf-deploy -v               # verbose ansible output
 ```
 
-Steps performed automatically:
-1. Validate Python syntax locally
-2. Rsync `*.py` + `servers.txt` (root for odin, `src/` for workers)
-3. Copy compose file per role (`compose.master.yml` / `compose.worker.yml`)
-4. Fix ownership (`chown -R podman:podman`)
-5. Restart containers and show status
+Playbook steps (per host, in parallel):
+1. Rsync `*.py` + `servers.txt` (role-aware destination via group_vars)
+2. Copy compose file per role (`compose.master.yml` / `compose.worker.yml`)
+3. Fix ownership (`podman:podman`, recursive)
+4. Restart containers via handler (only if files changed)
+5. Show container status
 
 ### Container Logs
 
@@ -83,19 +100,19 @@ ppf-service start workers   # start all workers
 
 ### Direct Ansible (for operations not covered by tools)
 
-Tools use `/opt/ansible` venv and `ANSIBLE_REMOTE_TMP=/tmp/.ansible`
-internally. For ad-hoc operations:
+Use the toolkit inventory for ad-hoc commands over WireGuard:
 
 ```bash
 cd /opt/ansible && source venv/bin/activate
+INV=/home/user/git/ppf/tools/playbooks/inventory.ini
 
 # Check worker config
-ANSIBLE_REMOTE_TMP=/tmp/.ansible ansible cassius,edge,sentinel \
-  -m shell -a "grep -E 'threads|timeout|ssl' /home/podman/ppf/config.ini"
+ansible -i $INV workers -m shell \
+  -a "grep -E 'threads|timeout|ssl' /home/podman/ppf/config.ini"
 
 # Modify config option
-ANSIBLE_REMOTE_TMP=/tmp/.ansible ansible cassius,edge,sentinel \
-  -m lineinfile -a "path=/home/podman/ppf/config.ini line='ssl_only = 1' insertafter='ssl_first'"
+ansible -i $INV workers -m lineinfile \
+  -a "path=/home/podman/ppf/config.ini line='ssl_only = 1' insertafter='ssl_first'"
 ```
 
 ## Podman User IDs