## Why

The base role enables UFW with a default-deny policy before adding the SSH port allow rule. This creates a window where the firewall is active with no allow rules, which can drop the active Ansible SSH connection and lock out the user after the first initialization stage.

## What Changes

- Reorder UFW tasks in `roles/base/tasks/main.yml`: allow SSH and other ports **before** enabling UFW with the deny policy

## Capabilities

### New Capabilities

### Modified Capabilities

## Impact

- `roles/base/tasks/main.yml`: task reordering only, no functional changes
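
The task order described under "What Changes", as an added example that is not the role's actual code. It assumes the `community.general.ufw` module; the task names and the `base_ufw_allowed_ports` variable are hypothetical.

```yaml
# Added example: hypothetical excerpt in the style of roles/base/tasks/main.yml.
# base_ufw_allowed_ports is an assumed variable, not taken from the role.

# 1. Allow rules first. UFW is still inactive at this point, so these tasks
#    only store rules and cannot interrupt the running SSH session.
- name: Allow SSH before the firewall is active
  community.general.ufw:
    rule: allow
    port: "{{ ansible_port | default(22) }}"  # follows a non-default SSH port
    proto: tcp

- name: Allow the other service ports
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto | default('tcp') }}"
  loop: "{{ base_ufw_allowed_ports | default([]) }}"

# 2. Enable last. The SSH rule already exists when default-deny takes effect,
#    so there is no window with an active firewall and no allow rules.
- name: Enable UFW with default-deny for incoming traffic
  community.general.ufw:
    state: enabled
    policy: deny
    direction: incoming

# Order being replaced: the "Enable UFW" task ran first, and the allow tasks
# ran afterwards over a connection the firewall could already have dropped.
```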