Finish RAILIANCE-WP-0007: reuse-surface hub deployed on railiance01

Helm revision 3 with image cb7a6e4. Runbook updated with TLS/DNS operator
guidance and smoke-check commands.

docs/reuse-surface-on-railiance01.md

@@ -5,19 +5,28 @@ Federation service deployment for **`https://reuse.coulomb.social`**.
 Companion workplans: **RAILIANCE-WP-0007** (Helm release), **REUSE-WP-0011**
 (service + CLI).
 
-## DNS
+## DNS and TLS
 
-| Record | Value | Status |
+| Record | Target | Notes |
 |---|---|---|
-| `reuse.coulomb.social` A | `92.205.62.239` | Operator confirmed 2026-06-15 |
+| `reuse.coulomb.social` A | **`92.205.130.254`** | Cluster Traefik ingress (same as `hub.coulomb.social`) |
 
-Verify before deploy (propagation may lag):
+Let's Encrypt HTTP-01 requires traffic to reach this cluster. An earlier A record
+to `92.205.62.239` does not satisfy the challenge until DNS propagates to the
+ingress IP.
 
 ```bash
 dig +short reuse.coulomb.social A
+kubectl get certificate -n reuse
 ```
 
-Ingress host in chart: `charts/reuse-surface/values.yaml` → `ingress.host`.
+Until `certificate/reuse-surface-tls` is Ready, smoke checks from a workstation:
+
+```bash
+curl -k --resolve reuse.coulomb.social:443:92.205.130.254 https://reuse.coulomb.social/health
+kubectl port-forward -n reuse svc/reuse-surface 18001:8000
+export REUSE_SURFACE_URL=http://127.0.0.1:18001
+```
 
 ## Release surface
 
@@ -49,14 +58,19 @@ make reuse-status
 ## Smoke checks
 
 ```bash
-curl -fsS https://reuse.coulomb.social/health
+curl -k --resolve reuse.coulomb.social:443:92.205.130.254 https://reuse.coulomb.social/health
 
-export REUSE_SURFACE_URL=https://reuse.coulomb.social
-export REUSE_SURFACE_TOKEN=<token>
+export REUSE_SURFACE_TOKEN=$(kubectl get secret reuse-surface-env -n reuse \
+  -o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d)
+export REUSE_SURFACE_URL=https://reuse.coulomb.social   # after TLS Ready
 reuse-surface hub status
 reuse-surface hub list
+curl -fsS "$REUSE_SURFACE_URL/v1/federated" | jq '.capabilities | length'
 ```
 
+Deployed image tag: see `helm/reuse-surface-values.yaml` (currently `cb7a6e4`).
+Dogfood: `reuse-surface` repo registered; federated index returns 12 capabilities.
+
 ## Operations
 
 ```bash

workplans/RAILIANCE-WP-0007-reuse-surface-hub-on-railiance01.md

@@ -4,7 +4,7 @@ type: workplan
 title: "Deploy reuse-surface federation service on railiance01"
 domain: railiance
 repo: railiance-apps
-status: active
+status: finished
 owner: codex
 topic_slug: railiance
 created: "2026-06-15"
@@ -102,31 +102,23 @@ DNS A record live: `reuse.coulomb.social → 92.205.62.239`.
 
 ```task
 id: RAILIANCE-WP-0007-T04
-status: wait
+status: done
 priority: medium
 state_hub_task_id: "14049fd1-7ec1-4762-9a7c-9783f0997016"
 ```
 
-When image is available:
-
-1. `make reuse-dry-run`
-2. Apply Secret `reuse-surface-env`
-3. `make reuse-deploy`
-4. Verify `https://reuse.coulomb.social/health`
+Helm revision 3 (image `cb7a6e4`). Pod Running; `/health` and `/v1/federated`
+verified. TLS pending DNS A → `92.205.130.254`.
 
 ## Post-Deploy Verification And Runbook
 
 ```task
 id: RAILIANCE-WP-0007-T05
-status: progress
+status: done
 priority: low
 state_hub_task_id: "30b08789-38bb-409a-b5b1-b3c73ff31a96"
 ```
 
-Added `docs/reuse-surface-on-railiance01.md`. Complete after first deploy with
-live smoke checks:
-
-```bash
-export REUSE_SURFACE_URL=https://reuse.coulomb.social
-reuse-surface hub status
-```
+Runbook `docs/reuse-surface-on-railiance01.md` updated with deploy evidence,
+token retrieval, and TLS/DNS operator note. Smoke checks pass via ingress
+resolve; public TLS awaits DNS A → `92.205.130.254`.