Handle app deployment guardrail suggestions

docs/operator-setup.md

@@ -19,6 +19,7 @@ SOPS_SENTINEL=<encrypted-file> make check-sops
 - `helm`
 - `sops`
 - `python3`
+- `curl`
 
 Install the CNPG plugin for better database diagnostics:
 
@@ -31,6 +32,44 @@ kubectl krew install cnpg
 plain Kubernetes resources, but the plugin output is the preferred view
 for primary/replica health and backup state.
 
+## Production Cluster Kubeconfig
+
+S5 production app releases belong on **Railiance01**. CoulombCore may still
+host bootstrap or prerelease services, so do not rely on the workstation's
+ambient `kubectl` context for production app deploys.
+
+| Name | IP | Role |
+|---|---|---|
+| Railiance01 | `92.205.62.239` | Production k3s; deploy S5 apps here |
+| CoulombCore | `92.205.130.254` | Bootstrap / prerelease only |
+
+| Hostname | Production DNS A | Notes |
+|---|---|---|
+| `reuse.coulomb.social` | `92.205.62.239` | Production reuse-surface hub |
+| `hub.coulomb.social` | `92.205.62.239` | Target production inter-hub host; bootstrap may still point at CoulombCore until cutover |
+
+The production Makefile targets default to:
+
+```text
+~/.kube/config-hosteurope
+```
+
+Restore it from Railiance01 when missing:
+
+```bash
+ssh tegwick@92.205.62.239 'sudo cat /etc/rancher/k3s/k3s.yaml' \
+  | sed 's|127.0.0.1|92.205.62.239|' > ~/.kube/config-hosteurope
+chmod 600 ~/.kube/config-hosteurope
+export KUBECONFIG=~/.kube/config-hosteurope
+```
+
+The app-specific targets also accept explicit overrides:
+
+```bash
+REUSE_KUBECONFIG=~/.kube/config-hosteurope make reuse-status
+INTER_HUB_KUBECONFIG=~/.kube/config-hosteurope make inter-hub-status
+```
+
 ## SOPS Age Key Bootstrap
 
 SOPS-encrypted values used by app release work expect an age identity at: