Handle app deployment guardrail suggestions

docs/reuse-surface-on-railiance01.md

@@ -18,14 +18,15 @@ Companion workplans: **RAILIANCE-WP-0007** (Helm release), **REUSE-WP-0011**
 | `hub.coulomb.social` A | `92.205.62.239` (future) | `92.205.130.254` (CoulombCore bootstrap OK for now) |
 
 Let's Encrypt HTTP-01 on Railiance01 requires the public A record to reach
-**`92.205.62.239`**. Service is live on the production cluster; TLS waits on DNS.
+**`92.205.62.239`**. Service and TLS are live on the production cluster.
 
 ```bash
 dig +short reuse.coulomb.social A
 KUBECONFIG=~/.kube/config-hosteurope kubectl get certificate -n reuse
 ```
 
-Until DNS propagates and `certificate/reuse-surface-tls` is Ready:
+If DNS is being changed in the future, use an explicit resolve only during
+propagation:
 
 ```bash
 curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/health
@@ -63,8 +64,8 @@ links to `/health`, `/v1/federated`, and this operator runbook. It must not
 include `REUSE_SURFACE_TOKEN` or any other runtime secret.
 
 Rollback: set `landing.enabled: false` in `helm/reuse-surface-values.yaml` and
-run `KUBECONFIG=~/.kube/config-hosteurope make reuse-deploy`; the ingress will
-return to routing all `/` traffic to the API service.
+run `make reuse-deploy`; the ingress will return to routing all `/` traffic to
+the API service.
 
 ## Deploy
 
@@ -77,9 +78,9 @@ kubectl create secret generic reuse-surface-env \
   --from-literal=REUSE_SURFACE_TOKEN='<token>' \
   --dry-run=client -o yaml | kubectl apply -f -
 
-# Production (Railiance01)
-KUBECONFIG=~/.kube/config-hosteurope make reuse-deploy
-KUBECONFIG=~/.kube/config-hosteurope make reuse-status
+# Production (Railiance01, defaults to ~/.kube/config-hosteurope)
+make reuse-deploy
+make reuse-status
 
 # Restore kubeconfig from the node if missing:
 # ssh tegwick@92.205.62.239 'sudo cat /etc/rancher/k3s/k3s.yaml' \
@@ -89,14 +90,15 @@ KUBECONFIG=~/.kube/config-hosteurope make reuse-status
 ## Smoke checks
 
 ```bash
+make reuse-smoke
 curl -I http://reuse.coulomb.social/
-curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/
-curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/health
-curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/v1/federated
+curl -fsS https://reuse.coulomb.social/
+curl -fsS https://reuse.coulomb.social/health
+curl -fsS https://reuse.coulomb.social/v1/federated
 
-export REUSE_SURFACE_TOKEN=$(KUBECONFIG=~/.kube/config-hosteurope kubectl get secret reuse-surface-env -n reuse \
+export REUSE_SURFACE_TOKEN=$(kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse \
   -o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d)
-export REUSE_SURFACE_URL=https://reuse.coulomb.social   # after DNS + TLS Ready
+export REUSE_SURFACE_URL=https://reuse.coulomb.social
 reuse-surface hub status
 reuse-surface hub list
 curl -fsS "$REUSE_SURFACE_URL/v1/federated" | jq '.capabilities | length'
@@ -116,7 +118,7 @@ Image promotion: build from `coulomb/reuse-surface`, push to Gitea OCI, update
 `helm/reuse-surface-values.yaml` `image.tag`, then:
 
 ```bash
-KUBECONFIG=~/.kube/config-hosteurope make reuse-deploy
+make reuse-deploy
 ```
 
 Bootstrap copy on CoulombCore (`92.205.130.254`) was removed 2026-06-15 — use