apiVersion: railiance.fabric/v1alpha1 kind: DeploymentZoneInventory generated_at: "2026-05-24T00:00:00+02:00" source: repo: railiance-fabric workplan: RAIL-FAB-WP-0020 method: source-search-and-declared-surfaces scope: note: > This inventory captures deployment-zone overlay evidence. It does not define fabric membership, port ownership, live health, or access policy. deployment_environments: - id: dev scenario: bernd-laptop intended_reachability: private operator workstation - id: test scenario: coulombcore intended_reachability: shared collaborator and early-access test stage - id: prod scenario: railiance01 intended_reachability: production stage, currently alpha-accessible to developers surfaces: - id: dev.bernd-laptop.railiance-fabric.registry-api name: Railiance Fabric registry HTTP API repo: railiance-fabric service_id: railiance-fabric.registry deployment_environment: dev deployment_scenario: bernd-laptop access_zone: private-dev exposure_class: local-only routing_authority: local-loopback-binding policy_authority: local-loopback-binding route_evidence: route: http://127.0.0.1:8765 host: 127.0.0.1 port: 8765 protocol: http evidence: - path: fabric/interfaces/railiance-fabric-registry-http-api.yaml kind: fabric-interface-declaration - id: dev.bernd-laptop.railiance-fabric.graph-explorer name: Railiance Fabric graph explorer UI repo: railiance-fabric service_id: railiance-fabric.registry deployment_environment: dev deployment_scenario: bernd-laptop access_zone: private-dev exposure_class: local-only routing_authority: local-loopback-binding policy_authority: local-loopback-binding route_evidence: route: http://127.0.0.1:8765/ui/graph-explorer host: 127.0.0.1 port: 8765 protocol: http path: /ui/graph-explorer evidence: - path: fabric/interfaces/railiance-fabric-registry-graph-explorer-ui.yaml kind: fabric-interface-declaration - id: dev.bernd-laptop.state-hub.api name: State Hub HTTP API repo: the-custodian service_id: the-custodian.state-hub deployment_environment: dev deployment_scenario: bernd-laptop access_zone: private-dev exposure_class: local-only routing_authority: local-loopback-binding policy_authority: local-loopback-binding route_evidence: route: http://127.0.0.1:8000 host: 127.0.0.1 port: 8000 protocol: http evidence: - path: fabric/interfaces/the-custodian-state-hub-http-api.yaml kind: fabric-interface-declaration - id: dev.bernd-laptop.state-hub.mcp name: State Hub MCP API repo: the-custodian service_id: the-custodian.state-hub deployment_environment: dev deployment_scenario: bernd-laptop access_zone: private-dev exposure_class: local-only routing_authority: local-loopback-binding policy_authority: local-loopback-binding route_evidence: route: http://127.0.0.1:8001 host: 127.0.0.1 port: 8001 protocol: http evidence: - path: fabric/interfaces/the-custodian-state-hub-mcp-api.yaml kind: fabric-interface-declaration - id: dev.bernd-laptop.state-hub.dashboard name: State Hub dashboard repo: the-custodian service_id: the-custodian.state-hub deployment_environment: dev deployment_scenario: bernd-laptop access_zone: private-dev exposure_class: local-only routing_authority: local-loopback-binding policy_authority: local-loopback-binding route_evidence: route: http://127.0.0.1:3000 host: 127.0.0.1 port: 3000 protocol: http evidence: - path: fabric/interfaces/the-custodian-state-hub-dashboard.yaml kind: fabric-interface-declaration - id: dev.bernd-laptop.net-kingdom.control-surface name: NetKingdom control surface repo: net-kingdom service_id: net-kingdom.iam-profile deployment_environment: dev deployment_scenario: bernd-laptop access_zone: private-dev exposure_class: local-only routing_authority: local-loopback-binding policy_authority: local-loopback-binding route_evidence: route: http://127.0.0.1:8876 host: 127.0.0.1 port: 8876 protocol: http evidence: - path: fabric/interfaces/net-kingdom-control-surface-ui.yaml kind: fabric-interface-declaration - path: ../net-kingdom/sso-mfa/k8s/keycape/README.md kind: source-search-hit note: local OIDC callback lists localhost port 8876 - id: test.coulombcore.state-hub.http-tunnel name: State Hub HTTP API tunnel to coulombcore repo: railiance-infra service_id: the-custodian.state-hub deployment_environment: test deployment_scenario: coulombcore access_zone: collaborator-test exposure_class: collaborator-test routing_authority: ops-bridge policy_authority: ops-bridge-ssh route_evidence: route: http://127.0.0.1:18000 host: 127.0.0.1 port: 18000 protocol: http tunnel_target: coulombcore evidence: - path: ../railiance-infra/docs/deploy-stack.md lines: "127" kind: source-search-hit - id: test.coulombcore.state-hub.mcp-tunnel name: State Hub MCP tunnel to coulombcore repo: railiance-infra service_id: the-custodian.state-hub deployment_environment: test deployment_scenario: coulombcore access_zone: collaborator-test exposure_class: collaborator-test routing_authority: ops-bridge policy_authority: ops-bridge-ssh route_evidence: route: http://127.0.0.1:18001 host: 127.0.0.1 port: 18001 protocol: http tunnel_target: coulombcore evidence: - path: ../railiance-infra/docs/deploy-stack.md lines: "128" kind: source-search-hit - id: test.coulombcore.k3s-api-tunnel name: k3s API tunnel to coulombcore repo: railiance-infra deployment_environment: test deployment_scenario: coulombcore access_zone: collaborator-test exposure_class: collaborator-test routing_authority: ops-bridge policy_authority: ops-bridge-ssh route_evidence: route: https://127.0.0.1:16443 host: 127.0.0.1 port: 16443 protocol: https tunnel_target: coulombcore evidence: - path: ../railiance-infra/docs/deploy-stack.md lines: "129" kind: source-search-hit - path: ../railiance-cluster/SCOPE.md lines: "127" kind: source-search-hit note: cluster scope states it runs on COULOMBCORE - id: prod.railiance01.gitea name: Gitea ingress repo: railiance-apps deployment_environment: prod deployment_scenario: railiance01 access_zone: production-public exposure_class: production-public routing_authority: traefik policy_authority: null tls_authority: cert-manager:letsencrypt-prod route_evidence: route: https://gitea.coulomb.social hostname: gitea.coulomb.social port: 443 protocol: https review: status: candidate note: access zone and policy authority require operator review evidence: - path: ../railiance-apps/manifests/gitea-ingress.yaml lines: "2,12,14,16,27" kind: kubernetes-ingress - path: ../railiance-apps/workplans/railiance-apps-WP-0002-vergabe-teilnahme-on-railiance01.md lines: "612,613" kind: source-search-hit note: places Gitea before vergabe-teilnahme on railiance01 - id: prod.railiance01.vergabe-teilnahme name: Vergabe Teilnahme ingress repo: railiance-apps deployment_environment: prod deployment_scenario: railiance01 access_zone: production-public exposure_class: production-public routing_authority: traefik policy_authority: null tls_authority: cert-manager:letsencrypt-prod route_evidence: route: https://vergabe-teilnahme.whywhynot.de hostname: vergabe-teilnahme.whywhynot.de port: 443 protocol: https review: status: candidate note: production public classification is inferred from ingress host and workplan evidence: - path: ../railiance-apps/manifests/vergabe-teilnahme-ingress.yaml lines: "2,11,13,15,26" kind: kubernetes-ingress - path: ../railiance-apps/workplans/railiance-apps-WP-0002-vergabe-teilnahme-on-railiance01.md lines: "22,40,68,69,163,612,613" kind: source-search-hit - id: prod.railiance01.authelia name: Authelia ingress repo: net-kingdom deployment_environment: prod deployment_scenario: railiance01 access_zone: production-public exposure_class: production-public routing_authority: traefik policy_authority: authelia tls_authority: cert-manager:letsencrypt-prod route_evidence: route: https://auth.coulomb.social hostname: auth.coulomb.social port: 443 protocol: https review: status: candidate note: railiance01 attribution comes from NetKingdom deployment workplan evidence: - path: ../net-kingdom/sso-mfa/k8s/authelia/ingress.yaml lines: "13,22,24,26,38" kind: kubernetes-ingress - path: ../net-kingdom/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md lines: "29,47,88,101" kind: source-search-hit - id: prod.railiance01.keycape name: Keycape ingress repo: net-kingdom deployment_environment: prod deployment_scenario: railiance01 access_zone: production-public exposure_class: production-public routing_authority: traefik policy_authority: traefik-middleware tls_authority: cert-manager:letsencrypt-prod route_evidence: route: https://kc.coulomb.social hostname: kc.coulomb.social port: 443 protocol: https review: status: candidate note: middleware is present, but intended audience still needs operator review evidence: - path: ../net-kingdom/sso-mfa/k8s/keycape/ingress.yaml lines: "13,22,23,27,29,41" kind: kubernetes-ingress - path: ../net-kingdom/sso-mfa/k8s/keycape/middleware.yaml lines: "9,24" kind: traefik-middleware - id: prod.railiance01.privacyidea name: privacyIDEA ingress repo: net-kingdom deployment_environment: prod deployment_scenario: railiance01 access_zone: production-admin exposure_class: production-admin routing_authority: traefik policy_authority: traefik-middleware tls_authority: cert-manager:letsencrypt-prod route_evidence: route: https://pink.coulomb.social hostname: pink.coulomb.social port: 443 protocol: https review: status: candidate note: admin classification inferred from privacyIDEA role and middleware evidence: - path: ../net-kingdom/sso-mfa/k8s/privacyidea/ingress.yaml lines: "25,34,36,38,40,52,60,69,71,75,77,89" kind: kubernetes-ingress - path: ../net-kingdom/sso-mfa/k8s/privacyidea/middleware.yaml lines: "19,41" kind: traefik-middleware - id: prod.railiance01.privacyidea-account name: privacyIDEA account self-service ingress repo: net-kingdom deployment_environment: prod deployment_scenario: railiance01 access_zone: production-public exposure_class: production-public routing_authority: traefik policy_authority: traefik-middleware tls_authority: cert-manager:letsencrypt-prod route_evidence: route: https://pink-account.coulomb.social hostname: pink-account.coulomb.social port: 443 protocol: https review: status: candidate note: self-service classification inferred from host name and middleware evidence: - path: ../net-kingdom/sso-mfa/k8s/privacyidea/ingress.yaml lines: "94,103,104,106,108,120" kind: kubernetes-ingress - id: prod.railiance01.lldap name: LLDAP ingress repo: net-kingdom deployment_environment: prod deployment_scenario: railiance01 access_zone: production-admin exposure_class: production-admin routing_authority: traefik policy_authority: traefik-admin-allowlist tls_authority: cert-manager:letsencrypt-prod route_evidence: route: https://lldap.coulomb.social hostname: lldap.coulomb.social port: 443 protocol: https review: status: candidate note: admin allowlist middleware indicates intended restricted access evidence: - path: ../net-kingdom/sso-mfa/k8s/lldap/ingress.yaml lines: "12,21,22,24,26,38" kind: kubernetes-ingress - path: ../net-kingdom/sso-mfa/k8s/lldap/middleware.yaml lines: "11" kind: traefik-middleware ambiguities: - id: railiance01-coulombcore-ip-conflict severity: high summary: Source documents disagree on which host owns 92.205.130.254. evidence: - path: ../railiance-apps/workplans/railiance-apps-WP-0002-vergabe-teilnahme-on-railiance01.md lines: "22,163" note: says railiance01 and Traefik LoadBalancer use 92.205.130.254 - path: ../railiance-infra/SCOPE.md lines: "126" note: says COULOMBCORE is 92.205.130.254 and Railiance01 is 92.205.62.239 next: reconcile host inventory before treating IP evidence as authoritative - id: prod-access-zone-review severity: medium summary: Production access zones are candidate classifications. evidence: - path: ../railiance-apps/manifests note: app ingress manifests show routing and TLS but not business audience - path: ../net-kingdom/sso-mfa/k8s note: middleware and network policy hint at access intent but do not replace operator review next: confirm each production host as public, admin, or early-access - id: test-reachability-is-tunneled severity: medium summary: Current coulombcore routes are ops-bridge tunnel evidence, not public ingress evidence. evidence: - path: ../railiance-infra/docs/deploy-stack.md lines: "127,128,129" note: state-hub and k3s API access are tunnel commands next: add executable test-stage ingress/service discovery when coulombcore manifests exist missing_policy_authority: - surface_id: prod.railiance01.gitea reason: route and TLS are discovered, but access policy authority is not evident in the ingress artifact - surface_id: prod.railiance01.vergabe-teilnahme reason: route and TLS are discovered, but access policy authority is not evident in the ingress artifact