[publish] Sanitized snapshot from 0ed784c

Source: platform_server main @ 0ed784c
Generated by: scripts/publish_to_serverclaw.py

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: 2 people

CLAUDE.md

@@ -244,7 +244,7 @@ real values into `platform.yml`. The publish pipeline sanitises the real values
 when syncing to the public mirror. The private repo's `platform.yml` must
 always reflect actual deployment reality.
 
-> **Incident**: This gap caused `headscale.lv3.org` DNS to point at `203.0.113.1`
+> **Incident**: This gap caused `headscale.example.com` DNS to point at `203.0.113.1`
 > (a non-routable documentation IP), breaking Tailscale VPN for the entire
 > deployment.
 

collections/ansible_collections/lv3/platform/roles/proxmox_network/tasks/main.yml

@@ -39,7 +39,7 @@
       placeholder. Writing this to /etc/network/interfaces causes TOTAL HOST LOCKOUT
       on the next reboot (wrong IP — server unreachable). Aborting convergence.
       Fix: ensure .local/identity.yml is injected via -e @.local/identity.yml.
-      See incident postmortem 2026-04-12 (6h outage on 65.108.75.123).
+      See incident postmortem 2026-04-12 (6h outage on 203.0.113.1).
 
 - name: Validate optional staging bridge inputs
   ansible.builtin.assert:

collections/ansible_collections/lv3/platform/roles/proxmox_security/tasks/main.yml

@@ -84,7 +84,7 @@
 # INPUT policy. If it crashes after setting DROP policy but before adding ACCEPT rules,
 # the host becomes unreachable. This guard detects that state, stops pve-firewall, and
 # aborts convergence so the operator can investigate.
-# Incident reference: 2026-04-12 — 6h outage on 65.108.75.123; root cause was
+# Incident reference: 2026-04-12 — 6h outage on 203.0.113.1; root cause was
 # placeholder IP in /etc/network/interfaces (wrong IP, not firewall), but this guard
 # provides defence-in-depth against the firewall-crash scenario.
 - name: Wait for pve-firewall to populate ACCEPT rules in PVEFW-HOST-IN (up to 30s)

docs/adr/0373-service-registry-and-derived-defaults.md

@@ -361,7 +361,7 @@ If a role's migration breaks, the fix is to temporarily re-add the removed defau
   - `repo_intake` converged successfully on `docker-runtime`
   - direct health checks on `http://127.0.0.1:8101/health` returned `{"status":"ok"}`
   - edge verification from the `nginx` guest returned the expected OAuth redirect
-    for `https://repo-intake.lv3.org/`
+    for `https://repo-intake.example.com/`
   - governed restic backup receipts were refreshed at
     `receipts/restic-backups/20260413T105157Z.json`,
     `receipts/restic-backups/20260413T110651Z.json`, and

docs/adr/0410-docker-isolation-testing-and-ioc-completion.md

@@ -295,7 +295,7 @@ step-ca.docker-dev.local → step-ca container (172.30.10.99)
 ```
 
 This enables services to resolve each other by FQDN, matching production
-behavior where all services use `*.lv3.org`.
+behavior where all services use `*.example.com`.
 
 ### Phase 5: Test Scenarios and Timing (P2)
 

docs/adr/0413-sso-redirect-uri-and-service-topology-variable-drift.md

@@ -14,7 +14,7 @@ that together caused 7 of 17 services to be unavailable or broken.
 
 ### Bug Class 1 — SSO Redirect URI Mismatch (LibreChat / serverclaw client)
 
-When a user clicked "Login with Keycloak" on LibreChat (`chat.lv3.org`), Keycloak returned:
+When a user clicked "Login with Keycloak" on LibreChat (`chat.example.com`), Keycloak returned:
 
 ```
 We are sorry... An internal server error has occurred
@@ -53,22 +53,22 @@ play time, causing template rendering to silently fail or produce empty port num
 
 | Service | URL | Symptom | Broken variable |
 |---------|-----|---------|----------------|
-| Directus | data.lv3.org | 502 Bad Gateway | `directus_container_port` |
-| Paperless | paperless.lv3.org | 502 Bad Gateway | `paperless_service_topology` |
-| Coolify | coolify.lv3.org | 502 Bad Gateway | `coolify_dashboard_port` |
-| GlitchTip | errors.lv3.org | TLS + dead code | `glitchtip_internal_port` (dead code) |
+| Directus | data.example.com | 502 Bad Gateway | `directus_container_port` |
+| Paperless | paperless.example.com | 502 Bad Gateway | `paperless_service_topology` |
+| Coolify | coolify.example.com | 502 Bad Gateway | `coolify_dashboard_port` |
+| GlitchTip | errors.example.com | TLS + dead code | `glitchtip_internal_port` (dead code) |
 
 **Services with latent bugs (currently alive from old deployment):**
 
 | Service | URL | Broken variable | Risk |
 |---------|-----|----------------|------|
-| Dify | agents.lv3.org | `dify_port`, `dify_internal_base_url`, `dify_ollama_base_url` | Next converge would break port mapping |
+| Dify | agents.example.com | `dify_port`, `dify_internal_base_url`, `dify_ollama_base_url` | Next converge would break port mapping |
 
 **Services with TLS cert gaps (separate from above):**
 
 The nginx edge certificate `lv3-edge` was missing SANs for five subdomains that were
 added to the service topology after the last cert issuance:
-`grist.lv3.org`, `errors.lv3.org`, `bi.lv3.org`, `paperless.lv3.org`, `scheduler.lv3.org`.
+`grist.example.com`, `errors.example.com`, `bi.example.com`, `paperless.example.com`, `scheduler.example.com`.
 
 This causes hard TLS errors in browsers even when the backend containers are running.
 Fix: run `make converge-nginx-edge env=production` which will invoke certbot DNS-01
@@ -86,7 +86,7 @@ All other references (Keycloak client registration, service registry, tests)
 must match this value. The path `/oauth/openid/callback` is correct.
 
 **Immediate live fix:** Updated the Keycloak `serverclaw` client via the admin API
-on the live platform to register `https://chat.lv3.org/oauth/openid/callback`.
+on the live platform to register `https://chat.example.com/oauth/openid/callback`.
 This fix is reflected in code so the next `make converge-keycloak` is idempotent.
 
 ### 2. Eliminate all `platform_service_topology` references in role defaults
@@ -119,10 +119,10 @@ per ADR 0412).
 | Action | Command | Required for |
 |--------|---------|--------------|
 | Reissue TLS cert | `make converge-nginx-edge env=production` | grist, errors, bi, paperless, scheduler TLS |
-| Redeploy Directus | `make converge-directus env=production` | data.lv3.org 502 fix |
-| Redeploy Paperless | `make converge-paperless env=production` | paperless.lv3.org 502 fix |
-| Redeploy Coolify | `make converge-coolify env=production` | coolify.lv3.org 502 fix |
-| Investigate Superset | SSH to docker-runtime, `docker ps | grep superset` | bi.lv3.org — port chain correct, container may be stopped |
+| Redeploy Directus | `make converge-directus env=production` | data.example.com 502 fix |
+| Redeploy Paperless | `make converge-paperless env=production` | paperless.example.com 502 fix |
+| Redeploy Coolify | `make converge-coolify env=production` | coolify.example.com 502 fix |
+| Investigate Superset | SSH to docker-runtime, `docker ps | grep superset` | bi.example.com — port chain correct, container may be stopped |
 | Re-converge Keycloak | `make converge-keycloak env=production` | Pick up serverclaw redirect_uri fix |
 
 ---
@@ -142,7 +142,7 @@ per ADR 0412).
 - Four services (Directus, Paperless, Coolify, Superset) require a manual re-convergence
   to actually recover from 502. The code fix alone is not sufficient.
 - TLS cert expansion also requires a manual `make converge-nginx-edge` run.
-- Nomad scheduler (`scheduler.lv3.org`) has both a TLS cert gap and a backend timeout
+- Nomad scheduler (`scheduler.example.com`) has both a TLS cert gap and a backend timeout
   and requires separate investigation.
 
 ### Neutral

docs/adr/0416-topology-consistency-enforcement.md

@@ -10,7 +10,7 @@
 
 ### The Incident (2026-04-14)
 
-A user reported `chat.lv3.org` returning "An internal server error has occurred" during
+A user reported `chat.example.com` returning "An internal server error has occurred" during
 Keycloak SSO login. Investigation revealed:
 
 ```
@@ -40,7 +40,7 @@ This is the **third** topology drift incident in 72 hours:
 
 | Date | Incident | Drifted registries |
 |------|----------|--------------------|
-| 2026-04-13 | nginx edge reverting sso.lv3.org to docker-runtime | `lv3_service_topology`, `platform.yml` |
+| 2026-04-13 | nginx edge reverting sso.example.com to docker-runtime | `lv3_service_topology`, `platform.yml` |
 | 2026-04-13 | SSO redirect URI mismatch (ADR 0413) | collection role, standalone role, tests |
 | 2026-04-14 | Keycloak pg_hba.conf blocking runtime-control | `platform_postgres_clients`, `platform_service_registry` |
 

docs/architecture/ioc-value-flow.md

@@ -165,9 +165,9 @@ graph LR
     end
 
     subgraph DEPLOY["Deployed Instance"]
-        D1["identity: lv3.org"]
-        D2["host_vars: 65.108.75.123"]
-        D3["services: *.lv3.org"]
+        D1["identity: example.com"]
+        D2["host_vars: 203.0.113.1"]
+        D3["services: *.example.com"]
     end
 
     PRIVATE -->|"publish_to_serverclaw.py<br/>Tier C: 0 files changed"| PUBLIC

docs/postmortems/2026-04-11-docker-inception-ioc-test.md

@@ -162,7 +162,7 @@ The Ansible extra-vars override mechanism works exactly as designed:
 
 | Variable | Committed | Local Override | Result |
 |----------|-----------|---------------|--------|
-| `platform_domain` | `example.com` | `lv3.org` | Override wins |
+| `platform_domain` | `example.com` | `example.com` | Override wins |
 | `platform_operator_email` | `operator@example.com` | real email | Override wins |
 | `platform_operator_name` | `Platform Operator` | real name | Override wins |
 | `management_ipv4` | not in committed | real IP | Injected |

docs/postmortems/2026-04-12-placeholder-ip-host-lockout.md

@@ -4,13 +4,13 @@
 **Severity:** CRITICAL (P0)
 **Duration:** ~6 hours (approx. 03:00–09:00 UTC)
 **Status:** Resolved
-**Affected system:** Proxmox host `65.108.75.123` (all 14 VMs, all platform services)
+**Affected system:** Proxmox host `203.0.113.1` (all 14 VMs, all platform services)
 
 ---
 
 ## Summary
 
-The Proxmox host became completely unreachable after `/etc/network/interfaces` was written with the RFC 5737 documentation placeholder IP `203.0.113.1/26` instead of the real IP `65.108.75.123/26`. When the network was reloaded (`ifreload -a`) during an Ansible convergence, `vmbr0` received the wrong IP. All inbound traffic to the real IP timed out at the network level — the server appeared offline. No application-level error was produced; the host was simply unreachable.
+The Proxmox host became completely unreachable after `/etc/network/interfaces` was written with the RFC 5737 documentation placeholder IP `203.0.113.1/26` instead of the real IP `203.0.113.1/26`. When the network was reloaded (`ifreload -a`) during an Ansible convergence, `vmbr0` received the wrong IP. All inbound traffic to the real IP timed out at the network level — the server appeared offline. No application-level error was produced; the host was simply unreachable.
 
 Recovery required Hetzner KVM console access and a rescue system boot. All 14 VMs remained running throughout but were inaccessible from the internet.
 
@@ -44,7 +44,7 @@ Recovery required Hetzner KVM console access and a rescue system boot. All 14 VM
 | ~09:00 | Hetzner support ticket filed (#2026041203004207); KVM console access requested |
 | ~09:30 | KVM credentials obtained; console attached |
 | ~09:30 | Root cause identified: `ip addr show vmbr0` reveals `203.0.113.1/26` |
-| ~09:35 | Immediate fix: `ip addr del 203.0.113.1/26 dev vmbr0 && ip addr add 65.108.75.123/26 dev vmbr0 broadcast 65.108.75.127`; routes restored |
+| ~09:35 | Immediate fix: `ip addr del 203.0.113.1/26 dev vmbr0 && ip addr add 203.0.113.1/26 dev vmbr0 broadcast 65.108.75.127`; routes restored |
 | ~09:40 | `/etc/network/interfaces` corrected with real IP values |
 | ~09:45 | SSH connectivity restored; all VMs reachable |
 | ~10:00 | pve-firewall guard fixed (nftables → iptables); placeholder IP safety guard added |
@@ -98,7 +98,7 @@ Replaced the v0.178.122 nftables-based guard with an iptables-based guard target
 Added `ansible_port: "{{ lookup('env', 'LV3_PROXMOX_HOST_PORT') | default(22, true) }}"` to the `proxmox-host` inventory entry, and `proxmox_guest_ssh_jump_port` to the ProxyJump args. This allows convergence to route through the break-glass SSH port (2222) when Tailscale is unavailable:
 
 ```bash
-LV3_PROXMOX_HOST_ADDR=65.108.75.123 LV3_PROXMOX_HOST_PORT=2222 make converge-gitea env=production
+LV3_PROXMOX_HOST_ADDR=203.0.113.1 LV3_PROXMOX_HOST_PORT=2222 make converge-gitea env=production
 ```
 
 ### Fix 4 — `keycloak_local_artifact_dir` missing from `gitea.yml`
@@ -119,9 +119,9 @@ ip addr show vmbr0
 
 # 3. Immediate connectivity fix (without reboot)
 ip addr del 203.0.113.1/26 dev vmbr0
-ip addr add 65.108.75.123/26 broadcast 65.108.75.127 dev vmbr0
+ip addr add 203.0.113.1/26 broadcast 65.108.75.127 dev vmbr0
 ip route del default
-ip route add default via 65.108.75.65 dev vmbr0
+ip route add default via 203.0.113.65 dev vmbr0
 
 # 4. If SSH is not listening
 systemctl start ssh
@@ -131,7 +131,7 @@ iptables -L PVEFW-HOST-IN -n   # check if ACCEPT rules are loaded
 systemctl stop pve-firewall     # emergency: INPUT falls through to ACCEPT
 
 # 6. Fix /etc/network/interfaces permanently (use real values)
-# Real IP: 65.108.75.123/26, gateway: 65.108.75.65
+# Real IP: 203.0.113.1/26, gateway: 203.0.113.65
 # Edit: /etc/network/interfaces
 
 # 7. Reload nftables (guest internet may be broken after recovery)
@@ -215,7 +215,7 @@ The `proxmox_network` role already does this (the `Wait for SSH after network re
 
 If `100.64.0.1:22` (Tailscale jump host) is unreachable, the break-glass path is:
 ```bash
-LV3_PROXMOX_HOST_ADDR=65.108.75.123 LV3_PROXMOX_HOST_PORT=2222 make <target> env=production
+LV3_PROXMOX_HOST_ADDR=203.0.113.1 LV3_PROXMOX_HOST_PORT=2222 make <target> env=production
 ```
 This uses the public IP and the break-glass SSH port which is always open. Document this in your session notes whenever running playbooks while Tailscale is down.