Fleet Controls Matrix · V7

THE CONTROL LAW · GOATs LOVE CONTROLS

Every silo has: 1 ACR + 1 AKV + 2 RGs (resources + lifeline).
Every control exists in all 7 versions. Every silo writes its own chapter. All crews, all GOATs, all editions.

The 2 RG Model: rg-{silo}-resources (compute, containers, AKS, networking) + rg-{silo}-lifeline (backups, fleet-sync, KV restore, DR).

Double lifelines: if resources RG fails, lifeline RG holds the fleet-sync, the keys, the recovery path. The silo breathes again.

GOATs love controls — because a controlled silo is a sovereign silo. No control = no sovereignty.

44

TOTAL RGs (primary+kantai)

3

LIVE FUNCTION APPS

5

KEY VAULTS

6

CONTAINER REGISTRIES

8

BACKUP RGs

12

CONTROL DOMAINS

LIVE FUNCTION APPS — THE CONTROL ENGINE

FUNCTION APP	RESOURCE GROUP	DOMAIN	STATE	V7 ROLE
func-sco-dev	rg-eose-landing-zone-dev	SCO · Security Controls	✅ RUNNING	CSO layer — policy + compliance events
eose-kms-automation-dev	rg-eose-kms-dev	KMS · Key Management	✅ RUNNING	Key rotation + compliance + onboarding
eose-rgm-sandbox-dev	rg-eose-aks-dev	RGM · Resource Group Mgr	✅ RUNNING	2 RG model enforcement + lifecycle

KMS FUNCTIONS (rg-eose-kms-dev)

eose-dev-kms-onboarding-func

New silo key provisioning

eose-dev-kms-rotation-func

Auto key rotation + expiry

eose-dev-kms-compliance-func

Key compliance audit

eose-kms-alerts-dev

Key access alerts

eose-kms-secrets-expiring-dev

Secret expiry watchdog

eose-kms-vault-availability-dev

Vault health monitoring

THE 2 RG MODEL — EVERY SILO · RESOURCES + LIFELINE

Law: Every silo has exactly two resource groups.
rg-{silo}-resources — compute, containers, AKS nodes, networking, APIs
rg-{silo}-lifeline — AKV restore, fleet-sync backup, PITR, DR, recovery scripts

If resources burns → lifeline holds the keys, the config, the recovery path.
The silo breathes again from lifeline alone. Double lifeline = sovereign silo.

12 CONTROL DOMAINS — ALL SILOS · ALL LANGUAGES · V1 TO V7

🔑

KMS · Key Management

Key provisioning, rotation, expiry, compliance. AKV per silo. Auto-rotation via func-kms.

eosedevkmscc948-kv kms-rotation-func

✅ LIVE

🏛️

IAM · Identity + Access

RBAC, managed identities, service principals, PIM. rg-eose-iam-dev dedicated RG.

rg-eose-iam-dev managed-identities

⚡ PARTIAL

📋

RGM · Resource Group Mgr

2 RG model enforcement, lifecycle management, tagging, cost allocation. eose-rgm-sandbox-dev.

eose-rgm-sandbox-dev

✅ LIVE

🛡️

SCO/CSO · Security Ops

Policy, compliance events, security alerts. func-sco-dev. evgt-sco-dev-policy event grid.

func-sco-dev evgt-sco-dev-policy

✅ LIVE

💾

Backup · Lifeline Control

8 backup RGs. eose-dev-rsv (Recovery Services Vault). PITR, geo-redundancy, fleet-sync backup.

eosebackupdev eose-dev-rsv

✅ LIVE

📦

ACR · Container Registry

6 ACRs across 2 subs. eosefleetacrdev, eoseaksacrdev, msi01acr (Standard=anon pull), eoseentry.

eosefleetacrdev msi01acr +4 more

✅ LIVE

🌐

DNS · Zone Control

34 DNS zones in rg-eose-dns-dev. 17 in rg-meek-dns (kantai). All pemos/eose/serlf/deseof domains.

rg-eose-dns-dev (34) rg-meek-dns (17)

✅ LIVE

📊

Observability · Log + Alert

appi-sco-dev (App Insights). Log Analytics. KMS vault alerts (events, latency, access-denied, availability).

appi-sco-dev kms-alerts

⚡ PARTIAL

🔄

Flux · GitOps Control

Flux manages platform-gateway via platform-platform kustomization on bug-sync branch. Reconcile every 10min.

platform-platform bug-sync branch

✅ LIVE

🌊

Secret Rotation Control

eose-dev-entsr-log-processor-id + eose-dev-entsr-secret-rotator-id. Logic app: eosedevlzccfdi-logic.

entsr-secret-rotator eosedevlzccfdi-logic

✅ LIVE

🗄️

CosmosDB · Data Control

lz-dev-5et-cosmos in landing zone RG. Fleet event sourcing, audit trail, sovereign data store.

lz-dev-5et-cosmos

⚡ PARTIAL

⬡

C# · V7 Control Layer

IFleetSovereign interface proves every control. Roslyn validates compliance at compile time. VS Build Tools installing.

eose-core.csproj VS Build Tools ⚙️

⚙️ BUILDING

FULL CONTROLS MATRIX — ALL SILOS × ALL DOMAINS

CONTROL DOMAIN	yONE	forge	msclo	msi01	pcdev	deck	cloud/AKS	CT Enterprise	ACR	AKV	V7 C#
KMS · Key Management	⚡	–	⚡	✅	📋	–	✅	📋	✅	✅	📋
IAM · Identity + Access	⚡	–	⚡	✅	–	–	✅	✅	–	✅	📋
RGM · Resource Group Model	✅	✅	✅	✅	✅	⚡	✅	✅	–	–	📋
SCO/CSO · Security Ops	⚡	–	⚡	✅	–	–	✅	⚡	–	✅	📋
Backup/Lifeline	✅	⚡	⚡	✅	⚡	–	✅	⚡	–	✅	📋
ACR · Container Registry	✅	✅	✅	✅	✅	–	✅	✅	✅	–	📋
DNS · Zone Control	✅	✅	✅	✅	–	–	✅	⚡	–	–	📋
Observability · Logs + Alerts	⚡	–	⚡	✅	–	–	✅	⚡	–	–	📋
GitOps/Flux · Deploy Control	–	–	–	⚡	–	–	✅	–	–	–	📋
Secret Rotation	⚡	–	–	✅	–	–	✅	–	–	✅	📋
CosmosDB · Data Control	–	–	–	⚡	–	–	✅	–	–	–	📋
MDSMS/Breath · Fleet Control	✅	✅	✅	✅	✅	✅	✅	✅	–	–	📋

✅ LIVE ⚡ PARTIAL – NOT YET 📋 PLANNED V7

SILO DRILL — 2 RG MODEL + ALL CONTROLS

FLEET CONTROLS VIZ — RADAR + MESH

CONTROL COVERAGE RADAR

SILO × CONTROL HEAT MAP

V7 VERSIONS — ALL CONTROLS · ALL EDITIONS

V1

FLOOR

WRITTEN

V2

STRUCTURE

RG MODEL

V3

PATTERN

KMS+SCO

V4

CREW

MDSMS+IAM

V5

MATRIX

THIS PAGE

V6

STATION

BUILDING

V7

EVOLUTION

C# PENDING

CONTROL CDs — VOLUMES I THROUGH V

VOL	RANGE	CONTROL THEME	KEY CONTROLS	STATUS
I	ARB-001 to ARB-100	THE FLOOR — Canon controls	γ₁ anchor, H=H† gate, LSOS audit	✅
II	ARB-101 to ARB-300	STRUCTURE — RGM + IAM + KMS	2 RG model, key vaults, identity	✅
III	ARB-301 to ARB-500	PATTERN — CRD + SCO + Flux	GitOps, CRD patterns, security ops	✅
IV	ARB-501 to ARB-600	CREW — MDSMS + Backup + Lifeline	Fleet controls, backup RGs, breath	✅
V	ARB-601 to ARB-645+	EVOLUTION — V7 + C# + Morigami	Spinner test, IFleetSovereign, ARC	⚡ ACTIVE