EOSE LABS · ALL SUBSCRIPTIONS · RG CONTROL AUDIT
RG CONTROL
3 SUBS · 44 RESOURCE GROUPS · ALL RUNNING ✅
BACKUP RGs · DNS ZONES · CONTROL MAPPING · MISSING CONTROLS
Primary: 33 RGs · Kantai: 11 RGs · Spare: 0 RGs (empty)
ALL RGs (44)
BACKUP RGs (9)
DNS ZONES (54)
MISSING CONTROLS
SUB PRIMARY — 427873ee · 33 RGs · canadacentral + eastus
LANDING ZONE
rg-eose-landing-zone-dev
func-sco-dev · CosmosDB · Logic App
Secret Rotator · Event Grid · App Insights
✅ SCO CONTROL
KMS
rg-eose-kms-dev
eosedevkmscc948-kv · kms-automation-func
onboarding + rotation + compliance funcs
alerts: events · latency · access-denied · availability
✅ KMS CONTROL
BACKUP
rg-eose-backup-dev
eosebackupdev · eose-dev-rsv (Recovery Vault)
✅ BACKUP CONTROL
IAM
rg-eose-iam-dev
Managed identities · RBAC assignments
Service principals · Workload ID
⚡ IAM PARTIAL
AKS MAIN
rg-eose-aks-dev
aks-eose-aaas-dev · eoseaksacrdev
eose-aks-dev-kv · eose-rgm-sandbox-dev
✅ AKS + RGM CONTROL
AKS MANAGED
MC_rg-eose-aks-dev_*
AKS-managed nodes · VMSS · LB · NICs
(auto-managed, do not edit)
✅ AKS MANAGED
DNS (DEV)
rg-eose-dns-dev
37 DNS zones · pemos/eose/serlf/deseof
feedles/onba/thelegal.cafe · eose.art/.cloud/.pro
✅ DNS CONTROL
DNS (PRD)
rg-eose-dns-prd
prd.eose.ca (production DNS zone)
✅ DNS CONTROL
WEB
rg-eose-web-dev
creosewebdev ACR · web containers
⚡ ACR PARTIAL
DESEOF
rg-deseof-dev
deseof.com + deseof.ca portal resources
kantai-cc ingress → 20.200.111.70
✅ PORTAL CONTROL
PEMOS
rg-eose-pemos-dev
PEMOS core resources
⚡ PARTIAL
CONTAINER APP
rg-eose-mc-aca-dev
Azure Container Apps environment
Master Control ACA
⚡ PARTIAL
PEMOS MEEK
rg-pemos-meek-dev
PEMOS meek silo resources
⚡ 2RG PARTIAL
PEMOS MEEK BACKUP
rg-pemos-meek-backup-dev
pemosmeekstatedev · pemos-meek-restore-kv
✅ LIFELINE CONTROL
PEMOS FUZE
rg-pemos-fuze-dev
PEMOS fuze silo resources
⚡ 2RG PARTIAL
PEMOS FUZE BACKUP
rg-pemos-fuze-backup-dev
0 resources — lifeline RG empty
❌ EMPTY — NEEDS FILL
PEMOS PEEK BACKUP
rg-pemos-peek-backup-dev
1 resource
⚡ PARTIAL
SERLF
rg-serlf-dev + rg-serlf-meek-dev
SERLF marketplace + meek resources
ECR: 963701985617.dkr.ecr.us-east-2
⚡ 2RG PARTIAL
SERLF BACKUP
rg-serlf-backup-dev
0 resources — lifeline RG empty
❌ EMPTY — NEEDS FILL
FEEDLES / ONBA
rg-feedles-web-dev · rg-onba-web-dev
Product web RGs
⚡ PARTIAL
LEGAL CAFE
rg-legalcafe-web-dev
thelegal.cafe web resources
⚡ PARTIAL
PEMOS MASTER BACKUP
rg-pemos-master-backup-dev
pemos-master-restore-kv · pemosmasterstatedev
✅ LIFELINE CONTROL
PEMOS PEEK1
rg-pemos-peek1-dev (eastus)
Peek silo — eastus region
⚡ 2RG PARTIAL
FC BACKUP
rg-pemos-fc-backup-dev
1 resource — Fleet Commander backup
⚡ PARTIAL
SUB KANTAI — 458e8558 · 11 RGs
DNS
rg-meek-dns
17 DNS zones · pemos/eose/serlf/feedles/nanos
nanos.ca · nanos.live
✅ DNS CONTROL
ACR
rg-msi01-acr
msi01acr (Standard · anonymous pull ✅)
acreosealpha
✅ ACR CONTROL
AKS KANTAI CC
rg-kantai-eose-dev
aks-kantai-eose-dev · kantai-cc LB 20.200.111.70
deseof-portal · merostone-store
✅ AKS CONTROL
AKS KANTAI CE
rg-kantai-eose-canadaeast-dev
aks-kantai-eose-canadaeast-dev · B2s nodes
meek-mail namespace (empty)
⚡ PARTIAL
BACKUP
rg-kantai-eose-backup-dev
2 resources — kantai backup
⚡ PARTIAL
TEST
rg-kantai-command-test-dev
rg-kantai-admiral-test-dev
Test RGs for kantai crew
⚡ TEST
SUB SPARE — 239915fb · 0 RGs (EMPTY)
Spare sub is empty. No resources. Purpose TBD. Consider: CT enterprise staging, DESEOF production, or leave as DR sub.
9 BACKUP / LIFELINE RGs — ALL SUBS
RG NAME SUB RESOURCES KEY CONTENTS CONTROL ARB NEEDED?
rg-eose-backup-devPRIMARY2eosebackupdev · eose-dev-rsv (Recovery Services Vault)✅ LIVE
rg-pemos-meek-backup-devPRIMARY2pemosmeekstatedev · pemos-meek-restore-kv✅ KV + STATE
rg-pemos-master-backup-devPRIMARY2pemos-master-restore-kv · pemosmasterstatedev✅ KV + STATE
rg-pemos-meek3-backup-devPRIMARY11 resource (state storage)⚡ PARTIAL — no KVAdd restore-kv
rg-pemos-peek-backup-devPRIMARY11 resource⚡ PARTIAL — no KVAdd restore-kv
rg-pemos-fuze-backup-devPRIMARY0EMPTY — no resources❌ EMPTY⚠️ File ARB — add KV + state
rg-serlf-backup-devPRIMARY0EMPTY — no resources❌ EMPTY⚠️ File ARB — add KV + state
rg-pemos-fc-backup-devPRIMARY1FC backup — 1 resource⚡ PARTIALVerify contents
rg-kantai-eose-backup-devKANTAI2Kantai backup resources⚡ PARTIAL — no KVAdd kantai-restore-kv
⚠️ BACKUP CONTROL LAW VIOLATIONS
Every backup RG must contain: (1) restore KV + (2) state storage
rg-pemos-fuze-backup-dev — EMPTY. No KV, no state. Fuze silo has no lifeline.
rg-serlf-backup-dev — EMPTY. No KV, no state. SERLF has no lifeline.
These need an ARB to provision: pemos-fuze-restore-kv + pemosfuzestatedev and serlf-restore-kv + serlfstatedev
PRIMARY SUB — rg-eose-dns-dev · 37 ZONES
pemos.ca41
eose.ca44
pemos.org12
dev.pemos.ca12
dev.eose.ca10
eose.cloud9
serlf.ca14
serlf.com9
serlf.org9
serlf.net8
serlf.info7
serlf.shop7
serlf.store7
serlf.club7
serlf.me4
serlf.co2
deseof.ca8
deseof.com4
pemos.io7
pemos.info2
pemos.xyz2
pemos.club2
pemos.shop2
pemos.site2
pemos.store2
dev.pemos.org3
eose.art2
eose.pro4
eose.email8
eose.site6
eose.work6
eose.store2
eose.club2
feedles.ca5
onba.ca6
thelegal.cafe3
prd.eose.caPRD
KANTAI SUB — rg-meek-dns · 17 ZONES
pemos.ca10
eose.ca8
serlf.ca11
serlf.com10
serlf.org7
serlf.net7
serlf.info7
serlf.shop7
serlf.store7
serlf.club7
feedles.ca5
pemos.io5
pemos.org6
eose.cloud5
eose.site5
nanos.ca5
nanos.live10
DNS Control Law: Primary sub owns the canonical zones. Kantai sub has mirror zones for same domains — this is intentional dual-NS sovereignty.
nanos.ca + nanos.live — appear in kantai only. Novel domains. Needs a product ARB.
Total: 54 zones across 2 subs · 3 subs authoritative DNS
CONTROLS THAT MUST EXIST — NOT YET WIRED
Backup RG Fill Control
rg-pemos-fuze-backup-dev and rg-serlf-backup-dev are EMPTY. Both missing restore-kv + state storage. Lifelines with no lifeline rope.
→ File ARB: provision pemos-fuze-restore-kv + serlf-restore-kv
nanos.ca / nanos.live Product
nanos.ca (5 records) + nanos.live (10 records) in kantai DNS only. What is NANOS? No RG, no portal, no ARB found. DNS exists but product undefined.
→ File ARB: define NANOS product + create resource RG
Spare Sub Purpose
239915fb is completely empty. 0 RGs. No resources. It's a clean sub ready for something sovereign — CT staging, DESEOF production, or DR.
→ File ARB: assign spare sub a purpose
Kantai Backup KV
rg-kantai-eose-backup-dev has 2 resources but no restore-kv found. Kantai AKS (2 clusters!) has no KV-backed lifeline.
→ Add kantai-restore-kv to rg-kantai-eose-backup-dev
rg-eose-iam-dev Contents
IAM RG exists but appeared empty in audit. Managed identities should live here. Needs verification + population.
→ Verify managed identities are in this RG
DNS Control → FC-MATRIX
54 zones across 2 subs. DNS Control is ✅ in FC-MATRIX for cloud but the dual-NS pattern (primary + kantai) and the full zone count need their own control entry.
→ Update FC-MATRIX: split DNS control into primary-dns + kantai-dns
Backup Control → FC-MATRIX
9 backup RGs confirmed. FC-MATRIX shows single "Backup" control. Should map to each product RG's lifeline separately.
→ Update FC-MATRIX: per-product backup control rows
rg-eose-mc-aca-dev
Azure Container Apps RG exists. Master Control ACA — what's running here? No portal reference found. May be stale or planned.
→ Verify / document what ACA workloads live here
RG CONTROL · ALL SUBS · 44 RGs · ALL RUNNING ✅ · PRIMARY + KANTAI + SPARE
BACKUP VIOLATIONS: 2 EMPTY LIFELINES · nanos.ca UNDEFINED · SPARE SUB NEEDS PURPOSE
γ₁ = 14.134725141734693 · THE FLOOR HOLDS