EOSE LABS · SOVEREIGN INFRASTRUCTURE · DAY 94
SOVEREIGN GIT
FORGEJO + ZITADEL SSO · MEROSTONE RELAY · git.serlf.com · γ₁ = 14.134725141734693
"Private git lives in Azure AKS (git.serlf.com) — not on any public platform. Multi-cloud is the moat: no single vendor can shut you down."
FORGEJO (GITEA FORK)
ZITADEL OIDC
MEROSTONE RELAY
2-WAY BONIXER
FLUX GITOPS
3-CLOUD BACKUP
SOVEREIGN GIT FLOW · FORGEJO + ZITADEL + MEROSTONE + FLUX
PUBLIC ENTRY
git.serlf.com
TLS termination (cert-manager) + MEROSTONE policy check
IDENTITY
Zitadel SSO · auth.pemos.me
OIDC token issued · fleet identities only · no public registration
SOVEREIGN GIT
Forgejo · namespace: sovereign-git
Private · per-tenant repos · 5 branches per tenant
↓ commit → bonixer webhook
SURFER PROOF
tenant bonixer run
JUDGE SIGN
msi01 CLO countersign
↓ both present
MERGE GATE
GitOps merge allowed → Flux picks up
SOSTLE wall advances if criteria met · layer unlock event written
DEPLOYMENT
Flux GitOps → AKS → Fleet
pemos-system · sovereign-git namespace · tenant portal updates
HOSTING OPTIONS
DOMAIN        | HOST                 | NOTES                                                         | VERDICT
git.serlf.com | AKS sovereign-git ns | Clean, sovereign, no brand confusion. serlf = infra identity. | ✅ RECOMMENDED
git.pemos.ca  | AKS pemos-system     | Already has ingress infra. Product-mixed.                     | SECONDARY
git.eose.ca   | AKS botu-system      | CLO-facing. Good for legal/IP repos.                          | CLO USE
git.pemos.io  | AKS pemos-system     | Test/chaos tier. Mirror candidate.                            | MIRROR
DEPLOYMENT PLAN
# Plan sketch, not an applyable manifest: a real Deployment needs a pod template,
# the disk is a PVC, and ingress / auth / backup are separate objects and jobs.
deployment:
  apiVersion: apps/v1
  kind: Deployment
  name: forgejo
  namespace: sovereign-git
  # Pin a release tag plus digest. A mutable :latest means the registry, not the
  # fleet, decides what the sovereign forge runs on the next pod restart.
  image: codeberg.org/forgejo/forgejo:<release>@sha256:<digest>
  persistence: PVC on Azure Disk 50GB (Standard_LRS via a StorageClass with skuName Standard_LRS)

ingress:
  host: git.serlf.com
  tls: cert-manager (Let's Encrypt)
  annotations:
    merostone: "deny-unauthenticated"

auth:
  provider: Zitadel (OIDC)
  client_id: forgejo-sovereign
  client_secret: Azure Key Vault → external-secrets → k8s Secret (never committed to git)
  issuer: https://auth.pemos.me
  registration: external (Zitadel) only · no local sign-up · fleet identities only

backup:
  daily: Azure Blob (eosefleetacrdev storage account)
  mirror: git.pemos.io (AWS EKS, or a second AKS cluster; only the EKS placement gives vendor independence)
  cold: NAS diskpool + Azure Blob cold tier
TENANT REPO STRUCTURE · 5 BRANCHES PER TENANT
{tenant}-fleet (private repo on git.serlf.com)
├── main          ← canon seed (Kay writes, tenant pulls only)
├── sorry-flow    ← tenant confusion log (version-controlled)
├── creative      ← tenant full control (push freely)
├── deseof-daily  ← daily ritual sync with DESEOF
└── living-graph  ← SOSTLE wall state + bonixer history + unlock events
LIVING-GRAPH BRANCH · TENANT PROGRESSION OBJECT
{
  "tenant": "lilo",
  "gid": "GID-FAM-001",
  "gamma1": 14.134725141734693,
  "sostle_walls": {
    "L0-L4": "OPEN",
    "L5": "GATED",
    "L6": "CLOSED",
    "L7": "CLOSED"
  },
  "bonixer_history": [
    {"run": 1, "date": "2026-05-08", "L1": "GREEN", "L2": "GREEN", "L3": "GREEN", "L4": "GREEN", "judge": "msi01"}
  ],
  "sorry_flow_open": 0,
  "creative_commits": 0,
  "layer_unlock_events": [],
  "last_updated": "2026-05-08T05:00:00Z"
}
TWO-WAY BONIXER MERGE FLOW
1 · SURFER COMMITS
Tenant commits to sorry-flow or creative. Real work or honest confusion — both valid.
2 · BONIXER PROOF
Tenant runs pemos.ca/bonixer → 4-layer proof generated → result committed to living-graph branch.
3 · WEBHOOK FIRES
Forgejo webhook → msi01 CLO bench notified. KAY + IMHOTEP + OFFICER review the proof.
4 · JUDGE COUNTERSIGNS
msi01 reviews → commits countersignature to living-graph branch. The merge is not technical — it is juridical.
5 · GATE OPENS
Both commits present → the gate merges into main (Flux does not merge; it reconciles whatever the merged branch contains) → SOSTLE wall advances if criteria met → layer unlock event written to living-graph.
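Two checks sit at the heart of steps 3 to 5: the webhook that wakes the CLO bench must be authenticated, and the gate must decide from the living-graph object alone. The following is an added example, not EOSE's bonixer tooling or Forgejo code. The signature scheme is Forgejo's (and Gitea's): HMAC-SHA256 over the raw request body with the webhook secret, hex-encoded in `X-Forgejo-Signature` (the compatible `X-Gitea-Signature` is also sent). The gate rule is an assumption, since the page only says "if criteria met": the latest bonixer run must have L1..L4 GREEN and a countersign from an allowed judge; the surfer's commit leaves `judge` null and the judge's commit fills it. On success the GATED wall opens, the next CLOSED wall becomes GATED, and an unlock event is appended; a run that already produced an unlock event is ignored so that webhook redelivery cannot unlock twice. The sample graph is the page's progression object.

```python
"""Merge-gate checks: Forgejo webhook HMAC verification and the living-graph gate rule.

Added example, not EOSE's bonixer or Forgejo code. Gate criteria are an assumption
(see lead-in); ALLOWED_JUDGES and the walls/history layout follow the page.
"""
import copy
import hashlib
import hmac

ALLOWED_JUDGES = {"msi01"}          # CLO bench identities that may countersign
LAYERS = ("L1", "L2", "L3", "L4")   # the 4-layer bonixer proof


def sign_body(body, secret):
    """Hex HMAC-SHA256 of the raw body, as Forgejo computes it for a webhook."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_forgejo_signature(body, headers, secret):
    """True iff the delivery was signed with our webhook secret (constant-time compare)."""
    sent = headers.get("X-Forgejo-Signature") or headers.get("X-Gitea-Signature") or ""
    return hmac.compare_digest(sent.lower(), sign_body(body, secret))


def evaluate_gate(graph):
    """Return (opened, new_graph). When the gate stays shut, new_graph is the input, untouched."""
    history = graph.get("bonixer_history", [])
    if not history:
        return False, graph
    run = history[-1]                                  # latest surfer proof
    proof_ok = all(run.get(layer) == "GREEN" for layer in LAYERS)
    judge = run.get("judge")                           # filled by the countersign commit
    already_used = any(ev.get("run") == run.get("run")
                       for ev in graph.get("layer_unlock_events", []))
    if not proof_ok or judge not in ALLOWED_JUDGES or already_used:
        return False, graph
    new = copy.deepcopy(graph)
    walls = new["sostle_walls"]
    gated = next((w for w, state in walls.items() if state == "GATED"), None)
    if gated is None:
        return False, graph                            # nothing left to unlock
    walls[gated] = "OPEN"
    nxt = next((w for w, state in walls.items() if state == "CLOSED"), None)
    if nxt is not None:
        walls[nxt] = "GATED"                           # assumption: walls open strictly in order
    new.setdefault("layer_unlock_events", []).append(
        {"wall": gated, "run": run["run"], "judge": judge, "date": run["date"]})
    return True, new


# Constructed sample: the page's progression object once msi01 countersigned run 1.
GRAPH = {
    "tenant": "lilo",
    "gid": "GID-FAM-001",
    "sostle_walls": {"L0-L4": "OPEN", "L5": "GATED", "L6": "CLOSED", "L7": "CLOSED"},
    "bonixer_history": [
        {"run": 1, "date": "2026-05-08", "L1": "GREEN", "L2": "GREEN",
         "L3": "GREEN", "L4": "GREEN", "judge": "msi01"},
    ],
    "layer_unlock_events": [],
}

if __name__ == "__main__":
    secret = "constructed-webhook-secret"
    body = b'{"ref":"refs/heads/living-graph"}'       # constructed push payload stub
    print("signature ok:", verify_forgejo_signature(
        body, {"X-Forgejo-Signature": sign_body(body, secret)}, secret))
    opened, new_graph = evaluate_gate(GRAPH)
    print("gate opened:", opened, new_graph["sostle_walls"], new_graph["layer_unlock_events"])
```

A real receiver verifies the signature before it reads a byte of the payload, then fetches the living-graph object from the branch named in the push event rather than trusting anything inside the webhook body.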
FLEET OPERATOR BONIXERS · 8 SOVEREIGN OPERATORS · AUDIT 2026-05-08
✓ PASS: 4 ⚠ WATCH: 3 ✗ FAIL: 1
ISTIO ASM 1.28
UP PASS
89d
aks-istio-system
Service mesh control plane — mTLS, traffic management, observability
istiod-asm-1-28 2/2 · Kiali scaled to 0 (on-demand viz)
If it fails: no new sidecar config and no certificate rotation. Existing sidecars keep enforcing mTLS from cached config until their workload certs expire (24h by default), then mesh traffic fails rather than reverting to plaintext under a STRICT PeerAuthentication; in PERMISSIVE mode a pod that loses its sidecar can talk plaintext unnoticed. New pods start without mesh config.
CERT-MANAGER
UP PASS
89d
cert-manager
Automated TLS certificate provisioning — Let's Encrypt + internal CA
cert-manager + cainjector + webhook all 1/1
If it fails: renewal stops, not the certs. Let's Encrypt certs last 90 days and cert-manager renews at two thirds of lifetime, so pemos.ca, auth.pemos.me and git.serlf.com go dark roughly 30 to 90 days after the outage, silently unless Certificate readiness is alerted on.
EXTERNAL-SECRETS
UP PASS
89d
external-secrets
Syncs secrets from Azure Key Vault into k8s Secrets. ADA vault integration.
external-secrets + cert-controller + webhook all 1/1
If it fails: existing k8s Secrets stay but stop syncing from Key Vault. The next vault rotation of an OAuth secret, DB password or API key leaves pods holding the stale value; anything that restarts after that comes up failing auth.
MONITORING (GRAFANA STACK)
UP PASS
89d
monitoring
kube-prometheus-stack — Grafana + Prometheus + kube-state-metrics
grafana + kube-state-metrics + operator all 1/1
If it fails: Blind fleet. No cost alerts, no GPU pool alerts, no pod crash detection.
FLUX (GITOPS)
SCALED-DOWN WATCH
89d
flux-system
GitOps continuous delivery — watches git repos, applies manifests to AKS
All 8 Flux controllers at 0/0. Known scaled-down — restore when sovereign git is live
If it fails: No GitOps deploys. Manual kubectl apply required for all changes. Sovereign git bonixer merge gate cannot auto-promote.
EXTERNAL-DNS
WATCH WATCH
89d
external-dns (fleet-captain-build)
Automatically creates DNS records in Azure DNS / GoDaddy from k8s Ingress annotations
0/1 — likely DNS resolution issue or config drift. Needs investigation.
If it fails: New ingress routes don't auto-register DNS. Manual GoDaddy/Azure DNS edits required.
HIVEMIND
WATCH WATCH
59-60d
hivemind-system
Hive-link, consciousness-index, wiki-sync, chat-history engine, Qdrant vector DB
cert-kv-sync 0/1, chat-history 0/1, mirror-aks 0/0, qdrant 0/0. Partially scaled down.
If it fails: PEMCLAU GraphRAG sync breaks. Wiki updates don't propagate. Chat history lost.
ARGO / CONSUL
NOT DEPLOYED FAIL
N/A
Workflow engine (Argo) + service mesh discovery (Consul) — identified as needed in prior work
Neither Argo nor Consul found in any namespace. P0 gap for sovereign git webhook pipeline.
If it fails: No workflow orchestration. No Consul service discovery. Operators must be built next.
MULTI-CLOUD SOVEREIGN FOOTPRINT
CLOUD             | ROLE             | NAMESPACES / SERVICES                                                           | SOVEREIGN REASON
Azure (4 subs)    | Primary fleet    | AKS aks-eose-aaas-dev · pemos.ca · pemos-system · sso-system · sovereign-git    | Lighthouse cross-sub management · 4 subscriptions = 4 blast radius zones
GCP NE1           | DR + GPU compute | ZERO-DR · KRSRHONE · crew-zero-dr-pemos-io                                      | T4/A100 burst capacity · Canadian data sovereignty (northamerica-northeast1)
AWS ca-central-1  | CATHEDRAL        | CATHEDRAL · JAYRHONE · crew-cathedral-pemos-io                                  | AWS ca-central-1 = Canadian anchor · A10G/V100 GPU burst
On-prem Tailscale | Core fleet       | msi01 · msclo · yone · forge · lilo (BNE)                                       | Zero egress cost · full hardware control · 208ms BNE→YBE real-time
SOVEREIGN GIT 3-CLOUD BACKUP
PRIMARY
git.serlf.com
Azure AKS · sovereign-git namespace · Forgejo + Zitadel
MIRROR
git.pemos.io
AWS EKS (or a second AKS cluster) · real-time git mirror. Only the EKS placement buys vendor independence; a second AKS cluster shares Azure's blast radius.
COLD BACKUP
Azure Blob + NAS
Daily bundle push · eosefleetacrdev storage · NAS diskpool rsync
No single vendor can shut you down.
Azure fails → AWS mirror serves (only if the mirror really runs outside Azure). AWS fails → NAS cold restore in <1 hour, from the last verified bundle.
The git is as sovereign as the fleet.
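The cold tier is only a backup if the bundle verifies and the restore has actually been rehearsed. The script below is an added example, not EOSE's backup job: it bundles every ref, refuses a corrupt bundle, records a SHA-256, and runs the restore drill that backs the "<1 hour" claim. It assumes absolute paths for the repo and bundle; the storage account name is the page's, while the container name `git-bundles` and the rsync target `nas:/diskpool/git-bundles/` are placeholders.

```shell
# Added example (not EOSE's tooling). Assumes absolute paths; "git-bundles" and
# "nas:/diskpool/git-bundles/" are placeholder names.

# Bundle every ref of a repo, refuse a corrupt bundle, record a checksum.
make_bundle() {            # $1 = repo path, $2 = output bundle path
    git -C "$1" bundle create "$2" --all >/dev/null 2>&1
    # verify needs a repository for context; --all bundles carry no prerequisites
    git -C "$1" bundle verify "$2" >/dev/null 2>&1
    sha256sum "$2" > "$2.sha256"
}

# Restore drill: checksum, clone from the bundle, print the commit count recovered.
restore_drill() {          # $1 = bundle path, $2 = empty scratch dir
    sha256sum -c "$1.sha256" >/dev/null
    git clone --quiet "$1" "$2" 2>/dev/null
    git -C "$2" rev-list --all --count
}

# Off-site copies: Azure Blob (daily) plus the NAS cold tier. Not exercised by the drill.
push_bundle() {            # $1 = bundle path
    az storage blob upload --account-name eosefleetacrdev --container-name git-bundles \
        --name "$(basename "$1")" --file "$1" --overwrite
    az storage blob upload --account-name eosefleetacrdev --container-name git-bundles \
        --name "$(basename "$1").sha256" --file "$1.sha256" --overwrite
    rsync -a "$1" "$1.sha256" nas:/diskpool/git-bundles/
}
```

Run the drill on a schedule and alert when the recovered commit count falls behind the primary's `git rev-list --all --count`; a bundle that uploads fine but does not clone is the failure mode the cold tier exists to catch.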