<mxfile host="app.diagrams.net" agent="mgh-arch-snapshot" version="24.6.0">
  <diagram id="mgh-workspace-arch" name="MGH Workspace Architecture (2026-06-07)">
    <mxGraphModel dx="2200" dy="2700" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="2400" pageHeight="3600" math="0" shadow="0">
      <root>
        <mxCell id="0" />
        <mxCell id="1" parent="0" />

        <!-- ====================================================================
             TITLE
        ===================================================================== -->
        <mxCell id="title" value="MGH Workspace — Global Architecture (snapshot 2026-06-07)&#10;Two brands (MGH parent + Quantmods subsidiary). Free-tier maximalist split: Cloudflare edge + OCI compute/storage + Google Workspace identity + GitHub CI.&#10;Auth tier split per ADR-0017 + ADR-0018: prod backends on Google OIDC + MGH Org + 24h; every dev.* on Email OTP + 2-email allow-list + 48h." style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=22;fontStyle=1;" vertex="1" parent="1">
          <mxGeometry x="40" y="30" width="2320" height="90" as="geometry" />
        </mxCell>
        <mxCell id="legend" value="LEGEND&#10;━━ Solid line = traffic flow&#10;┄┄ Dashed line = control/identity flow&#10;━━╋━━ Pages cutover (Phase 3, atomic swap pending)&#10;💤 = Gated / pending first deploy" style="text;html=1;strokeColor=#666;fillColor=#FAFAFA;align=left;verticalAlign=middle;whiteSpace=wrap;rounded=1;fontSize=11;" vertex="1" parent="1">
          <mxGeometry x="2020" y="30" width="340" height="100" as="geometry" />
        </mxCell>

        <!-- ====================================================================
             TIER 1 — USERS / OPERATOR
        ===================================================================== -->
        <mxCell id="tier-1-label" value="TIER 1 — USERS · OPERATORS · AGENTS" style="text;html=1;strokeColor=none;fillColor=none;align=left;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=14;fontStyle=2;fontColor=#4A5568;" vertex="1" parent="1">
          <mxGeometry x="60" y="150" width="500" height="24" as="geometry" />
        </mxCell>
        <mxCell id="user-public" value="🌐 Public Internet Users&#10;(browsers, MTAs)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#E1E5EC;strokeColor=#4A5568;fontSize=11;" vertex="1" parent="1">
          <mxGeometry x="80" y="180" width="260" height="90" as="geometry" />
        </mxCell>
        <mxCell id="user-internal" value="🔐 MGH Operators / Staff&#10;(skander, future staff)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#E1E5EC;strokeColor=#4A5568;fontSize=11;" vertex="1" parent="1">
          <mxGeometry x="380" y="180" width="260" height="90" as="geometry" />
        </mxCell>
        <mxCell id="user-claude" value="🤖 Claude Code (this workspace)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFF1E0;strokeColor=#FF6B00;fontSize=11;" vertex="1" parent="1">
          <mxGeometry x="680" y="180" width="260" height="90" as="geometry" />
        </mxCell>

        <!-- ====================================================================
             TIER 2 — CLOUDFLARE EDGE (TWO ZONES)
        ===================================================================== -->
        <mxCell id="tier-2-label" value="TIER 2 — CLOUDFLARE EDGE  ·  CDN · Workers · Access · WAF · Tunnel · DNS · Email Routing" style="text;html=1;strokeColor=none;fillColor=none;align=left;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=14;fontStyle=2;fontColor=#F38020;" vertex="1" parent="1">
          <mxGeometry x="60" y="310" width="900" height="24" as="geometry" />
        </mxCell>
        <mxCell id="cf-container" value="CLOUDFLARE  —  account caf03872e5c0063df82eb353430b7e78  —  token mgh-iac-account (scoped)" style="swimlane;rounded=1;whiteSpace=wrap;html=1;fillColor=#FFF4E6;strokeColor=#F38020;startSize=28;fontSize=14;fontStyle=1;collapsible=0;" vertex="1" parent="1">
          <mxGeometry x="40" y="340" width="2320" height="720" as="geometry" />
        </mxCell>

        <!-- Zone marnissi-holdings.com -->
        <mxCell id="cf-mh" value="Zone  marnissi-holdings.com  (Primary — MGH parent brand)&#10;Zone ID: 4a6738cc400e9e0cbea94b0f4b2423a0  ·  TLS: Full (strict), HSTS 1y, min TLS 1.2" style="swimlane;rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFAF0;strokeColor=#D97706;startSize=36;fontSize=14;fontStyle=1;collapsible=0;" vertex="1" parent="cf-container">
          <mxGeometry x="20" y="40" width="1140" height="660" as="geometry" />
        </mxCell>

        <mxCell id="cf-mh-dns-prod" value="DNS records — PROD tier&#10;━━━━━━━━━━━━━━━━━&#10;CNAME admin       → tunnel (proxied)&#10;CNAME api         → tunnel (proxied)&#10;CNAME labs        → tunnel (proxied)&#10;Single-Redirect  www → apex (301)&#10;━━━━━━━━━━━━━━━━━&#10;✗ docs.* tunnel CNAME REMOVED 2026-06-06 (ADR-0014 revised)&#10;   docs serves at mgh-docs.pages.dev permanently&#10;━━━━━━━━━━━━━━━━━&#10;MX  smtp.google.com (Workspace)&#10;  ⚠ conflicts with Auto-MX route1/2/3.mx.cloudflare.net in the Email Routing block — a zone publishes one MX set; confirm which is actually live&#10;TXT SPF/DKIM/DMARC (Workspace)&#10;  SPF must also include eu-milan-1.rp.oracleemaildelivery.com and DKIM needs the mgh-v1 CNAME for OCI Email Delivery (see OCI Email Delivery block)&#10;TXT google-site-verification" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#999;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-mh">
          <mxGeometry x="20" y="50" width="340" height="220" as="geometry" />
        </mxCell>

        <mxCell id="cf-mh-dns-dev" value="DNS records — DEV tier (ADR-0013, 2026-06-06)&#10;━━━━━━━━━━━━━━━━━━━━&#10;CNAME admin.dev → tunnel (proxied)&#10;CNAME api.dev   → tunnel (proxied)&#10;CNAME labs.dev  → tunnel (proxied)&#10;CNAME dev (apex) → mgh-website-dev Worker 💤" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#F0F7FF;strokeColor=#4A90E2;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-mh">
          <mxGeometry x="20" y="285" width="340" height="120" as="geometry" />
        </mxCell>

        <mxCell id="cf-mh-worker" value="Workers&#10;━━━━━━━━━━━━━━━━━&#10;✅ mgh-website   (apex bind id 8139df08…)&#10;💤 mgh-website-dev (dev.* bind, pending)&#10;━━━━━━━━━━━━━━━━━&#10;Deployed via Wrangler from CI&#10;Reads OCI Object Storage bucket" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFE8CC;strokeColor=#F38020;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-mh">
          <mxGeometry x="380" y="50" width="320" height="140" as="geometry" />
        </mxCell>

        <mxCell id="cf-mh-pages" value="Pages — mgh-docs ✅ LIVE (ADR-0014)&#10;━━━━━━━━━━━━━━━━━&#10;Project: mgh-docs&#10;Source: GH MARNISSI-GROUP-HOLDINGS/mgh-docs main&#10;Build: pip install -r requirements.txt &amp;&amp; mkdocs build&#10;Output: site/&#10;Preview: *.pages.dev per PR (branch=develop)&#10;━━━━━━━━━━━━━━━━━&#10;✅ Canonical URL: https://mgh-docs.pages.dev&#10;✗ No custom domain (operator decision 2026-06-06)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFE8CC;strokeColor=#F38020;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-mh">
          <mxGeometry x="380" y="205" width="320" height="160" as="geometry" />
        </mxCell>

        <mxCell id="cf-mh-tunnel" value="Tunnel  mgh-dev  (cloudflared)&#10;━━━━━━━━━━━━━━━━━&#10;UUID: 8948305b-10a6-4a59-9011-75b348711a64&#10;Daemon on VPS, 4 HA conns&#10;Ingress map → localhost ports&#10;Phase 3 Apply C: drop docs.* ingress" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFE8CC;strokeColor=#F38020;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-mh">
          <mxGeometry x="720" y="50" width="400" height="140" as="geometry" />
        </mxCell>

        <mxCell id="cf-mh-access" value="Access (Zero Trust) — account-scoped, spans both zones&#10;━━━━━━━━━━━━━━━━━&#10;IdPs (2):&#10;  · Google Workspace OIDC — prod backends&#10;  · Email OTP — every dev.* (ADR-0018)&#10;    ⚠ OTP is only as strong as the two allow-listed mailboxes — MFA on those mail accounts is the effective second factor for dev.*&#10;Groups (2):&#10;  · mgh_org      — email-domain include (Workspace)&#10;  · mgh_org_dev  — explicit 2-email allow-list&#10;Apps (8): admin/api/labs (prod, Google, 24h) +&#10;  admin_dev/api_dev/labs_dev/mgh_website_dev/&#10;  quantmods_website_dev (dev, OTP, 48h)&#10;━━━━━━━━━━━━━━━━━&#10;Public (no Access): apex marnissi-holdings.com,&#10;  apex quantmods.com, mgh-docs.pages.dev" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFE8CC;strokeColor=#F38020;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-mh">
          <mxGeometry x="720" y="205" width="400" height="160" as="geometry" />
        </mxCell>

        <mxCell id="cf-mh-waf" value="WAF&#10;━━━━━━━━━━━━━━━━━&#10;Managed: CF Free Managed Ruleset (log→enforce)&#10;Custom: bad-UA block + host-header smuggling&#10;Rate-limit: 10rpm/IP/PoP on api.* (Free quota: 1)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFE8CC;strokeColor=#F38020;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-mh">
          <mxGeometry x="20" y="425" width="540" height="120" as="geometry" />
        </mxCell>

        <mxCell id="cf-mh-email" value="Email Routing&#10;━━━━━━━━━━━━━━━━━&#10;Catch-all *@marnissi-holdings.com →&#10;forwards to marnissi.investments@gmail.com&#10;  ⚠ every inbound message for the domain (account-recovery mail, and CF Access OTP codes if an allow-list address is on this domain) lands in that external consumer mailbox — its MFA is effectively the second factor for the whole domain&#10;Auto-MX: route1/2/3.mx.cloudflare.net (Tofu-locked)&#10;  ⚠ conflicts with MX smtp.google.com shown in the PROD DNS block — only one MX set can be published; confirm which is live" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFE8CC;strokeColor=#F38020;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-mh">
          <mxGeometry x="580" y="425" width="540" height="120" as="geometry" />
        </mxCell>

        <!-- Zone quantmods.com -->
        <mxCell id="cf-qm" value="Zone  quantmods.com  (Peer — Quantmods subsidiary, Workspace alias)&#10;Zone ID: d764f545194f0b4ccd8274247f47cf0e  ·  Same TLS hardening as marnissi-holdings (ADR-0012)" style="swimlane;rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFAF0;strokeColor=#D97706;startSize=36;fontSize=14;fontStyle=1;collapsible=0;" vertex="1" parent="cf-container">
          <mxGeometry x="1180" y="40" width="1120" height="660" as="geometry" />
        </mxCell>

        <mxCell id="cf-qm-dns" value="DNS — Workspace alias only (ADR-0012)&#10;━━━━━━━━━━━━━━━━━━━━━&#10;MX 1  aspmx.l.google.com&#10;MX 5  alt1.aspmx.l.google.com&#10;MX 5  alt2.aspmx.l.google.com&#10;MX 10 alt3.aspmx.l.google.com&#10;MX 10 alt4.aspmx.l.google.com&#10;━━━━━━━━━━━━━━━━━━━━━&#10;TXT SPF        v=spf1 include:_spf.google.com ~all&#10;TXT DKIM       google._domainkey (2048-bit, live)&#10;TXT DMARC      p=quarantine pct=25 rua→marnissi-holdings.com&#10;  (cross-domain rua: marnissi-holdings.com must publish quantmods.com._report._dmarc.marnissi-holdings.com TXT v=DMARC1, otherwise receivers drop the reports — confirm)&#10;TXT Workspace verification (Google auto-added)&#10;Single-Redirect www → apex" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#999;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-qm">
          <mxGeometry x="20" y="50" width="420" height="240" as="geometry" />
        </mxCell>

        <mxCell id="cf-qm-worker" value="Workers&#10;━━━━━━━━━━━━━━━━━&#10;✅ quantmods-website-dev → dev.quantmods.com (LIVE 2026-06-06)&#10;💤 quantmods-website-prod → quantmods.com apex (gated)&#10;━━━━━━━━━━━━━━━━━&#10;Both bind via Workers Custom Domain&#10;Fetches from OCI bucket quantmods-website-dev (dev tier)&#10;dev gated behind CF Access OTP (ADR-0017 + 0018)&#10;  ⚠ Access gates the Worker hostname only — the bucket is ObjectReadWithoutList, so any object remains anonymously readable at the OCI endpoint by exact key; if dev content must stay confidential the bucket has to be private with the Worker authenticating to OCI" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFE8CC;strokeColor=#F38020;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-qm">
          <mxGeometry x="460" y="50" width="640" height="180" as="geometry" />
        </mxCell>

        <mxCell id="cf-qm-norest" value="NOT on this zone (intentional):&#10;━━━━━━━━━━━━━━━━━&#10;✗ No CF Email Routing (Workspace alias handles inbound)&#10;✗ No OCI Email Delivery (transactional stays on no-reply@marnissi-holdings.com)&#10;✗ No CF Tunnel (apex/www are static — Workers only)&#10;✓ CF Access OTP on dev.quantmods.com (ADR-0017+0018)&#10;✗ Apex quantmods.com stays public (no Access — prod frontend)&#10;✗ No WAF custom/ratelimit (Free quota lives on marnissi api.*)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#F5F5F5;strokeColor=#888;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-qm">
          <mxGeometry x="460" y="250" width="640" height="160" as="geometry" />
        </mxCell>

        <mxCell id="cf-qm-zonesettings" value="Zone settings (same as marnissi-holdings)&#10;━━━━━━━━━━━━━━━━━&#10;SSL Full (strict)&#10;Always Use HTTPS&#10;Automatic HTTPS Rewrites&#10;Min TLS 1.2&#10;HSTS 1y include_subdomains preload&#10;Security Level: medium" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFE8CC;strokeColor=#F38020;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="cf-qm">
          <mxGeometry x="20" y="310" width="420" height="160" as="geometry" />
        </mxCell>

        <!-- ====================================================================
             TIER 3 — GitHub Org + Google Workspace
        ===================================================================== -->
        <mxCell id="tier-3-label" value="TIER 3 — GITHUB ORG  ·  GOOGLE WORKSPACE  (identity + CI)" style="text;html=1;strokeColor=none;fillColor=none;align=left;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=14;fontStyle=2;fontColor=#2F353D;" vertex="1" parent="1">
          <mxGeometry x="60" y="1110" width="900" height="24" as="geometry" />
        </mxCell>
        <mxCell id="gh-container" value="GITHUB — Org MARNISSI-GROUP-HOLDINGS — Free plan (private repos, no rulesets / branch protection — a direct push to main is a prod deploy with no required review)" style="swimlane;rounded=1;whiteSpace=wrap;html=1;fillColor=#F4F4F8;strokeColor=#2F353D;startSize=28;fontSize=14;fontStyle=1;collapsible=0;" vertex="1" parent="1">
          <mxGeometry x="40" y="1140" width="1380" height="380" as="geometry" />
        </mxCell>

        <mxCell id="gh-repos" value="9 repos (post-rename 2026-06-06)&#10;━━━━━━━━━━━━━━━━━&#10;• mgh-website          (was 'website')             develop=dev, main=prod&#10;• quantmods-website   (NEW, FSD scaffold)         develop=dev, main=prod&#10;• mgh-admin-ui        (was 'admin-frontend')      develop=dev, main=prod&#10;• mgh-admin-api       (was 'admin-backend')       develop=dev, main=prod&#10;• mgh-docs            (was 'docs')                main-only (Pages PR previews)&#10;• infra               (OpenTofu + Ansible)        main-only&#10;• devops              (reusable workflows)        main-only&#10;• labs                (R&amp;D PoCs)                 main-only&#10;• .github             (org community files)       main-only&#10;━━━━━━━━━━━━━━━━━&#10;GitFlow-lite (ADR-0015): default branch stays main for every repo." style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#666;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="gh-container">
          <mxGeometry x="20" y="40" width="660" height="320" as="geometry" />
        </mxCell>

        <mxCell id="gh-actions" value="GitHub Actions — reusable workflows (ADR-0016)&#10;━━━━━━━━━━━━━━━━━&#10;Hosted in devops/.github/workflows/, consumed by repos via:&#10;  uses: MARNISSI-GROUP-HOLDINGS/devops/.github/workflows/&lt;file&gt;@main&#10;  ⚠ @main is a floating ref and devops main has no branch protection (Free plan) — one push to devops main silently changes the deploy workflow for every consumer repo; pin consumers to a tag or commit SHA&#10;━━━━━━━━━━━━━━━━━&#10;• reusable-node.yml             Node lint/typecheck/build&#10;• reusable-python-uv.yml        uv sync + ruff + mypy + bandit + pytest&#10;• reusable-tofu-validate.yml    fmt -check + validate (no apply)&#10;• reusable-deploy-static-to-oci.yml  aws s3 sync to OCI S3-compat&#10;• reusable-deploy-cloudflare-worker.yml  wrangler deploy&#10;• reusable-deploy-cloudflare-pages.yml   pages deploy (mgh-docs)&#10;━━━━━━━━━━━━━━━━━&#10;Runners: github-hosted (free-tier minutes, ARM A1 self-hosted deferred)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#666;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="gh-container">
          <mxGeometry x="700" y="40" width="660" height="320" as="geometry" />
        </mxCell>

        <!-- Google Workspace -->
        <mxCell id="gws-container" value="GOOGLE WORKSPACE — single tenant, two addressable domains" style="swimlane;rounded=1;whiteSpace=wrap;html=1;fillColor=#E8F0FE;strokeColor=#4285F4;startSize=28;fontSize=14;fontStyle=1;collapsible=0;" vertex="1" parent="1">
          <mxGeometry x="1440" y="1140" width="920" height="380" as="geometry" />
        </mxCell>

        <mxCell id="gws-primary" value="Primary domain: marnissi-holdings.com&#10;━━━━━━━━━━━━━━━━━&#10;• User accounts live here&#10;• CF Email Routing forwards inbound → marnissi.investments@gmail.com&#10;• OCI Email Delivery sends outbound from no-reply@marnissi-holdings.com&#10;• DKIM via OCI selector mgh-v1 (not Workspace)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#4285F4;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="gws-container">
          <mxGeometry x="20" y="40" width="440" height="160" as="geometry" />
        </mxCell>

        <mxCell id="gws-alias" value="Alias domain: quantmods.com (ADR-0012)&#10;━━━━━━━━━━━━━━━━━&#10;• Same Workspace tenant&#10;• Same user accounts receive at @quantmods.com&#10;• Inbound via Google ASPMX MX records (5)&#10;• DKIM 2048-bit, selector 'google' (TXT, ADR-0012 nuance)&#10;• DMARC rua → marnissi-holdings.com (aggregation)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#4285F4;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="gws-container">
          <mxGeometry x="480" y="40" width="420" height="160" as="geometry" />
        </mxCell>

        <mxCell id="gws-oidc" value="OIDC Identity Provider — mgh-cloudflare-access&#10;━━━━━━━━━━━━━━━━━&#10;Client ID: 104508299788-rjndg8hml2mm…&#10;Client Secret: vault.yml google_oidc_client_secret&#10;Apps domain: marnissi-holdings.com&#10;━━━━━━━━━━━━━━━━━&#10;Drives CF Access ONLY for PROD backends:&#10;  admin / api / labs on marnissi-holdings.com (24h session)&#10;Dev tier uses CF-built-in Email OTP (ADR-0018, no Google)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#34A853;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="gws-container">
          <mxGeometry x="20" y="210" width="880" height="100" as="geometry" />
        </mxCell>

        <!-- ====================================================================
             TIER 4 — OCI
        ===================================================================== -->
        <mxCell id="tier-4-label" value="TIER 4 — ORACLE CLOUD INFRASTRUCTURE  (eu-milan-1)  ·  Compute · Object Storage · OCIR · Email · IAM · Network" style="text;html=1;strokeColor=none;fillColor=none;align=left;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=14;fontStyle=2;fontColor=#C74634;" vertex="1" parent="1">
          <mxGeometry x="60" y="1570" width="1400" height="24" as="geometry" />
        </mxCell>
        <mxCell id="oci-container" value="ORACLE CLOUD INFRASTRUCTURE — region eu-milan-1 — tenancy axpblg7pw9kd — 104 resources live (2026-06-07; +16 since 2026-06-06: quantmods-website-dev Worker Custom Domain, 5 dev Access apps, OTP IdP, MGH Org Dev group, 5 dev policies, etc.)" style="swimlane;rounded=1;whiteSpace=wrap;html=1;fillColor=#FFEBEB;strokeColor=#C74634;startSize=28;fontSize=14;fontStyle=1;collapsible=0;" vertex="1" parent="1">
          <mxGeometry x="40" y="1600" width="2320" height="1640" as="geometry" />
        </mxCell>

        <!-- Tenancy-scoped OCIR -->
        <mxCell id="oci-ocir" value="OCIR (tenancy-scoped) — eu-milan-1.ocir.io/axpblg7pw9kd&#10;━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━&#10;5 container repos (renamed 2026-06-06 per ADR-0012):&#10;  · mgh-admin-api      (was mgh-admin-backend)         0 images&#10;  · mgh-admin-ui       (was mgh-admin-frontend)        0 images&#10;  · mgh-website                                        0 images&#10;  · mgh-docs                                           0 images (will be unused once Pages live, ADR-0014)&#10;  · quantmods-website  (NEW)                           0 images&#10;━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━&#10;is_immutable removed (OCI dropped support); lifecycle outside Tofu" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#C74634;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-container">
          <mxGeometry x="20" y="40" width="2260" height="220" as="geometry" />
        </mxCell>

        <!-- Dev Compartment -->
        <mxCell id="oci-dev" value="DEV COMPARTMENT — ocid1.compartment.oc1..aaaaaaaatmdjo4xkoq7…  ·  85% of resources today" style="swimlane;rounded=1;whiteSpace=wrap;html=1;fillColor=#FFF5F5;strokeColor=#E11D48;startSize=28;fontSize=14;fontStyle=1;collapsible=0;" vertex="1" parent="oci-container">
          <mxGeometry x="20" y="280" width="1500" height="1320" as="geometry" />
        </mxCell>

        <mxCell id="oci-dev-net" value="NETWORK — VCN  mgh-dev  10.10.0.0/16&#10;━━━━━━━━━━━━━━━━━━━━━━━━&#10;Public subnet  10.10.1.0/24&#10;Private subnet 10.10.2.0/24&#10;Gateways: IGW + NAT-GW + Service-GW (Object Storage binding)&#10;━━━━━━━━━━━━━━━━━━━━━━━━&#10;NSG  nsg-ops-dev:&#10;  ingress: SSH from operator_ip_cidr (31.34.105.26/32)&#10;  egress:  all&#10;NSG  nsg-app-dev:&#10;  ingress: SSH from nsg-ops-dev (no internet)&#10;  egress:  all&#10;━━━━━━━━━━━━━━━━━━━━━━━━&#10;No public ingress on compute except SSH from operator_ip_cidr (nsg-ops-dev); all app traffic enters only via the outbound-only Cloudflare Tunnel. Note operator_ip_cidr is a residential /32 — it must be updated whenever the operator IP changes, or SSH is locked out." style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#666;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-dev">
          <mxGeometry x="20" y="40" width="450" height="280" as="geometry" />
        </mxCell>

        <mxCell id="oci-dev-iam" value="IAM (groups + policies + dynamic group)&#10;━━━━━━━━━━━━━━━━━━━&#10;Groups:&#10;  · ci-deployers-dev          (Tofu/CI deploy)&#10;  · developers-dev            (read-only)&#10;  · auditors-dev              (read-only audit)&#10;  · ci-website-deployers-dev          (mgh-website-prod bucket write)&#10;  · ci-website-deployers-quantmods-dev (NEW, ADR-0011/12) ✨&#10;Dynamic group:&#10;  · app-runtime-dev  → VPS instance resource principal&#10;━━━━━━━━━━━━━━━━━━━&#10;Policies (4+ in dev compartment):&#10;  · ci-deployer, app-runtime, developer-readonly, auditor&#10;  · ci-website-deployer, ci-website-deployer-quantmods (write-only on respective buckets)&#10;━━━━━━━━━━━━━━━━━━━&#10;App-runtime uses resource principal — no static keys on VPS" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#666;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-dev">
          <mxGeometry x="490" y="40" width="540" height="320" as="geometry" />
        </mxCell>

        <mxCell id="oci-dev-buckets" value="OBJECT STORAGE buckets&#10;━━━━━━━━━━━━━━━━━━━&#10;In dev compartment:&#10;  · mgh-assets-dev    Standard, versioned&#10;  · mgh-logs-dev      Standard, lifecycle delete&#10;  · quantmods-website-dev  Standard, ObjectReadWithoutList ✨ NEW&#10;━━━━━━━━━━━━━━━━━━━&#10;In prod compartment (durability, ADR-0011):&#10;  · mgh-website-prod  Standard, ObjectReadWithoutList&#10;        (live, serves apex marnissi-holdings.com via Worker)&#10;━━━━━━━━━━━━━━━━━━━&#10;Lifecycle: service-principal grant required (added 2026-05-31)&#10;S3-compat: https://axpblg7pw9kd.compat.objectstorage.eu-milan-1.oraclecloud.com" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#666;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-dev">
          <mxGeometry x="1050" y="40" width="430" height="280" as="geometry" />
        </mxCell>

        <mxCell id="oci-dev-vps" value="COMPUTE — bootstrap VPS&#10;━━━━━━━━━━━━━━━━━━━&#10;mgh-bootstrap-dev  VM.Standard.E2.1.Micro (x86 Always Free)&#10;Public subnet, nsg-ops-dev, 50GB boot, Ubuntu 22.04&#10;Public IP 92.4.171.88  ·  Private 10.10.1.155&#10;━━━━━━━━━━━━━━━━━━━&#10;SSH: ssh mgh-ops@92.4.171.88 (key ~/.ssh/mgh_ops_ed25519)&#10;Roles applied: common ✓ docker ✓ cloudflared ✓ (4 HA conns)&#10;━━━━━━━━━━━━━━━━━━━&#10;Future: ARM A1 fleet for app workloads (deferred to v2)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#666;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-dev">
          <mxGeometry x="20" y="340" width="500" height="220" as="geometry" />
        </mxCell>

        <mxCell id="oci-dev-state" value="OPENTOFU STATE BACKEND (S3-compat in OCI Object Storage)&#10;━━━━━━━━━━━━━━━━━━━&#10;Bucket: mgh-tofu-state&#10;Dev key: envs/dev/terraform.tfstate&#10;Prod key (future): envs/prod/terraform.tfstate&#10;Auth: OCI Customer Secret Keys (AWS_*) — NOT API key pair&#10;━━━━━━━━━━━━━━━━━━━&#10;104 resources in dev state (2026-06-07)&#10;⚠ state carries whatever secrets the managed resources hold (likely IdP client secrets, tunnel credentials) — bucket must stay private and versioned; encryption/versioning settings not recorded here, confirm" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#666;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-dev">
          <mxGeometry x="540" y="380" width="490" height="180" as="geometry" />
        </mxCell>

        <mxCell id="oci-dev-cl" value="VPS WORKLOAD (cloudflared sidecar today; future containers)&#10;━━━━━━━━━━━━━━━━━━━&#10;Systemd: cloudflared.service (local-management)&#10;Config:  /etc/cloudflared/config.yml (Ansible-templated)&#10;Ingress rules → localhost:port mapping:&#10;  admin.marnissi-holdings.com   → http://localhost:3001 (mgh-admin-ui)&#10;  api.marnissi-holdings.com     → http://localhost:8001 (mgh-admin-api)&#10;  labs.marnissi-holdings.com    → http://localhost:9000&#10;  (docs.* removed — never had ingress in cloudflared template)&#10;Future: same hostname/port map duplicated for *.dev.* (ADR-0013)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#666;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-dev">
          <mxGeometry x="1050" y="340" width="430" height="220" as="geometry" />
        </mxCell>

        <mxCell id="oci-dev-apps" value="APP CONTAINERS (planned — not yet deployed)&#10;━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━&#10;Pulled from OCIR by VPS via docker compose:&#10;  · postgres (managed by roles/postgres) — nightly pg_dump → mgh-backups bucket&#10;  · redis    (managed by roles/redis)&#10;  · mgh-admin-api container (built by mgh-admin-api CI, pushed to OCIR)&#10;  · mgh-docs container (REMOVED after ADR-0014 Apply C; Pages takes over)&#10;━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━&#10;Observability (deferred): node_exporter + log shipping" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#999;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-dev">
          <mxGeometry x="20" y="580" width="1010" height="180" as="geometry" />
        </mxCell>

        <mxCell id="oci-dev-tunnel" value="CLOUDFLARE TUNNEL ENDPOINT (sits at OCI/CF boundary)&#10;━━━━━━━━━━━━━━━━━&#10;Outbound-only egress to CF edge over QUIC&#10;No inbound listener for app traffic — the tunnel is the only HTTP path; the sole other inbound is SSH from operator_ip_cidr via nsg-ops-dev&#10;Tunnel UUID: see cf-mh-tunnel block in CF section above (the tunnel credential itself is not recorded in this diagram)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFE8CC;strokeColor=#F38020;align=left;fontSize=11;fontFamily=Courier New;dashed=1;" vertex="1" parent="oci-dev">
          <mxGeometry x="1050" y="580" width="430" height="120" as="geometry" />
        </mxCell>

        <mxCell id="oci-dev-tags" value="✨ NEW 2026-06-07 ✨&#10;━━━━━━━━━━━━━━━━━━━&#10;• 2026-06-06 Phase 1: 3 dev-tier tunnel CNAMEs + quantmods.com zone (15) + OCIR rename + quantmods-website repo&#10;• 2026-06-06 (later): quantmods-website-dev CI bootstrap + Worker Custom Domain → dev.quantmods.com LIVE (PR #18, #19)&#10;• 2026-06-06 ADR-0017: every dev.* behind CF Access (5 new apps + 5 policies)&#10;• 2026-06-07 ADR-0018: dev tier on Email OTP + 2-email allow-list + 48h (PR #20)&#10;• 2026-06-07 CSP fix on Workers (next/inline scripts no longer blocked)&#10;━━━━━━━━━━━━━━━━━━━&#10;Pending: 5 orphan CF Access policies cleanup (dashboard); envs/prod standup (zone migration runbook); quantmods-website-prod" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFD0;strokeColor=#D4A30F;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-dev">
          <mxGeometry x="20" y="900" width="1460" height="220" as="geometry" />
        </mxCell>

        <mxCell id="oci-dev-finops" value="FINOPS LEDGER  ·  infra/finops/ledger.md  ·  current monthly cost: $0.00 (all within Always Free + CF Free)&#10;Free-tier headroom: Workers 100k req/day · Pages 500 builds/mo · OCI Always Free unlimited egress within-tenancy" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#F0FFF4;strokeColor=#22C55E;align=left;fontSize=11;fontFamily=Courier New;fontStyle=2;" vertex="1" parent="oci-dev">
          <mxGeometry x="20" y="1140" width="1460" height="90" as="geometry" />
        </mxCell>

        <!-- Prod Compartment -->
        <mxCell id="oci-prod" value="PROD COMPARTMENT — ocid1.compartment.oc1..aaaaaaaakqezz6oi…  ·  durability for cross-env-survivable resources" style="swimlane;rounded=1;whiteSpace=wrap;html=1;fillColor=#FFF5F5;strokeColor=#E11D48;startSize=28;fontSize=14;fontStyle=1;collapsible=0;" vertex="1" parent="oci-container">
          <mxGeometry x="1540" y="260" width="740" height="1180" as="geometry" />
        </mxCell>

        <mxCell id="oci-prod-email" value="OCI EMAIL DELIVERY (ADR-0005)&#10;━━━━━━━━━━━━━━━━━━━━━━&#10;Domain: marnissi-holdings.com&#10;  (placed in PROD compartment for durability)&#10;DKIM key — selector mgh-v1 (immutable post-publish)&#10;Approved sender: no-reply@marnissi-holdings.com&#10;━━━━━━━━━━━━━━━━━━━━━━&#10;Outputs consumed by cloudflare-dns module:&#10;  · DKIM CNAME host + value&#10;  · SPF include eu-milan-1.rp.oracleemaildelivery.com&#10;━━━━━━━━━━━━━━━━━━━━━━&#10;⚠ Domain ownership TXT verification PENDING operator paste from OCI Console" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#C74634;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-prod">
          <mxGeometry x="20" y="40" width="700" height="260" as="geometry" />
        </mxCell>

        <mxCell id="oci-prod-bucket" value="OBJECT STORAGE — origin for live apex&#10;━━━━━━━━━━━━━━━━━━━━━&#10;mgh-website-prod  Standard, ObjectReadWithoutList&#10;  (misnomer — bucket name 'prod' but resource is in PROD compartment;&#10;   the dev env composition currently owns it for durability)&#10;━━━━━━━━━━━━━━━━━━━━━&#10;Quantmods sibling: quantmods-website-prod (Phase 3, prod env not yet applied)&#10;━━━━━━━━━━━━━━━━━━━━━&#10;Anonymous GET on /n/&lt;ns&gt;/b/&lt;bucket&gt;/o/&lt;key&gt; works (no LIST)&#10;  (direct origin reads bypass the CF edge — WAF, rate-limit and Access do not apply; acceptable only because this content is public)&#10;Worker fetches from this endpoint per request" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#C74634;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-prod">
          <mxGeometry x="20" y="320" width="700" height="240" as="geometry" />
        </mxCell>

        <mxCell id="oci-prod-iam" value="IAM (prod-scoped) — minimal today&#10;━━━━━━━━━━━━━━━━━━━━━&#10;ci-website-deployer policy attached in prod compartment&#10;  (policies attach in the compartment that contains the resource they govern)&#10;Operator IAM users + Customer Secret Keys created out-of-band&#10;  (long-lived static credentials, presumably held as GitHub secrets for the s3-sync workflows — rotation cadence not recorded here, confirm)&#10;OCIR pull policy granted to dev tenancy users (cross-compartment)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FFFFFF;strokeColor=#C74634;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="oci-prod">
          <mxGeometry x="20" y="580" width="700" height="180" as="geometry" />
        </mxCell>

        <mxCell id="oci-prod-future" value="FUTURE — when envs/prod/ is applied&#10;━━━━━━━━━━━━━━━━━━━━━&#10;• Prod VCN 10.20.0.0/16 (ADR-0003)&#10;• Prod tunnel mgh-prod&#10;• Prod tier OCI compute (ARM A1 fleet)&#10;• Zone ownership migrates from dev → prod composition&#10;  via tofu state mv (future runbook)&#10;• Buckets: mgh-website-prod (already here), quantmods-website-prod (Phase 3)" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#F5F5F5;strokeColor=#888;align=left;fontSize=11;fontFamily=Courier New;fontStyle=2;" vertex="1" parent="oci-prod">
          <mxGeometry x="20" y="780" width="700" height="260" as="geometry" />
        </mxCell>

        <!-- ====================================================================
             EDGES — TRAFFIC FLOWS
        ===================================================================== -->

        <!-- Public users to CF -->
        <mxCell id="e-user-cf-mh" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#1E40AF;strokeWidth=2;" edge="1" parent="1" source="user-public" target="cf-mh">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>
        <mxCell id="e-user-cf-qm" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#1E40AF;strokeWidth=2;" edge="1" parent="1" source="user-public" target="cf-qm">
          <mxGeometry relative="1" as="geometry">
            <Array as="points">
              <mxPoint x="190" y="240" />
              <mxPoint x="1740" y="240" />
            </Array>
          </mxGeometry>
        </mxCell>

        <!-- Operator to CF Access -->
        <mxCell id="e-operator-cf" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#7C3AED;strokeWidth=2;dashed=1;" edge="1" parent="1" source="user-internal" target="cf-mh-access">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- Claude → GitHub & infra -->
        <mxCell id="e-claude-gh" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#FF6B00;strokeWidth=1;dashed=1;" edge="1" parent="1" source="user-claude" target="gh-repos">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- CF Access ← Google Workspace OIDC -->
        <mxCell id="e-cfaccess-gws" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#34A853;strokeWidth=2;dashed=1;" edge="1" parent="1" source="gws-oidc" target="cf-mh-access">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- CF Worker mgh-website → OCI bucket mgh-website-prod -->
        <mxCell id="e-mh-worker-bucket" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#C74634;strokeWidth=2;" edge="1" parent="1" source="cf-mh-worker" target="oci-prod-bucket">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- CF Pages → reads from GH mgh-docs -->
        <mxCell id="e-pages-gh" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#F38020;strokeWidth=2;dashed=1;" edge="1" parent="1" source="cf-mh-pages" target="gh-repos">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- CF Tunnel → VPS (cloudflared sidecar) -->
        <mxCell id="e-cf-tunnel-vps" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#F38020;strokeWidth=2;" edge="1" parent="1" source="cf-mh-tunnel" target="oci-dev-tunnel">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>
        <mxCell id="e-vps-cl-apps" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#666;strokeWidth=1;" edge="1" parent="1" source="oci-dev-tunnel" target="oci-dev-apps">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- CF Quantmods Worker → OCI quantmods bucket (gated) -->
        <mxCell id="e-qm-worker-bucket" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#C74634;strokeWidth=2;dashed=1;" edge="1" parent="1" source="cf-qm-worker" target="oci-dev-buckets">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- GitHub Actions → CF (Wrangler deploys) -->
        <mxCell id="e-gh-cf" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#666;strokeWidth=1;dashed=1;" edge="1" parent="1" source="gh-actions" target="cf-mh-worker">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- GitHub Actions → OCI buckets -->
        <mxCell id="e-gh-oci" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#666;strokeWidth=1;dashed=1;" edge="1" parent="1" source="gh-actions" target="oci-dev-buckets">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- VPS app → OCI Email Delivery (outbound) -->
        <mxCell id="e-vps-email" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#22C55E;strokeWidth=2;dashed=1;" edge="1" parent="1" source="oci-dev-apps" target="oci-prod-email">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- OCI Email Delivery → external (outbound) -->
        <mxCell id="e-email-out" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#22C55E;strokeWidth=2;dashed=1;" edge="1" parent="1" source="oci-prod-email" target="user-public">
          <mxGeometry relative="1" as="geometry">
            <Array as="points">
              <mxPoint x="2300" y="190" />
            </Array>
          </mxGeometry>
        </mxCell>

        <!-- External → CF Email Routing → operator -->
        <mxCell id="e-emailrouting-operator" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#22C55E;strokeWidth=2;dashed=1;" edge="1" parent="1" source="cf-mh-email" target="user-internal">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- CF Quantmods MX → Google Workspace -->
        <mxCell id="e-qm-dns-gws" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#34A853;strokeWidth=2;" edge="1" parent="1" source="cf-qm-dns" target="gws-alias">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- OCIR ← VPS (image pull) -->
        <mxCell id="e-vps-ocir" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#C74634;strokeWidth=1;dashed=1;" edge="1" parent="1" source="oci-dev-vps" target="oci-ocir">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>
        <!-- OCIR ← GitHub Actions (image push, future) -->
        <mxCell id="e-gh-ocir" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#666;strokeWidth=1;dashed=1;" edge="1" parent="1" source="gh-actions" target="oci-ocir">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- OCI IAM control flow: app-runtime IAM permits bucket access -->
        <mxCell id="e-iam-buckets" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#999;strokeWidth=1;dashed=1;startArrow=oval;startFill=1;" edge="1" parent="1" source="oci-dev-iam" target="oci-dev-buckets">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- Tofu state from infra repo -->
        <mxCell id="e-tofu-state" style="endArrow=classic;html=1;rounded=1;edgeStyle=orthogonalEdgeStyle;curved=0;jumpStyle=arc;jumpSize=12;strokeColor=#999;strokeWidth=1;dashed=1;" edge="1" parent="1" source="gh-actions" target="oci-dev-state">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>

        <!-- ====================================================================
             NOTES (annotation strip at bottom)
        ===================================================================== -->
        <mxCell id="notes" value="NOTES — read these before reasoning about traffic&#10;━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━&#10;1. Both CF zones live on the same account+token. Adding new zones = one cloudflare-dns module call per brand (parameterized via 'brand' var).&#10;2. Apex marnissi-holdings.com is served by CF Worker mgh-website binding the OCI bucket origin (ADR-0011). Apex DNS is OWNED by the Workers Custom Domain binding — do NOT add an A/CNAME record there.&#10;3. docs serves at https://mgh-docs.pages.dev (canonical URL — ADR-0014 revised 2026-06-06). docs.marnissi-holdings.com tunnel CNAME was removed; no custom domain binding on the Pages project. The Pages project auto-deploys from mgh-docs main on every push.&#10;4. quantmods.com inbound mail goes DIRECTLY to Google (5 ASPMX MX) — does NOT pass through CF Email Routing. The Workspace alias relationship means addresses @quantmods.com land in the same mailbox as @marnissi-holdings.com.&#10;5. Outbound transactional mail (for both brands) signs as 'no-reply@marnissi-holdings.com' via OCI Email Delivery. There is no OCI Email Delivery setup on the quantmods zone — operator decision for v1.&#10;6. The OCIR rename (2026-06-06) destroyed/recreated mgh-admin-backend/frontend repos cleanly because both had 0 images. Future renames require image evacuation first.&#10;7. GitFlow-lite (ADR-0015): 4 app repos have develop+main; infra/devops/mgh-docs/labs are main-only. Default branch is main for ALL repos. Promotion = PR develop→main.&#10;8. CI is centralized in devops/.github/workflows/ (ADR-0016). App-repo .github/workflows/ files are THIN CALLERS that 'uses:' the reusables. Cross-repo uses: works on GH Free for intra-org private-to-private (verify org Actions policy enabled)." style="rounded=1;whiteSpace=wrap;html=1;fillColor=#FAFAFA;strokeColor=#666;align=left;fontSize=11;fontFamily=Courier New;" vertex="1" parent="1">
          <mxGeometry x="40" y="3320" width="2320" height="260" as="geometry" />
        </mxCell>

      </root>
    </mxGraphModel>
  </diagram>
</mxfile>
