docs(matrix): add Vultr provenance row (Forgejo+Vault) + scope DPIA gate correctly

- provenance table: add vultr-svc row (Forgejo + Vaultwarden, verified off-OVH
  but a shared-box SPOF) — the third provider now in the picture.
- DPIA gate: scope to automated decisions about individuals (Art. 35/22); the
  internal agent scheduler (routing to machines) does not trigger it.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sam & Claude 2026-06-20 10:38:16 +02:00
parent 40f119233b
commit 6f7fed3b50


@ -99,12 +99,13 @@ IDs, account numbers, billing addresses, or payment details. If a provider is in
an IP range, mark it `TBD` until the control panel or invoice confirms it. an IP range, mark it `TBD` until the control panel or invoice confirms it.
| Host / candidate | Provider | Plan / SKU | Region | Monthly cost | Billing cycle | Role paid for | Source / proof | Status / notes | | Host / candidate | Provider | Plan / SKU | Region | Monthly cost | Billing cycle | Role paid for | Source / proof | Status / notes |
| ---------------------------------- | ------------------------------------------------------------------ | ----------------------------------------- | ------ | ------------------------------------- | ------------- | -------------------------------------------------------- | ------------------------------------------------------------ | -------------------------------------------------------------------------------------------------- | | ------------------------------------- | ------------------------------------------------------------------ | ----------------------------------------- | --------------- | ------------------------------------- | ------------- | ------------------------------------------------------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| **osa** | TBD (verify; OVHcloud is suspected but not invoice-confirmed here) | TBD | TBD | TBD | TBD | always-on orchestrator + board + Hermes gateway | operator invoice/control panel needed | Existing always-on VPS; do not treat IP range as proof. | | **osa** | TBD (verify; OVHcloud is suspected but not invoice-confirmed here) | TBD | TBD | TBD | TBD | always-on orchestrator + board + Hermes gateway | operator invoice/control panel needed | Existing always-on VPS; do not treat IP range as proof. |
| **domedog** | TBD | TBD | TBD | TBD | TBD | Linux media/compute lane | operator invoice/control panel needed | Existing Linux VM; cost not tracked yet. | | **domedog** | TBD | TBD | TBD | TBD | TBD | Linux media/compute lane | operator invoice/control panel needed | Existing Linux VM; cost not tracked yet. |
| **debby** | self-owned laptop | — | local | utility/power TBD | — | intermittent secondary agent + soul backup | local device + utility rate if needed | Not an always-on hub; power cost only matters when left on. | | **debby** | self-owned laptop | — | local | utility/power TBD | — | intermittent secondary agent + soul backup | local device + utility rate if needed | Not an always-on hub; power cost only matters when left on. |
| **mother-build** (candidate) | proposed OVHcloud | TBD: Public Cloud hourly or Eco/dedicated | TBD | TBD | TBD | FreeBSD build host / poudriere / Rust+zot builds | OVH quote needed before purchase | Prefer on-demand if builds are infrequent; dedicated only if build demand justifies standing cost. | | **mother-build** (candidate) | proposed OVHcloud | TBD: Public Cloud hourly or Eco/dedicated | TBD | TBD | TBD | FreeBSD build host / poudriere / Rust+zot builds | OVH quote needed before purchase | Prefer on-demand if builds are infrequent; dedicated only if build demand justifies standing cost. |
| **ML350p Gen8** (candidate/retire) | self-hosted hardware | owned hardware | local | ~€5363/mo @ 460 W high-load estimate | utility bill | multitenant/build candidate; fallback if TCO beats cloud | GEN-I + URO tariff research; fan/PSU label, not wall-metered | Use as planning band only; measure wall draw before committing tenants. | | **ML350p Gen8** (candidate/retire) | self-hosted hardware | owned hardware | local | ~€5363/mo @ 460 W high-load estimate | utility bill | multitenant/build candidate; fallback if TCO beats cloud | GEN-I + URO tariff research; fan/PSU label, not wall-metered | Use as planning band only; measure wall draw before committing tenants. |
| **vultr-svc** (Forgejo + Vaultwarden) | Vultr | TBD | TBD (verify EU) | TBD | TBD | git mirror (layered-soul + hermes-soul) + Vaultwarden secrets store | DNS code/vault.smilepowered.org → Vultr (verified 2026-06-20); invoice needed | Off-OVH backup target (good) BUT Forgejo + Vault share one box → SPOF for backups AND secrets; needs own off-box backup + EU-region verify + MFA |
Cost discipline mirrors disk discipline: measure before action. For self-hosted hardware, Cost discipline mirrors disk discipline: measure before action. For self-hosted hardware,
calculate monthly power with `watts / 1000 * 24 * 30 * €/kWh` using measured idle/load calculate monthly power with `watts / 1000 * 24 * 30 * €/kWh` using measured idle/load
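Review bot: the new `vultr-svc` row breaks the rule stated two lines above the table ("If a provider is in an IP range, mark it `TBD` until the control panel or invoice confirms it"): its Provider cell reads `Vultr` while the Source / proof cell admits the only evidence is DNS resolution ("DNS code/vault.smilepowered.org → Vultr ... invoice needed"). DNS-to-IP attribution is the same class of evidence the rule rejects. Follow the `osa` row's convention and write the cell as `TBD (verify; Vultr suspected via DNS, not invoice-confirmed)`, keeping the DNS check in Source / proof. Separately, the Status / notes cell packs three open actions (own off-box backup, EU-region verification, MFA) into one sentence; since this table is meant to be scanned for what is still unconfirmed, consider listing them the way the other rows keep one follow-up per cell, or moving the three items into the compliance checklist below so they are tracked as tickable items rather than buried in a note.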
@ -222,7 +223,7 @@ _See [`../AGENTS.md`](../AGENTS.md) for the canonical agent matrix and operating
These switch on when the hive goes multi-tenant. None block current internal use: These switch on when the hive goes multi-tenant. None block current internal use:
- [ ] GDPR controller docs (privacy notice, legal basis for processing, ROPA) - [ ] GDPR controller docs (privacy notice, legal basis for processing, ROPA)
- [ ] DPIA for AI auto-decisions (Art. 35 — automated agent task assignment) - [ ] DPIA only if agents make automated decisions about _individuals_ with legal/significant effect (GDPR Art. 35/22) — the internal agent task scheduler (routing work to machines) does **not** trigger this
- [ ] Pass OVH terms down to customers (GTS §10.6 — sub-licensing) - [ ] Pass OVH terms down to customers (GTS §10.6 — sub-licensing)
- [ ] Third-party / "AAA" professional indemnity insurance (§10.6) - [ ] Third-party / "AAA" professional indemnity insurance (§10.6)
- [ ] Customer sanctions screening (GTS §14.3 — denied parties / export controls) - [ ] Customer sanctions screening (GTS §14.3 — denied parties / export controls)
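Review bot: the rewritten DPIA item turns a checkbox into a conditional, but it states only why the current scheduler is out of scope, not what would bring it back in. The exemption as written holds because the scheduler routes work to machines; the same line should name the re-evaluation trigger so the checkbox is not silently left unchecked once the hive is multi-tenant, for example: "re-assess if routing, prioritisation or refusal of tasks starts to depend on data about a customer or end user (GDPR Art. 22 / Art. 35(3)(a))". Also, the reference `Art. 35/22` is unusual ordering; `Art. 22 / Art. 35` (or `Art. 35(3)(a)`, which is the systematic-evaluation trigger that covers automated decisions) reads more clearly to anyone checking the citation.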