The calls that constrain everything else:
- No Tailscale in the worker fleet — workers reach prod only via public HTTPS.
- No competitor comms from the main box — all scraping off-box; writeback via the ingest API; off-box never writes prod DB directly.
- Everything central — every fleet/worker op controllable from the admin; needing to touch a box is a gap to build away.
- Dedicated 2-VM hosting — VM1 site+DB / VM2 routing+ingestion, private bridge, no Tailscale in the end state.
This is an outline: each call above should become its own ADR page (context / decision / consequences).