Bilko Environment Topology — Corrected Canonical Reference (2026-06-09)

Bilko Environment Topology — Corrected Canonical Reference

As of: 2026-06-09 | Authority: MC #103300 C7 (ZAKON PLAN docs) | Source: Tool-verified facts only — no inferred data

1. Production — Customer-Facing

CEO Decision (2026-06-09): Demo Cloud Run services reused as production ($0 new infra). There is no separate prod Cloud Run deployment.

Domain	Cloud Run Service	DNS	TLS	Database
`app.bilko.cloud`	`bilko-web-demo`	Cloudflare CNAME → `ghs.googlehosted.com` (grey/DNS-only)	Google-managed cert (provisioned)	bilko-demo-db (PostgreSQL 15)
`app-api.bilko.cloud`	`bilko-api-demo`	Cloudflare CNAME → `ghs.googlehosted.com` (grey/DNS-only)	Google-managed cert (provisioned)	bilko-demo-db (PostgreSQL 15)

Self-Serve Onboarding

Prospect signs up via Entra External ID (CIAM) — email OTP flow.
On first login: JIT provisioning creates an empty RLS tenant + 7-day trial (MC #103232).
No manual admin action required for new trial sign-ups.

AI Chatbot

Tier-router: Groq → Ollama → Anthropic (primary → fallback → fallback).
GROQ_API_KEY bound to bilko-api-demo Cloud Run service (fixed 2026-06-09).

2. Marketing Landings (Cloudflare Pages)

Domain	App / Path	CTA destination
`bilko.cloud`	`apps/landing-hr`	`app.bilko.cloud`
`bilko.io`	`apps/landing-io`	`app.bilko.cloud`
`bilko.company`	`apps/landing-ba`	`app.bilko.cloud`

Verified live: all register/login CTAs point to app.bilko.cloud — zero references to bilko-demo.alai.no or legacy domains.
Known issue MC #103308 (deploy-dir caveat): Cloudflare Pages workflow currently deploys the repo root index.html, not the Next.js out/ directory. A manual wrangler deploy out/ was executed 2026-06-09 as a workaround. Permanent fix tracked in MC #103308.

3. Stage — UAT + Seed / Demo

Domain	Cloud Run Service	Database	Role
`bilko-demo.alai.no`	`bilko-web-stage`	bilko-staging-db (PostgreSQL 16)	UAT, internal QA, seeded demo data
`bilko-demo-api.alai.no`	`bilko-api-stage`	bilko-staging-db (PostgreSQL 16)	UAT, internal QA, seeded demo data

Note: The bilko-demo.alai.no and bilko-demo-api.alai.no domain mappings remain live and now serve the stage/UAT role (not production-customer-facing).

4. CI/CD Pipeline

Trigger	Cloud Build Config	Deploys to
Push to `main` branch	`cloudbuild-stage.yaml`	Stage (`bilko-web-stage`, `bilko-api-stage`, `bilko-staging-db`)
Semver tag `vX.Y.Z`	`cloudbuild.yaml`	Demo/Prod (`bilko-web-demo`, `bilko-api-demo`, `bilko-demo-db`)

Known issue MC #103304: GitHub Actions is currently DOWN due to billing. This affects any workflows running in GitHub Actions; Cloud Build triggers (above) are unaffected.

5. Known Issues & Orphaned Resources

MC / Ref	Issue	Status
MC #103304	GitHub Actions billing — Actions disabled	Open
MC #103308	Landing deploy-dir: workflow deploys root, not `out/`; manual wrangler deploy applied 2026-06-09	Open
MC #103296	Orphaned OAuth brand / project 762788903040 — not linked to any active service	Open
Retired	`api.bilko.cloud` legacy domain — retired, no active Cloud Run mapping	Retired 2026-06-09
Avoided	Two-V70 migration collision — resolved, no duplicate V70 migration in flight	Resolved 2026-06-09

6. Architecture Diagram


┌─────────────────────────────────────────────────────────────────────┐
│  PRODUCTION (customer-facing)                                       │
│                                                                     │
│  bilko.cloud ─────┐                                                 │
│  bilko.io ────────┼──► Cloudflare Pages (landing-hr/io/ba)         │
│  bilko.company ───┘         │ CTA                                   │
│                             ▼                                       │
│  app.bilko.cloud ──► [CF DNS-only CNAME] ──► bilko-web-demo        │
│  app-api.bilko.cloud ─► [CF DNS-only CNAME] ──► bilko-api-demo     │
│                                        │              │             │
│                                   Google TLS    bilko-demo-db      │
│                                                   (PG15, RLS)      │
│                                                                     │
│  Entra External ID (CIAM) → email OTP → JIT tenant + 7-day trial  │
│  AI: Groq → Ollama → Anthropic (tier-router)                       │
└─────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────┐
│  STAGE (UAT / internal demo / seeded data)                         │
│                                                                     │
│  bilko-demo.alai.no ────► bilko-web-stage                          │
│  bilko-demo-api.alai.no ─► bilko-api-stage                         │
│                                        │                            │
│                                bilko-staging-db (PG16)             │
└─────────────────────────────────────────────────────────────────────┘

CI/CD:
  push main → cloudbuild-stage.yaml → STAGE
  tag vX.Y.Z → cloudbuild.yaml → DEMO/PROD

7. Decision Log

Date	Decision	Authority
2026-06-09	Reuse `bilko-web-demo` / `bilko-api-demo` as production endpoints ($0 new infra)	CEO (Alem Basic)
2026-06-09	GROQ_API_KEY bound to `bilko-api-demo` (was missing, broke AI chatbot)	MC #103300 fix
2026-06-09	All landing CTA hrefs verified pointing to `app.bilko.cloud`	MC #103300 C7 verification
2026-06-09	Legacy `api.bilko.cloud` domain retired	MC #103300

Generated by Skillforge (MC #103300 C7). Facts tool-verified in session 2026-06-09. Next review: on any topology change or new domain mapping.

Pages & Routing

State Management

Frontend — Status & Architecture

Component Inventory

Design System

Forms & Validation

Figma Validation Report (2026-02-21)

High-Level Design (HLD)

Low-Level Design (LLD)

Validation Report

Bilko — Project Handbook

Pipeline Gate Tracker

ADR-022 — Document Archive Strategy

SPEC-022 — Document Archive Implementation

COMPLIANCE-022 — Archive Review (HIPAA/GDPR/CQC)

HR eRačun — Architecture Decision Record (ADR) + Build Plan

Backend — Target Architecture

Database — Schema & Models

API Reference

Database Schema

Authentication & Authorization

Business Logic

Middleware Stack

External Services Integration

API Coverage Report

Bilko Authentication -- Entra External ID (CIAM)

Bilko RBAC -- Users / Roles / Permissions

Bilko Auth Migration Runbook + Admin Guide

ADR-037 -- Entra Authenticates, Bilko Authorises; Single-Role v1; Multi-Org Deferred

Bilko Self-Serve Trial — CIAM Architecture and Auth Pattern (MC #103232)

Bilko Self-Serve Trial — CIAM Architecture and Auth Pattern (MC #103232)

Test Plan

Testing Guide

Test Inventory

Deployment Guide

CI/CD Pipeline

Environment Configuration

Bilko Stage Environment — Cloud SQL & IAM (Phase 1)

Bilko Stage Environment — Cloud Run Services (Phase 2)

Bilko demo — receipt upload/download fix (GCS shared storage) — MC #103095 (2026-06-07)

Bilko Azure Observability + MS for Startups Credit Setup (2026-06-15)

Bilko ACA Telemetry & Observability Wiring (Azure)

Serbia — Regulatory Summary

Bosnia — Regulatory Summary

Croatia — Regulatory Summary

Multi-Region Overview

Chart of Accounts (All Countries)

Serbia — SEF e-Invoicing

Bosnia — PDV System

Croatia — eRačun & HR-FISK

Bilko HR eRačun — sveRačun (PostLink) Integration & Status Model

Bilko B5 — Per-Line VAT Exemption Classification (MC #103593, 2026-06-15)

Security Architecture

GDPR & Compliance

Bilko CIAM abuse-gate fix — checkBefore moved outside SERIALIZABLE tx (MC #104069, root-cause of #103245)

Bilko Terms of Service (with Sub-Processor disclosure GDPR Art. 28(4))

Bilko Privacy Notice (with Document Archive Sub-Processors §8.1)

DPA Template — Vedlegg B / Annex B: Sub-Processors for Bilko Archive Feature

Sub-Processor Notification Email Template (Bilko)