flowchart TB
    subgraph TAILSCALE["🛡️ Tailscale Overlay — Tailscale Inc. (Admin/Management)"]
        direction TB
        TSCOORD["Tailscale Coordination Server<br/>(proprietary SaaS)"]
        TSART["🤖 Artemis (AI Foreman)<br/>100.100.97.18"]
        TSM44["🔧 Mark44 (Ollama)<br/>100.75.26.83"]
        TSM5["📚 Mark5 (Research)<br/>100.118.67.105"]
        TSM7["⚡ MK7 Swarm Manager<br/>100.66.70.51"]
    end

    subgraph NETBIRD["🕊️ NetBird Overlay — WireTrustee SA (User-facing)"]
        direction TB
        NBCOORD["NetBird Coordination Server<br/>(cloud or self-hosted)"]
        NBNEO["🖥️ Neo (Nebuchadnezzar)<br/>100.92.224.74"]
        NBNC["☁️ Nextcloud AIO"]
        NBVW["🔐 Vaultwarden"]
        NBDOCK["🐳 Dockhand"]
        NBTRIL["📝 Trilium Notes"]
    end

    subgraph LAN["🏠 LAN Backbone — Beryl Router (OpenWrt)"]
        direction TB
        BERYL["🌐 Beryl 7<br/>Gateway + DHCP<br/>192.168.0.0/18"]
        MK7LAN["⚡ MK7<br/>Traefik | Technitium | Prometheus<br/>Beszel Hub | Portainer CE | Dozzle | Homepage<br/>192.168.7.7"]
        WORKERS["🔩 MK33 / MK34 / MK39 / MK42<br/>Swarm Workers (G9 nodes)<br/>192.168.0.x"]
    end

    %% Tailscale connections
    TSCOORD ---|"admin mesh<br/>WireGuard tunnel"| TSART
    TSCOORD ---|"admin mesh"| TSM44
    TSCOORD ---|"admin mesh"| TSM5
    TSCOORD ---|"admin mesh"| TSM7

    %% NetBird connections
    NBCOORD ---|"user mesh<br/>WireGuard tunnel"| NBNEO
    NBNEO ---|"Docker Compose"| NBNC
    NBNEO ---|"Docker Compose"| NBVW
    NBNEO ---|"Docker Compose"| NBDOCK
    NBNEO ---|"Docker Compose"| NBTRIL

    %% LAN connections
    BERYL -.->|"DHCP lease"| MK7LAN
    BERYL -.->|"DHCP lease"| WORKERS
    MK7LAN ---|"swarm overlay"| WORKERS

    %% Cross-plane: management SSH from Tailscale to LAN
    TSM7 --"SSH mgmt"--> MK7LAN
    TSART --"SSH mgmt"--> MK7LAN

    %% Isolation boundaries
    NBNEO -.-x|"🔒 ISOLATED<br/>no route"| LAN
    TSART -.-x|"🔒 ISOLATED<br/>no route"| NBNEO
    TSM7 -.-x|"🔒 ISOLATED<br/>no route"| NBNEO