fix(Chunk2): reconcile PRD with live fleet state

- AdGuard Home: Replicated(2) → Replicated(1) (single instance on MK7)
- Portainer: Manager Constraint → Replicated(1) (deployed as replicated, not manager-only)
- Beszel Agent: Global → Pending (not yet deployed across workers)
- DNS Resolution: Added status table — Technitium deployed but *.ai.home zone not yet authoritative
- Swarm service count: 16 → 15 active + 1 pending

All changes mirrored to split files and master PRD.

05-network-architecture.md

@@ -22,11 +22,21 @@
 | Nextcloud (MK7) | PostgreSQL (MK7) | TCP | 5432 | DB traffic over Tailscale |
 
 ## DNS Resolution
-- **Technitium (MK7)** is the authoritative internal DNS for `*.ai.home`.
-- **AdGuard Home (MK7)** handles recursive resolution with ad-block lists. Replaces Pi-hole.
-- **Chain:** Client → Technitium (local record?) → AdGuard Home (recursive + blocklist) → Upstream (Cloudflare/Quad9)
-- **Tailscale MagicDNS** remains enabled as fallback. If Technitium fails, clients fall back to `100.x.x.x` direct resolution.
-- **AdGuard Home admin UI** runs on port 3000 by default (separate from Grafana if co-located).
+
+| Component | Status | Detail |
+|-----------|--------|--------|
+| **Technitium (MK7)** | ✅ Deployed | Container running, port 53/5380 open |
+| **`*.ai.home` zone** | ⏳ Pending | Not yet configured as authoritative — Tailscale MagicDNS currently handles name resolution |
+| **AdGuard Home (MK7)** | ✅ Active | Recursive resolver + blocklists on port 3000. Replaces Pi-hole. |
+
+**Planned Chain (not yet active):**
+```
+Client → Technitium (local record?) → AdGuard Home (recursive + blocklist) → Upstream (Cloudflare/Quad9)
+```
+
+**Current Fallback:** Tailscale MagicDNS provides `*.ai.home` resolution via Tailscale IP addresses. Technitium will assume authority once zone records are populated.
+
+- **AdGuard Home admin UI** runs on port 3000.
 
 ## Port Allocation (Reserved)
 | Port | Service |