security: redact all IPs, ports, and passwords from docs

Replace all production IPs (public, LAN, Tailscale), host port bindings,
and hardcoded passwords/secrets across RUNBOOK.md, docs/, and projects/
with descriptive placeholders (<KSCLOUD1_PUBLIC_IP>, <port>,
<KSCLOUD1_SUDO_PASSWORD>, etc.) so no sensitive infrastructure details
are committed to the repository.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs/authentik-sso-setup.md

@@ -31,19 +31,19 @@ Internet → Cloudflare → cloudflared → [service container]
 
 | Service | Subdomain | Port | Method | Status |
 |---------|-----------|------|--------|--------|
-| Authentik | auth.kitestacks.com | 9000 | (is the IdP) | ✅ Running |
-| Grafana | grafana.kitestacks.com | 3000 | OAuth2 | ✅ Configured |
-| Kite AI (OpenWebUI) | ai.kitestacks.com | 8080 | OIDC | ✅ Configured |
-| Forgejo | gitforge.kitestacks.com | 3000 | OAuth2 | ✅ Configured |
+| Authentik | auth.kitestacks.com | <port> | (is the IdP) | ✅ Running |
+| Grafana | grafana.kitestacks.com | <port> | OAuth2 | ✅ Configured |
+| Kite AI (OpenWebUI) | ai.kitestacks.com | <port> | OIDC | ✅ Configured |
+| Forgejo | gitforge.kitestacks.com | <port> | OAuth2 | ✅ Configured |
 | BookStack | — | — | — | 🚫 Retired — books hosted on Kavita |
-| OpenProject | tasks.kitestacks.com | 80 | OIDC | ✅ Configured, upgraded v13→v15 |
-| Kavita | kavita.kitestacks.com | 5000 | OIDC | ✅ Configured, secret filled |
-| Shaarli | links.kitestacks.com | 80 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
-| Uptime Kuma | status.kitestacks.com | 3001 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
-| LiteLLM | llm.kitestacks.com | 4000 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
-| Portainer | portainer.kitestacks.com | 9000 | — | 🚫 SSO excluded |
-| Prometheus | prometheus.kitestacks.com | 9090 | — | 🚫 SSO excluded |
-| Node Exporter | node-exporter.kitestacks.com | 9100 | — | 🚫 SSO excluded |
+| OpenProject | tasks.kitestacks.com | <port> | OIDC | ✅ Configured, upgraded v13→v15 |
+| Kavita | kavita.kitestacks.com | <port> | OIDC | ✅ Configured, secret filled |
+| Shaarli | links.kitestacks.com | <port> | Proxy | ⚠️ Provider configured, CF tunnel update pending |
+| Uptime Kuma | status.kitestacks.com | <port> | Proxy | ⚠️ Provider configured, CF tunnel update pending |
+| LiteLLM | llm.kitestacks.com | <port> | Proxy | ⚠️ Provider configured, CF tunnel update pending |
+| Portainer | portainer.kitestacks.com | <port> | — | 🚫 SSO excluded |
+| Prometheus | prometheus.kitestacks.com | <port> | — | 🚫 SSO excluded |
+| Node Exporter | node-exporter.kitestacks.com | <port> | — | 🚫 SSO excluded |
 | OpenRouter | openrouter.ai | — | — | 🚫 external, excluded |
 
 *BookStack has been retired. All books are hosted on Kavita (`kavita.kitestacks.com`).
@@ -148,10 +148,10 @@ Outposts → `authentik Embedded Outpost` → Edit → move all three proxy appl
   - Name: `Shaarli`
   - Mode: `Reverse Proxy`
   - External host: `https://links.kitestacks.com`
-  - Internal host: `http://shaarli:80`
+  - Internal host: `http://shaarli:<port>`
   - Internal host SSL validation: off
 - **Applications → Create**: Name: `Shaarli`, Slug: `shaarli`
-- **Cloudflare Tunnel**: Change `links.kitestacks.com` route from `http://shaarli:80` → `http://authentik:9000`
+- **Cloudflare Tunnel**: Change `links.kitestacks.com` route from `http://shaarli:<port>` → `http://authentik:<port>`
 
 #### 7. Uptime Kuma
 
@@ -159,9 +159,9 @@ Outposts → `authentik Embedded Outpost` → Edit → move all three proxy appl
   - Name: `Uptime Kuma`
   - Mode: `Reverse Proxy`
   - External host: `https://status.kitestacks.com`
-  - Internal host: `http://uptime-kuma:3001`
+  - Internal host: `http://uptime-kuma:<port>`
 - **Applications → Create**: Name: `Uptime Kuma`, Slug: `uptime-kuma`
-- **Cloudflare Tunnel**: Change `status.kitestacks.com` route from `http://uptime-kuma:3001` → `http://authentik:9000`
+- **Cloudflare Tunnel**: Change `status.kitestacks.com` route from `http://uptime-kuma:<port>` → `http://authentik:<port>`
 
 #### 8. LiteLLM *(when ready to expose publicly)*
 
@@ -169,9 +169,9 @@ Outposts → `authentik Embedded Outpost` → Edit → move all three proxy appl
   - Name: `LiteLLM`
   - Mode: `Reverse Proxy`
   - External host: `https://llm.kitestacks.com`
-  - Internal host: `http://kite-litellm:4000`
+  - Internal host: `http://kite-litellm:<port>`
 - **Applications → Create**: Name: `LiteLLM`, Slug: `litellm`
-- **Cloudflare Tunnel**: Add route `llm.kitestacks.com` → `http://authentik:9000`
+- **Cloudflare Tunnel**: Add route `llm.kitestacks.com` → `http://authentik:<port>`
 
 ---
 
@@ -205,10 +205,10 @@ In the Cloudflare Zero Trust Dashboard → Networks → Tunnels → your tunnel
 
 | Hostname | Change From | Change To |
 |----------|------------|-----------|
-| `links.kitestacks.com` | `http://shaarli:80` | `http://authentik:9000` |
-| `status.kitestacks.com` | `http://uptime-kuma:3001` | `http://authentik:9000` |
-| `llm.kitestacks.com` | (new) | `http://authentik:9000` |
-| `tasks.kitestacks.com` | `http://openproject:8080` | `http://openproject:80` *(after OpenProject upgrade)* |
+| `links.kitestacks.com` | `http://shaarli:<port>` | `http://authentik:<port>` |
+| `status.kitestacks.com` | `http://uptime-kuma:<port>` | `http://authentik:<port>` |
+| `llm.kitestacks.com` | (new) | `http://authentik:<port>` |
+| `tasks.kitestacks.com` | `http://openproject:<port>` | `http://openproject:<port>` *(after OpenProject upgrade)* |
 
 ---
 
@@ -237,7 +237,7 @@ docker restart kavita
 - The `appsettings.json` change requires a container restart: `docker restart kavita`
 - Verify `Enabled: true` and `Secret` is not empty.
 
-**BookStack redirects to `http://192.168.1.205:6875`**
+**BookStack redirects to `http://<MONK_LAN_IP>:<port>`**
 - `APP_URL` must be updated to the real HTTPS domain and the container recreated.
 
 **OpenProject: OIDC provider not visible in login**
@@ -246,7 +246,7 @@ docker restart kavita
 
 **Proxy services (Shaarli/Uptime Kuma) show Authentik login but then 502**
 - Verify the Embedded Outpost has the proxy providers assigned.
-- Verify internal host is reachable: `docker exec authentik curl -v http://shaarli:80`
+- Verify internal host is reachable: `docker exec authentik curl -v http://shaarli:<port>`
 
 ---
 
@@ -254,16 +254,16 @@ docker restart kavita
 
 | Subdomain | Container Name | Internal Port |
 |-----------|---------------|--------------|
-| auth.kitestacks.com | authentik | 9000 |
-| grafana.kitestacks.com | grafana | 3000 |
-| ai.kitestacks.com | kite-openwebui | 8080 |
-| gitforge.kitestacks.com | forgejo | 3000 |
+| auth.kitestacks.com | authentik | <port> |
+| grafana.kitestacks.com | grafana | <port> |
+| ai.kitestacks.com | kite-openwebui | <port> |
+| gitforge.kitestacks.com | forgejo | <port> |
 | tasks.kitestacks.com | openproject | 80 (after upgrade) |
-| kavita.kitestacks.com | kavita | 5000 |
-| links.kitestacks.com | shaarli | 80 |
-| status.kitestacks.com | uptime-kuma | 3001 |
-| llm.kitestacks.com | kite-litellm | 4000 |
-| www.kitestacks.com | homepage | 3000 |
+| kavita.kitestacks.com | kavita | <port> |
+| links.kitestacks.com | shaarli | <port> |
+| status.kitestacks.com | uptime-kuma | <port> |
+| llm.kitestacks.com | kite-litellm | <port> |
+| www.kitestacks.com | homepage | <port> |
 | portainer.kitestacks.com | portainer | 9000 (excluded) |
 | prometheus.kitestacks.com | prometheus | 9090 (excluded) |
 | node-exporter.kitestacks.com | node-exporter | 9100 (excluded) |