Air-Lock
The live-fire range and the practice forks are sealed off — no direct line reaches them. The Air-Lock is the one way in: a single controlled gateway through which a person can open an interactive session against an isolated target, and nothing else can. It’s a gate, not a product — a posture assembled from three pieces that each sit at their own depth in Software and only re-cohere as “the gate” here.
Traefik routes the request to the boundary; Authentik stands in front as a forward-auth wall, proving who you are before anything opens; and Guacamole brokers the remote session itself, so an operator reaches the target through the gate rather than across a direct connection. Remove any one of the three and the path either closes or stops being safe. The network route it rides is in Wire › Mesh; the isolation it exists to protect is in Ground › Zones.