chore: updated ip allocation according to current state

.github/skills/network/SKILL.md

@@ -133,19 +133,19 @@ The network module automatically derives a PE pool from all subnets whose name s
 - **Explicit `pe_subnet_key` in tenant config** (`var.tenants[key].pe_subnet_key`) — **ALWAYS set**, validated at plan time
 - Resolution is strict: invalid/missing key in the shared PE pool fails at plan time (no silent fallback)
 
-Each tenant creates up to 5 PEs (Key Vault, AI Search, Cosmos DB, Document Intelligence, Speech Services). All PEs for a tenant land on the **same** subnet ("tenant affinity"). Storage Account has no PE (public access in Landing Zone).
+Each tenant creates up to 5 PEs but 6 IPs total (Cosmos DB PE = 2 IPs: sql global + canadacentral regional endpoint). All PEs for a tenant land on the **same** subnet ("tenant affinity"). Storage Account has no PE (public access in Landing Zone).
 
-Shared stack PEs (AI Foundry Hub, Language Service, Hub Key Vault) always use the primary `privateendpoints-subnet` (~4-5 PEs).
+Shared stack PEs always use the primary `privateendpoints-subnet` — consuming exactly **5 IPs**: AI Foundry Hub PE (3 IPs: cognitiveservices, openai, services.ai sub-resources), Language Service PE (1 IP), Hub Key Vault PE (1 IP).
 
 ### PE Subnet Assignment Strategy
 
 **Principle: assign-on-first-deploy, sticky forever.** Changing `pe_subnet_key` after deployment destroys and recreates **all 5 tenant PEs** (service disruption + DNS re-propagation).
 
 **Capacity math:**
 - Each `/24` PE subnet holds ~251 usable IPs (Azure reserves 5)
-- Each tenant consumes up to 5 PE IPs → ~50 tenants per `/24` subnet
-- Shared stack consumes ~5 PEs on primary subnet (reducing tenant capacity to ~49 on primary)
-- Prod has 3 PE subnets → theoretical max ~148 tenants
+- Each tenant consumes up to 6 PE IPs (Cosmos DB = 2) → ~41 tenants per `/24` subnet
+- Shared stack consumes exactly 5 IPs on primary subnet: Foundry Hub 3 IPs (AIServices kind exposes cognitiveservices + openai + services.ai) + Language Service 1 IP + Hub KV 1 IP → reduces tenant capacity to ~41 on primary (246 ÷ 6)
+- Prod has 3 PE subnets → theoretical max ~123 tenants
 
 **Assignment rules for new tenants:**
 1. Check current PE count per subnet (Azure Portal → subnet → Connected devices, or `az network vnet subnet show`)

docs/_pages/diagrams.html

@@ -402,7 +402,7 @@ <h4>What's Included / Not</h4>
         </div>
         <div class="diagram-card-info">
             <h4>IP Budget Breakdown</h4>
-            <p>Detailed IP allocation: base infrastructure, per-tenant consumption, 50 IP calculation</p>
+            <p>Detailed IP allocation: base infrastructure, per-tenant consumption (~6 IPs each), capacity math (~41 tenants per /24 PE subnet)</p>
         </div>
     </div>
 </div>
@@ -424,7 +424,7 @@ <h4>Networking Architecture (Detailed)</h4>
         </div>
         <div class="diagram-card-info">
             <h4>Network Environments</h4>
-            <p>All 4 VNets (prod, test, dev, tools) with subnet allocations and NSG rules</p>
+            <p>3 VNets (prod, test, dev) with subnet allocations and NSG rules</p>
         </div>
     </div>
     <div class="diagram-card" onclick="loadDiagram('network-arch', this)">
@@ -646,7 +646,7 @@ <h3 style="margin-top: 0;">Network Architecture</h3>
         <h3 style="margin-top: 0;">Network Environments</h3>
         <p>Complete environment layout:</p>
         <ul style="margin-bottom: 0;">
-            <li>All 4 VNets (da4cf6-prod/test/dev/tools)</li>
+            <li>3 VNets (da4cf6-prod/test/dev) — tools VNet is a separate peered spoke (CI/CD only, not in this allocation)</li>
             <li>Subnet allocations per environment</li>
             <li>Canada Central (prod) vs Canada East (non-prod)</li>
             <li>Client connectivity via App Gateway + APIM</li>