diff --git a/.gitignore b/.gitignore index bc74216..ce5ef9f 100644 --- a/.gitignore +++ b/.gitignore @@ -52,3 +52,6 @@ *.bak *.tmp .DS_Store + +# generated at test runtime by tests/phase-00-maas-standup/make_fixtures.py +tests/phase-00-maas-standup/fix/ diff --git a/docs/D-057-REVIEW-ITEMS.md b/docs/D-057-REVIEW-ITEMS.md index c11ecd8..51ec889 100644 --- a/docs/D-057-REVIEW-ITEMS.md +++ b/docs/D-057-REVIEW-ITEMS.md @@ -27,7 +27,7 @@ - INTERIM GATE for the D-057 change: scripts/d057-bundle-check.py (focused, fail- closed, proven FAIL-on-pre / PASS-on-post). It checks only the D-057 invariants. - RECONCILE: either bring review-bundle.py forward to D-052/053/D-057 (rewrite - PHANTOM check, VIP check to triple + provider-vip 10.12.24, octets 50-60), or + PHANTOM check, VIP check to triple + provider-vip 10.12.8, octets 50-60), or restore/commit the newer verify_bundle.py and retire review-bundle.py. -------------------------------------------------------------------------------- diff --git a/docs/design-decisions.md b/docs/design-decisions.md index 6f87323..77f69bf 100644 --- a/docs/design-decisions.md +++ b/docs/design-decisions.md 
@@ -816,3 +816,43 @@ **Note on this log:** the D-052 entry above is left intact and still reads `fabric-data` -- that is the historical record of the original decision; this entry records the later rename (append-only discipline). + +## D-057: provider-vip plane -- separate tagged, routed plane for public API VIPs (2026-06-29) + +**Status:** DECIDED. Full record + D-003B amendment: `docs/D-057-DECIDED-append.md`. + +Root cause of the phase-06 FIP-unreachability blocker: API LXD containers bind `public` +to provider-public (untagged enp1s0); Juju bridges enp1s0 into a Linux bridge, starving +OVS `br-ex` so OVN's gateway ARP responder is dead. Fix: move the public API VIPs onto a +new tagged, routed plane `provider-vip` (VID 104 on the provider fabric), freeing untagged +enp1s0 for `br-ex`. FIPs stay on provider-public. This AMENDS D-003B (which co-located API +VIPs and FIPs on one L2): tenant->API is preserved via L3 routing, and it improves the +commercial hard-isolation posture (API VIPs out of the FIP broadcast domain). The durable +decision is the framework (a separate tagged/routed VIP plane); the specific subnet is set +by D-058 below. + +## D-058: full plane renumber -- clean fabric-grouped /22 scheme (2026-06-29) + +**Status:** DECIDED (operator). Full map, jumphost ordering trap, NetBox-apex note, and +the committed-foundation cascade: `docs/D-058-renumber.md`. Supersedes the D-057 minimal- +delta placement of provider-vip at 10.12.24.0/22; resolves R4 (oob). + +Cloud-wide re-IP for Roosevelt addressing fidelity (contiguous /22 blocks grouped by +fabric), executed as a teardown/redeploy (no in-place re-CIDR, no transient overlap). +Rotate: 8->12, 12->16, 16->20, 24->8, 64->60; 4/32/36 fixed. 
Result: + +| plane | CIDR | VLAN / fabric | gateway | +|---|---|---|---| +| provider-public | 10.12.4.0/22 | untagged / provider | 10.12.4.1 | +| provider-vip | 10.12.8.0/22 | VID 104 / provider | 10.12.8.1 | +| metal-admin | 10.12.12.0/22 | untagged / metal (PXE) | 10.12.12.1 | +| metal-internal | 10.12.16.0/22 | VID 103 / metal | none | +| data-tenant | 10.12.20.0/22 | untagged / data | none | +| storage | 10.12.32.0/22 | untagged / storage | none | +| replication | 10.12.36.0/22 | untagged / replication | none | +| oob | 10.12.60.0/22 | f_oob | 10.12.60.1 | + +VIP triple = provider-vip .8.5x / metal-admin .12.5x / metal-internal .16.5x (octets 50-60). +lib-net.sh + bundle.yaml carry D-058; the foundation scripts/runbooks are swept as each +phase is executed (living-draft discipline). NetBox apex (netbox/ipv4-prefixes-import.py) is +stale pre-D-052 and must be de-staled to D-052/053 before it can carry D-058.
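Review bot: In docs/D-057-REVIEW-ITEMS.md, the RECONCILE item now gives provider-vip as 10.12.8 but still says to bring review-bundle.py forward to "D-052/053/D-057". Per the D-058 entry added in docs/design-decisions.md, 10.12.8.0/22 is the D-058 placement, and the D-057 placement was 10.12.24.0/22. Add D-058 to that list so the VIP check is rewritten against the decision that actually sets the subnet. The same item names scripts/d057-bundle-check.py as the interim gate and this patch does not touch it; if that script asserts the provider-vip subnet, it needs the same update.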
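Review bot: In the D-058 entry of docs/design-decisions.md, the closing paragraph lets foundation scripts and runbooks be "swept as each phase is executed", but the rotation (8->12, 12->16, 16->20, 24->8) reuses third octets that were already assigned, so a stale reference does not fail, it lands on a different plane: an unswept 10.12.8.x that used to mean metal-admin now addresses provider-vip. Suggest recording a fail-closed check for pre-D-058 addresses that runs before each phase, in the spirit of scripts/d057-bundle-check.py, instead of relying on the sweep alone. Two smaller points: the D-057 entry claims a better hard-isolation posture while keeping tenant->API reachable over L3 routing, so it should say where traffic between provider-public and provider-vip is filtered, given the table gives provider-vip a gateway (10.12.8.1); and the oob row has only "f_oob" in the VLAN / fabric column, where every other row states tagged or untagged plus the fabric.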