diff --git a/SCRATCH/hardcoded-ips-agent.md b/SCRATCH/hardcoded-ips-agent.md
new file mode 100644
index 0000000..bcf1d06
--- /dev/null
+++ b/SCRATCH/hardcoded-ips-agent.md
@@ -0,0 +1,30 @@
+# Hardcoded IPs in zlh-agent — Need to Fix
+
+## Artifact server IP (10.60.0.251:8080) — ACTION REQUIRED
+
+| File | Type | Fix |
+|------|------|-----|
+| internal/update/update.go:23 | **Compiled constant** | Code change + recompile required |
+| internal/provision/common.go:35 | Fallback | Set ZLH_ARTIFACT_BASE_URL env var |
+| internal/provcommon/common.go:59 | Fallback | Set ZLH_ARTIFACT_BASE_URL env var |
+| scripts/devcontainer/lib/common.sh:16 | Default | Set ZLH_ARTIFACT_BASE_URL env var |
+| scripts/devcontainer/dotnet/install.sh:10 | Default | Set ZLH_ARTIFACT_BASE_URL env var |
+| scripts/addons/codeserver/install.sh:10 | Default | Set ZLH_ARTIFACT_BASE_URL env var |
+
+## Action items
+
+1. **Fix update.go:23** — change the hardcoded constant to read from an env var or config file
+   - This requires a code change and recompile
+   - New binary needs to be pushed to zlh-artifacts before deploying to containers
+
+2. **Set ZLH_ARTIFACT_BASE_URL** — all other references will follow this env var
+   - Set to new artifacts IP once DHCP is locked down
+
+## Localhost entries (safe — no changes needed)
+- 127.0.0.1 in readiness.go, agent.go, update.go — internal health checks, fine
+- 0.0.0.0 in codeserver install.sh + verify.go — bind address, fine
+
+## Notes
+- Until update.go is fixed, agent self-updates will try to reach old artifacts IP
+- All new container provisioning uses ZLH_ARTIFACT_BASE_URL so that's fine once env is set
+- Prioritize the update.go fix before deploying agent to production containers on new host