From 5957e49a5784cb91021c07ea66b8f1fd56ae8c8a Mon Sep 17 00:00:00 2001
From: jester <admin@zerolaghub.com>
Date: Sun, 28 Dec 2025 00:32:50 +0000
Subject: [PATCH] Add backend/infrastructure threads before frontend work

---
 OPEN_THREADS.md | 56 +++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 52 insertions(+), 4 deletions(-)

diff --git a/OPEN_THREADS.md b/OPEN_THREADS.md
index 95ad029..0a0ee5b 100644
--- a/OPEN_THREADS.md
+++ b/OPEN_THREADS.md
@@ -1,18 +1,66 @@
-# Open Threads – ZLH Frontend
+# Open Threads – zlh-grind
 
-## Active
+This file tracks items that are unresolved, under investigation, or explicitly deferred.
+
+---
+
+## Backend/Infrastructure Threads
+
+### Bastion public SSH access (BLOCKER)
+- **Status:** ACTIVE - blocking external user access
+- Public SSH to `zlh-bastion.zerolaghub.dev` fails with `kex_exchange_identification: Connection closed`
+- TCP connection succeeds but SSH handshake never proceeds
+- Internal SSH works perfectly; issue is specific to WAN→bastion path
+- Action required:
+  - tcpdump on bastion during external connection
+  - OPNsense live log during attempt
+  - Verify NAT reaching bastion sshd vs upstream termination
+  - Check for ISP/modem interference
+
+### zlh-cli bastion mode fixes
+- **Status:** OPEN - built and deployed, but has bugs
+- When running ON bastion, CLI incorrectly tries to jump via public hostname
+- Should use localhost/direct connection when already on bastion
+- User/host targeting logic needs correction (was targeting bastion instead of dev container)
+- Goal: clean UX like `zlh ssh 6038` instead of full jump command
+
+### Agent SSH provisioning automation
+- **Status:** OPEN - manual workaround confirmed, needs agent integration
+- Requirements:
+  - Install and enable sshd in new containers
+  - Generate SSH host keys if missing (add to bootstrap/common.sh)
+  - Create `devuser` with sudo access
+  - Configure authorized_keys for key-based auth (if applicable)
+- Currently working internally via manual setup; needs to be automatic
+
+### Devcontainer runtime provisioning
+- **Status:** RESOLVED (design-level), agent patch pending
+- Root cause: agent not concatenating scripts or exporting env vars
+- Fix: concatenate `common.sh` + runtime installer into single bash invocation
+- Deferred to agent implementation
+
+### Version-aware markers for devcontainer runtimes
+- **Status:** DEFERRED
+- Current marker logic does not distinguish between installed runtime versions
+- Consider writing version metadata to marker file for clean upgrades
+
+---
+
+## Frontend Threads
+
+### Active
 - UI refinement: remove gimmick effects, simplify styling
 - New logo direction: Celtic-tech / sigil-based ZLH mark
 - Terminal scaffolding (frontend only)
 - WebSocket contract definition (pending backend)
 
-## Pending
+### Pending
 - systemd service for frontend
 - Auth flow finalization
 - Public vs dashboard styling split
 - Final decision on Z vs ZLH mark usage
 
-## Explicitly Closed
+### Explicitly Closed
 - PM2 usage
 - React Router
 - HUD/scanline UI experiments