docs: close DDoS investigation, document GTHost decision, update infra notes

jester 2026-03-28 18:53:14 +00:00
parent d7afd9a9b3
commit 91f3b15992


@ -105,8 +105,6 @@ feature for power users who want local VS Code or terminal access.
The browser IDE remains the zero-install story for all developers.
See `knowledge-base/network/cf-tunnel-ssh.md` for full detail.
Current state:
- ✅ CF Tunnel created and connected to bastion VM
- ✅ Cloudflare Zero Trust free plan active
@ -169,7 +167,33 @@ Outstanding:
- **Game server world backup / restore** — player world data backup separate from PBS infrastructure backup. Trust-critical — players losing world data will kill retention.
- **Game server subdomain** — how do players connect? Verify IP vs subdomain (e.g. `mc.zerolaghub.com` style)
- **DDoS protection** — verify network-level coverage is in place for game server traffic
---
## Infrastructure
### Hosting — GTHost (Decision: Stay, Most Cost-Effective)
GTHost Detroit is the primary host. Decision made to stay on GTHost long-term:
- Bare metal, instant Proxmox install without workarounds
- Unmetered bandwidth
- Competitive pricing — most cost-effective option evaluated
- Digital Ocean: too expensive, no bare metal/Proxmox
- OVH: more expensive, overkill for current scale
- Hetzner: Proxmox install was painful historically
### DDoS Protection (Resolved — Accepted Risk at Launch)
Investigation complete:
- GTHost Detroit page: no DDoS mention
- GTHost Chicago page: vague mention, no specs
- Cloudflare Spectrum: ~$30k/year, not viable
- Path.net: enterprise-focused, requires consult, not on our radar yet
- OPNsense provides basic rate limiting and firewall protection
- Cloudflare DNS (non-proxied) hides real IP from casual attackers
- Minecraft Java uses TCP — harder to volumetric flood than UDP games
**Decision:** Accept DDoS risk at launch. Low threat profile for Minecraft-only soft launch with small user base. Revisit when revenue supports it or if an attack occurs.
---
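Review bot: two of the "Investigation complete" bullets overstate what the current controls actually provide, and since this is the justification for accepting the risk they should be corrected. "Cloudflare DNS (non-proxied) hides real IP from casual attackers" is not true: a non-proxied (grey-cloud) record resolves straight to the origin address, so anyone who looks up the game-server name gets the real IP; only proxied records hide it, and Cloudflare does not proxy arbitrary TCP ports such as a Minecraft port on the free plan (that is the Spectrum product priced out two bullets earlier). Suggest rewording to "Cloudflare DNS (non-proxied) — real IP is exposed, no IP hiding". "Minecraft Java uses TCP — harder to volumetric flood than UDP games" should be qualified: TCP takes the reflection/amplification class of floods off the table, but SYN floods and connection-exhaustion floods target TCP services directly. "OPNsense provides basic rate limiting and firewall protection" is also worth a caveat, since the router sits behind the uplink and can limit connection rates and drop junk but cannot stop a flood that saturates the link itself; that needs upstream capacity from the provider or a scrubbing service. Because the decision is to accept the risk, the section should record the fallback for "if an attack occurs": who to contact at GTHost, whether their policy is to null-route the attacked IP (a full outage rather than a degradation), and which signal on OPNsense (bandwidth or connection-rate graph) tells the operator it is happening.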
@ -182,16 +206,13 @@ Outstanding before launch:
- **User onboarding flow** — guided first-server creation after register
- **Password reset flow** — verify wired up
- **Usage limits / quota enforcement** — per account
- **DDoS protection** — verify network-level coverage
- **Game server subdomain** — verify player connection method
- **Email notifications** — crashed, billing, provisioning
- **Upload testing** — test file upload flow end-to-end in dev containers
- **Billing endpoints** — add back to API
- **Stress testing** — k6 IDE session load test + Minecraft bot test
- See `knowledge-base/operations/stress-testing.md`
- **OPNsense audit** — both routers need systematic validation
- See `knowledge-base/network/opnsense-checklist.md`
- **Dedicated host migration** — evaluate GTHost upgrade (Gold 6152, Detroit)
- **Dedicated host upgrade** — evaluate GTHost Gold 6152, Detroit
- Trial period: $5/day up to 10 days, PBS restore approach
- Remove `testdameon` binary from zpack-portal repo root
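Review bot: the "Dedicated host migration" and "Dedicated host upgrade" bullets near the end of this list both describe evaluating the GTHost Gold 6152 in Detroit; one reads as a leftover from the rewrite, so keep the "upgrade" bullet (it carries the trial-period detail) and drop the other. The "DDoS protection — verify network-level coverage" bullet should also come out of "Outstanding before launch" now that the DDoS section in this same commit is headed "Resolved — Accepted Risk at Launch"; if it stays, the two sections contradict each other. Minor: "testdameon" is presumably the literal on-disk name of the binary, but if the file in the repo is actually spelled "testdaemon" the removal step will not find it.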
@ -208,6 +229,7 @@ Future work:
- **Admin panel** — manage users/servers as operator
- **Referral / dev pipeline reward system** — revenue sharing for developers
- **Uptime history** — visible to users per server
- **DDoS mitigation** — revisit Path.net or similar when revenue supports it
---
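Review bot: "revisit Path.net or similar when revenue supports it" has no trigger anyone will act on. Suggest stating the condition explicitly, for example a monthly revenue figure, a player-count threshold, or the first confirmed attack, and saying what "similar" means: the investigation above priced Cloudflare Spectrum at ~$30k/year and rejected it, so the realistic candidates are a Path.net-style scrubbing service or a provider-side option from GTHost. Pairing this item with an interim detection task, such as bandwidth and connection-rate alerting on OPNsense, would turn "if an attack occurs" from something players notice first into something the operator notices first.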
@ -231,3 +253,5 @@ Future work:
- ✅ Browser IDE fully loading at dev-<vmid>.zerolaghub.dev
- ✅ CF Tunnel created and connected to bastion VM
- ✅ Portal copy rewrite — landing, features, FAQ, about, pricing
- ✅ DDoS investigation — accepted risk at launch, revisit post-launch
- ✅ Hosting provider decision — GTHost Detroit, most cost-effective option