From afb976c6fff75fdedbbf270878727c472acb3482 Mon Sep 17 00:00:00 2001 From: jester Date: Wed, 25 Mar 2026 21:11:24 +0000 Subject: [PATCH] =?UTF-8?q?Update=20CF=20Tunnel=20state=20=E2=80=94=20conn?= =?UTF-8?q?ected=20to=20bastion,=20remaining=20steps=20tracked?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- OPEN_THREADS.md | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/OPEN_THREADS.md b/OPEN_THREADS.md index e947994..82b4f29 100644 --- a/OPEN_THREADS.md +++ b/OPEN_THREADS.md @@ -75,6 +75,7 @@ Completed: 2. Dev container `provisioningComplete` state in `/status` 3. Graceful shutdown verification (SIGTERM + wait for Minecraft) 4. Process reattachment on agent restart +5. SSH server install in dev container provisioning pipeline --- 
@@ -95,23 +96,25 @@ with workspace mounted, extensions panel visible, AI chat panel active. - reduce legacy `/__ide/:id` compatibility paths once portal button confirmed - simplify and harden `devProxy` — remove stale path-based assumptions -### Local Dev Access — SSH via CF Tunnel (Next Step) +### Local Dev Access — SSH via CF Tunnel (In Progress) -Decision: Cloudflare Tunnel on bastion VM. Free tier covers up to 50 users. -Same hostname as browser IDE — different protocols routed separately. +See `knowledge-base/network/cf-tunnel-ssh.md` for full detail. -Developer one-time SSH config: +Current state: +- ✅ CF Tunnel created and connected to bastion VM +- ✅ Cloudflare Zero Trust free plan active +- ⏳ Tunnel SSH hostname mapping not yet configured in Zero Trust dashboard +- ⏳ Bastion SSH proxy jump config not yet done +- ⏳ Dev container SSH server not yet verified +- ⏳ Portal SSH config snippet not yet built + +Developer one-time SSH config (once complete): ``` Host *.zerolaghub.dev ProxyCommand cloudflared access ssh --hostname %h + User dev ``` -Outstanding: -- Install `cloudflared` on bastion VM -- Create CF Tunnel pointed at bastion SSH port -- Map `*.zerolaghub.dev` SSH through tunnel -- Portal SSH config snippet UI - --- ## API (zpack-api) @@ -174,8 +177,7 @@ Outstanding before launch: Future work: -- CF Tunnel SSH access (see Local Dev Access above) -- Tailscale dev access (alternative/complement to CF Tunnel) +- CF Tunnel SSH access completion (see Local Dev Access above) - artifact version promotion - runtime rollback support - Cloudflare R2 for large artifact/mod file delivery at scale @@ -200,3 +202,4 @@ Future work: - ✅ Per-container dev IDE edge publish/unpublish removed from API - ✅ Wildcard TLS cert `*.zerolaghub.dev` via Let's Encrypt + Cloudflare DNS-01 - ✅ Browser IDE fully loading at dev-.zerolaghub.dev +- ✅ CF Tunnel created and connected to bastion VM
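Review bot: In the `@@ -75,6 +75,7 @@` hunk, the new item `5. SSH server install in dev container provisioning pipeline` is listed under Completed, while the Local Dev Access checklist added by this same patch still marks `Dev container SSH server not yet verified` as pending. Suggest wording the item as installed but unverified, or keeping it out of Completed until the verification item is checked off, so the two sections do not disagree about the state of the container SSH server.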
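Review bot: In the `@@ -95,23 +96,25 @@` hunk, the new "Current state" checklist tracks nothing about who is authorized to reach SSH through the tunnel. The four pending items cover hostname mapping, bastion proxy jump, container SSH server verification and the portal snippet, while the config block now applies `User dev` to every host matching `Host *.zerolaghub.dev`. Suggest adding a pending item for the access policy on the SSH hostname in the Zero Trust dashboard, and one for how per-developer keys are provisioned and revoked on the shared `dev` account. Separately, the removed `Decision:` lines are replaced by a pointer to `knowledge-base/network/cf-tunnel-ssh.md`, which this patch does not touch (1 file changed); confirm that file already exists and carries the decision rationale, otherwise keep a one-line summary here.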
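Review bot: In the `@@ -174,8 +177,7 @@` hunk, the line `- Tailscale dev access (alternative/complement to CF Tunnel)` is deleted from Future work without any stated reason, and the commit subject only mentions CF Tunnel state. If Tailscale was dropped deliberately, record that decision in this file or in the referenced knowledge-base page; if not, keep the line, since the CF Tunnel path is still marked in progress and this was the only listed alternative.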