diff --git a/OPEN_THREADS.md b/OPEN_THREADS.md index 4381451..9439e6b 100644 --- a/OPEN_THREADS.md +++ b/OPEN_THREADS.md @@ -113,16 +113,42 @@ Verified flow: - `passHostHeader: true` preserves original hostname through to API - no Caddy, no `:8081`, no per-container DNS/Traefik side effects from API -### Local Dev Access (Headscale/Tailscale — Future) +### Local Dev Access — SSH via CF Tunnel (Next Step) + +Decision: Cloudflare Tunnel on bastion VM for SSH access. Free tier covers up to 50 users. + +Planned architecture: + +``` +Developer laptop + ↓ ssh dev-6070.zerolaghub.dev +Cloudflare edge + ↓ CF Tunnel (persistent, runs on bastion) +Bastion VM (internal) + ↓ SSH proxy jump +Dev container (10.100.x.x) +``` + +Same hostname as browser IDE — different protocol. Cloudflare routes HTTPS to +Traefik and SSH to CF Tunnel separately. + +Developer one-time SSH config: + +``` +Host *.zerolaghub.dev + ProxyCommand cloudflared access ssh --hostname %h +``` + +After that `ssh dev-6070.zerolaghub.dev` just works. Portal can surface this +config snippet as a copyable block. Outstanding: -- confirm `zlh-ctl` Headscale server status -- implement Tailscale addon install in agent -- API auth key generation -- portal setup instructions - -Constraints: `magic_dns: false`, no exit nodes, no DNS takeover +- Install `cloudflared` on bastion VM +- Create CF Tunnel pointed at bastion SSH port +- Map `*.zerolaghub.dev` SSH through tunnel +- Portal SSH config snippet UI +- Agent: surface SSH hostname in `/status` or via API --- 
@@ -163,17 +189,33 @@ Completed: Outstanding: - confirm "Open IDE" button fully uses hosted URL flow +- SSH config snippet for local VS Code / terminal access - Headscale setup instructions --- +## Pre-Launch Checklist + +Outstanding before launch: + +- **Upload testing** — test file upload flow end-to-end in dev containers +- **Portal copy/wording** — site needs rewriting for public audience +- **Dedicated host migration** — evaluate GTHost upgrade (Gold 6152, Detroit) + - Trial period approach: $5/day up to 10 days + - PBS restore for safe migration validation + - Two-host split (core vs game/dev) is longer term option + +--- + ## Platform Future work: -- Tailscale dev access +- CF Tunnel SSH access (see Local Dev Access above) +- Tailscale dev access (alternative/complement to CF Tunnel) - artifact version promotion - runtime rollback support +- Cloudflare R2 for large artifact/mod file delivery at scale ---
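Review bot: the first hunk's new "Outstanding" list has no item for the Cloudflare Access policy that gates SSH (which identities may reach `*.zerolaghub.dev` over the tunnel), and no item for how the bastion turns the `dev-6070` hostname into the `10.100.x.x` dev-container address that the "SSH proxy jump" step in the diagram relies on; without both, "Create CF Tunnel pointed at bastion SSH port" exposes the bastion's sshd to any authenticated tunnel user with no per-developer routing. Suggest adding two bullets, e.g. `- Access policy: restrict SSH app to dev group` and `- Bastion: per-hostname jump mapping (dev-NNNN -> 10.100.x.x)`. Also, removing `Constraints: magic_dns: false, no exit nodes, no DNS takeover` drops the only record of the Headscale guard-rails while the Platform section still lists Tailscale as an "alternative/complement"; keep that line (moved under the Tailscale bullet) rather than deleting it.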
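Review bot: in the second hunk the unchanged `- Headscale setup instructions` bullet is now inconsistent with the first hunk, which retitled Local Dev Access away from Headscale to CF Tunnel SSH; either replace it with CF Tunnel setup instructions or cross-reference the Tailscale alternative explicitly. The new `- SSH config snippet for local VS Code / terminal access` bullet should also note the client-side prerequisite: the snippet's `ProxyCommand cloudflared access ssh` only works if `cloudflared` is installed and logged in on the developer laptop, which no outstanding list currently covers, so the portal snippet UI should carry the install step alongside the config block.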