From b7b386901420ec1860af11a140687faaa6cd2dc3 Mon Sep 17 00:00:00 2001
From: root <root@srv1491630.hstgr.cloud>
Date: Tue, 31 Mar 2026 06:47:39 +0000
Subject: [PATCH] docs(architecture): keep monitoring stacks internal on VM

---
 docs/devops/vercel/CODEX_PROMPTS_TRACK_A_AZURE_VM.md | 6 ++++++
 docs/devops/vercel/TRACK_A_HANDOFF_2026-03-29.md     | 1 +
 2 files changed, 7 insertions(+)

diff --git a/docs/devops/vercel/CODEX_PROMPTS_TRACK_A_AZURE_VM.md b/docs/devops/vercel/CODEX_PROMPTS_TRACK_A_AZURE_VM.md
index f16b27ec..40376978 100644
--- a/docs/devops/vercel/CODEX_PROMPTS_TRACK_A_AZURE_VM.md
+++ b/docs/devops/vercel/CODEX_PROMPTS_TRACK_A_AZURE_VM.md
@@ -245,12 +245,18 @@ TASK: Keep admin-web and tracker-web on the Azure VM as Docker-hosted internal d
 CONTEXT:
 - Internal/admin/operator-facing web apps should stay on the VM
 - admin-web and tracker-web are Next.js frontends from learning_ai_common_plat under dashboards/
+- Monitoring and observability tools should also stay on the VM:
+  - Grafana
+  - Loki
+  - Prometheus / Alertmanager if added
+  - other internal ops dashboards
 - Their hostnames should be:
   - https://admin.bytelyst.com
   - https://tracker.bytelyst.com
 - Those domains should point to the VM, not Vercel
 - Browser/API configuration should use the VM backend entrypoint at https://api.bytelyst.com
 - These dashboards are internal surfaces and should not be treated as public sites
+- Monitoring stacks must also remain internal-only and should not expose raw ports publicly
 
 TASK LIST:
 - [ ] 1. Audit both dashboards for browser-visible backend URLs and ensure they use https://api.bytelyst.com where appropriate
diff --git a/docs/devops/vercel/TRACK_A_HANDOFF_2026-03-29.md b/docs/devops/vercel/TRACK_A_HANDOFF_2026-03-29.md
index f5026d32..1e4be56b 100644
--- a/docs/devops/vercel/TRACK_A_HANDOFF_2026-03-29.md
+++ b/docs/devops/vercel/TRACK_A_HANDOFF_2026-03-29.md
@@ -6,6 +6,7 @@ Architecture decision after this handoff:
 
 - The VM should host self-hosted infrastructure, backend APIs, and internal web tools in Docker
 - `api.bytelyst.com`, `gitea.bytelyst.com`, `admin.bytelyst.com`, and `tracker.bytelyst.com` should point to the VM
+- Monitoring and observability stacks such as Grafana and Loki should stay on the VM as internal-only tools
 - Only clearly public-facing sites should be considered for Vercel later
 
 ## What Was Completed