docs(gateway): record live bytelyst HTTPS cutover

docs/devops/single_azure_vm/docker/Caddyfile.bytelyst.example

@@ -85,3 +85,23 @@ api.bytelyst.com {
 
   respond 404
 }
+
+gitea.bytelyst.com {
+  encode gzip
+  reverse_proxy gitea-npm-registry:3000
+}
+
+admin.bytelyst.com {
+  encode gzip
+  reverse_proxy admin-web:3001
+}
+
+tracker.bytelyst.com {
+  encode gzip
+  reverse_proxy tracker-web:3003
+}
+
+llmlab.bytelyst.com {
+  encode gzip
+  reverse_proxy llmlab-dashboard:3075
+}

docs/devops/vercel/GODADDY_DNS_SETUP_BYTELYST.md

@@ -65,19 +65,24 @@ pnpm dns:godaddy:bytelyst -- --ip <Azure VM public IP> --validate
 
 ## Current Status
 
-Status as of `2026-03-31 09:23:20 UTC`:
+Status as of `2026-03-31 09:41:09 UTC`:
 
 - GoDaddy `A` records were updated for `api`, `gitea`, `admin`, `tracker`, and `llmlab`
-- `api`, `gitea`, `admin`, and `tracker` resolve publicly to `187.124.159.82`
-- `llmlab` is present in the GoDaddy API and on the authoritative nameservers with `187.124.159.82`
-- public resolver visibility for `llmlab` may lag briefly behind the authoritative update
-- public HTTP on port `80` responded, but returned `404 Not Found`
-- public HTTPS on port `443` timed out for all four hostnames
+- all five hostnames resolve publicly to `187.124.159.82`
+- the VM now serves `80` and `443` through the `caddy` container
+- Let's Encrypt certificates were issued successfully for all five hostnames
+- live HTTPS verification from inside the VM-level Caddy path returned:
+  - `api.bytelyst.com` -> `HTTP/1.1 200 OK`
+  - `gitea.bytelyst.com` -> `HTTP/1.1 200 OK`
+  - `admin.bytelyst.com` -> `HTTP/1.1 200 OK`
+  - `tracker.bytelyst.com` -> `HTTP/1.1 200 OK`
+  - `llmlab.bytelyst.com` -> `HTTP/1.1 200 OK`
 
 Interpretation:
 
 - DNS cutover is complete
-- the remaining work is on the VM-side gateway and/or Azure network path, not in GoDaddy DNS
+- the VM-side HTTPS gateway issue is fixed
+- remaining work, if any, is app-specific hardening rather than DNS or TLS bring-up
 
 ## Preconditions
 
@@ -310,15 +315,20 @@ docker logs caddy --tail 100
 
 Likely root causes for the current state:
 
-- the live `/opt/bytelyst/Caddyfile` only includes `api.bytelyst.com`
-- `gitea`, `admin`, `tracker`, and `llmlab` host blocks were never added on the VM
-- Azure NSG is allowing `80` but not `443`
-- Caddy is not healthy or is failing certificate issuance / bind on `443`
+- the live `/opt/bytelyst/Caddyfile` only included `api.bytelyst.com`
+- `gitea`, `admin`, `tracker`, and `llmlab` host blocks had not been added on the VM
+- the legacy Traefik `gateway` container was still holding port `80`
+- the `caddy` container was defined in compose but not running, so nothing was bound to `443`
 
 ## Change Log
 
 Use this section to record real DNS cutovers:
 
+| Date         | Operator | Change                                                                                                                         | Result         |
+| ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------- |
+| `2026-03-31` | Codex    | Created GoDaddy-specific DNS runbook for `bytelyst.com`                                                                        | Document added |
+| `2026-03-31` | Codex    | Switched live VM ingress from legacy gateway to Caddy and validated HTTPS for `api`, `gitea`, `admin`, `tracker`, and `llmlab` | HTTPS fixed    |
+
 | Date         | Operator | Change                                                                                               | Result               |
 | ------------ | -------- | ---------------------------------------------------------------------------------------------------- | -------------------- |
 | `2026-03-31` | Codex    | Created GoDaddy-specific DNS runbook for `bytelyst.com`                                              | Document added       |