docs(devops): add llmlab dns handoff

Saravana Achu Mac 2026-03-31 02:32:01 -07:00
parent 356c96e1d9
commit e573e98cc1
2 changed files with 32 additions and 16 deletions

@ -18,6 +18,7 @@ For the current internal-on-VM setup, these hostnames should point to the Azure
| `gitea.bytelyst.com` | `A` | `<Azure VM public IP>` | Gitea and private npm registry through Caddy |
| `admin.bytelyst.com` | `A` | `<Azure VM public IP>` | Internal admin dashboard |
| `tracker.bytelyst.com` | `A` | `<Azure VM public IP>` | Internal tracker dashboard |
| `llmlab.bytelyst.com` | `A` | `<Azure VM public IP>` | LLM Lab Mission Control dashboard on the VM |
Recommended temporary TTL during cutover:
@ -25,8 +26,8 @@ Recommended temporary TTL during cutover:
Notes:
- `llmlab-dashboard` is internal VM tooling and does not need a public DNS record
- `localmemgpt-web` is intended to be hosted on Vercel, so it is not part of this VM DNS runbook
- `llmlab-dashboard` runs on VM port `3075`; if you expose it publicly, route it through Caddy instead of exposing `3075` directly
## Automated Option
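Review bot: The port `3075` note is still conditional ("if you expose it publicly") even though this commit adds a public `A` record for `llmlab.bytelyst.com` in the table above, and the other note in this hunk describes `llmlab-dashboard` as internal VM tooling. Make the note unconditional, and state what access control sits in front of the dashboard once Caddy proxies it (authentication or a source-IP restriction), plus an explicit statement that the NSG must not allow inbound `3075`.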
@ -54,6 +55,7 @@ The script manages these `A` records by default:
- `gitea`
- `admin`
- `tracker`
- `llmlab`
Root shortcut:
@ -65,10 +67,10 @@ pnpm dns:godaddy:bytelyst -- --ip <Azure VM public IP> --validate
Status as of `2026-03-31 09:23:20 UTC`:
- GoDaddy `A` records were updated for `api`, `gitea`, `admin`, and `tracker`
- all four names now resolve to `187.124.159.82`
- authoritative GoDaddy nameservers returned the expected IP for all four names
- public `dig` checks also returned `187.124.159.82`
- GoDaddy `A` records were updated for `api`, `gitea`, `admin`, `tracker`, and `llmlab`
- `api`, `gitea`, `admin`, and `tracker` resolve publicly to `187.124.159.82`
- `llmlab` is present in the GoDaddy API and on the authoritative nameservers with `187.124.159.82`
- public resolver visibility for `llmlab` may lag briefly behind the authoritative update
- public HTTP on port `80` responded, but returned `404 Not Found`
- public HTTPS on port `443` timed out for all four hostnames
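Review bot: The two closing bullets of this status block still say port `80` returned `404` and port `443` "timed out for all four hostnames", and the `Status as of` timestamp is unchanged, so the block does not say whether `llmlab` was tested over HTTP or HTTPS at all. Update the timestamp to when the `llmlab` checks were run and either extend the HTTP/HTTPS bullets to the fifth name or mark `llmlab` as not yet checked.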
@ -98,6 +100,7 @@ Interpretation:
| `gitea` | `A` | `<Azure VM public IP>` | `600` |
| `admin` | `A` | `<Azure VM public IP>` | `600` |
| `tracker` | `A` | `<Azure VM public IP>` | `600` |
| `llmlab` | `A` | `<Azure VM public IP>` | `600` |
6. Save each record.
7. Remove or correct any conflicting `A`, `CNAME`, or forwarding records for the same names.
@ -111,12 +114,13 @@ dig +short api.bytelyst.com
dig +short gitea.bytelyst.com
dig +short admin.bytelyst.com
dig +short tracker.bytelyst.com
dig +short llmlab.bytelyst.com
curl -sf https://api.ipify.org && echo
```
Expected result:
- all four hostnames resolve to the same Azure VM public IP
- all five hostnames resolve to the same Azure VM public IP
- the resolved IP matches the output from `https://api.ipify.org`
After DNS resolves correctly, validate HTTPS:
@ -126,6 +130,7 @@ curl -sI https://api.bytelyst.com/platform/health | head -5
curl -sI https://gitea.bytelyst.com | head -5
curl -sI https://admin.bytelyst.com | head -5
curl -sI https://tracker.bytelyst.com | head -5
curl -sI https://llmlab.bytelyst.com | head -5
```
Expected result:
@ -140,8 +145,8 @@ Delegate the remaining work to the Codex session running inside the Azure VM. Th
Recommended handoff summary:
- DNS is already correct for `api.bytelyst.com`, `gitea.bytelyst.com`, `admin.bytelyst.com`, and `tracker.bytelyst.com`
- all four names point to `187.124.159.82`
- DNS is already correct for `api.bytelyst.com`, `gitea.bytelyst.com`, `admin.bytelyst.com`, `tracker.bytelyst.com`, and `llmlab.bytelyst.com`
- all five names point to `187.124.159.82`
- do not spend time redoing GoDaddy changes unless records drift
- focus on `/opt/bytelyst/Caddyfile`, the `caddy` container, and Azure NSG rules for `443`
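Review bot: The handoff summary states DNS "is already correct" for `llmlab.bytelyst.com` and tells the VM session not to redo GoDaddy changes, but the status section in this same commit says public resolver visibility for `llmlab` may lag behind the authoritative update. Carry that caveat into the handoff so a failed public lookup or certificate issuance for `llmlab` is not misread as a Caddy or NSG fault.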
@ -159,6 +164,7 @@ curl -sI http://localhost:3001 | head -5
curl -sI http://localhost:3003 | head -5
curl -sI http://localhost:3300 | head -5
curl -sI http://localhost:4003/health | head -5
curl -sI http://localhost:3075 | head -5
```
Check the live Caddy config:
@ -173,6 +179,7 @@ The live Caddy config should cover at least these hostnames:
- `gitea.bytelyst.com`
- `admin.bytelyst.com`
- `tracker.bytelyst.com`
- `llmlab.bytelyst.com`
Expected proxy targets:
@ -183,6 +190,7 @@ Expected proxy targets:
- `gitea.bytelyst.com` -> host or container endpoint for Gitea on port `3300`
- `admin.bytelyst.com` -> `admin-web:3001`
- `tracker.bytelyst.com` -> `tracker-web:3003`
- `llmlab.bytelyst.com` -> `llmlab-dashboard:3075`
If the file is missing host blocks, update it and reload Caddy:
@ -204,6 +212,7 @@ curl -vk https://api.bytelyst.com/platform/health
curl -vk https://gitea.bytelyst.com
curl -vk https://admin.bytelyst.com
curl -vk https://tracker.bytelyst.com
curl -vk https://llmlab.bytelyst.com
```
Ready-to-paste prompt for the Codex session running inside the VM:
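Review bot: The added `curl -vk https://llmlab.bytelyst.com` inherits `-k`, which disables certificate verification, so this check passes even when Caddy serves an invalid or self-signed certificate. Since failed certificate issuance is listed as a likely root cause, the final verification should drop `-k` (for example `curl -sSI https://llmlab.bytelyst.com`) and keep `-vk` only as a debugging step; the same applies to the copy of this list inside the Codex prompt.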
@ -216,6 +225,7 @@ Known-good DNS state as of 2026-03-31:
- gitea.bytelyst.com -> 187.124.159.82
- admin.bytelyst.com -> 187.124.159.82
- tracker.bytelyst.com -> 187.124.159.82
- llmlab.bytelyst.com -> 187.124.159.82
Known current failure:
- HTTP on port 80 responds, but returns 404
@ -231,6 +241,7 @@ Your task:
- gitea.bytelyst.com
- admin.bytelyst.com
- tracker.bytelyst.com
- llmlab.bytelyst.com
6. Ensure proxy targets are correct:
- api.bytelyst.com:
- /platform/* -> platform-service:4003
@ -239,12 +250,14 @@ Your task:
- gitea.bytelyst.com -> Gitea on port 3300
- admin.bytelyst.com -> admin-web:3001
- tracker.bytelyst.com -> tracker-web:3003
- llmlab.bytelyst.com -> llmlab-dashboard:3075
7. Reload Caddy
8. Verify:
- curl -vk https://api.bytelyst.com/platform/health
- curl -vk https://gitea.bytelyst.com
- curl -vk https://admin.bytelyst.com
- curl -vk https://tracker.bytelyst.com
- curl -vk https://llmlab.bytelyst.com
Run these first:
@ -258,6 +271,7 @@ curl -sI http://localhost:3001 | head -5
curl -sI http://localhost:3003 | head -5
curl -sI http://localhost:3300 | head -5
curl -sI http://localhost:4003/health | head -5
curl -sI http://localhost:3075 | head -5
If /opt/bytelyst/Caddyfile is missing host blocks, fix it there and reload:
@ -273,6 +287,7 @@ When done, report:
- what was wrong
- what file(s) you changed
- exact verification results for all four public hostnames
- exact verification results for all five public hostnames
```
## Troubleshooting
@ -281,6 +296,7 @@ If records do not resolve as expected:
- verify that GoDaddy is the authoritative DNS provider for `bytelyst.com`
- check for duplicate records for `api`, `gitea`, `admin`, or `tracker`
- check for duplicate records for `api`, `gitea`, `admin`, `tracker`, or `llmlab`
- wait for propagation and retry with low TTL still in place
- confirm Azure NSG allows inbound `80` and `443`
- confirm Caddy is running and reachable on the VM
@ -295,7 +311,7 @@ docker logs caddy --tail 100
Likely root causes for the current state:
- the live `/opt/bytelyst/Caddyfile` only includes `api.bytelyst.com`
- `gitea`, `admin`, and `tracker` host blocks were never added on the VM
- `gitea`, `admin`, `tracker`, and `llmlab` host blocks were never added on the VM
- Azure NSG is allowing `80` but not `443`
- Caddy is not healthy or is failing certificate issuance / bind on `443`
@ -303,8 +319,8 @@ Likely root causes for the current state:
Use this section to record real DNS cutovers:
| Date | Operator | Change | Result |
| ------------ | -------- | ------------------------------------------------------------------------------------------ | -------------------- |
| `2026-03-31` | Codex | Created GoDaddy-specific DNS runbook for `bytelyst.com` | Document added |
| `2026-03-31` | Codex | Updated GoDaddy `A` records for `api`, `gitea`, `admin`, and `tracker` to `187.124.159.82` | DNS cutover complete |
| `2026-03-31` | Codex | Verified DNS propagation and recorded VM-side HTTPS follow-up steps | VM action pending |
| Date | Operator | Change | Result |
| ------------ | -------- | ---------------------------------------------------------------------------------------------------- | -------------------- |
| `2026-03-31` | Codex | Created GoDaddy-specific DNS runbook for `bytelyst.com` | Document added |
| `2026-03-31` | Codex | Updated GoDaddy `A` records for `api`, `gitea`, `admin`, `tracker`, and `llmlab` to `187.124.159.82` | DNS cutover complete |
| `2026-03-31` | Codex | Verified DNS propagation and recorded VM-side HTTPS follow-up steps | VM action pending |
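Review bot: The existing "Updated GoDaddy `A` records" row is rewritten in place to include `llmlab` rather than a new row being appended, which alters the record of the earlier four-host cutover in a table meant to "record real DNS cutovers". Leave the original row as it was and add a separate row for the `llmlab` record, so the log shows two distinct changes.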

@ -7,7 +7,7 @@ TARGET_IP="${GODADDY_DNS_TARGET_IP:-}"
AUTO_IP=false
DRY_RUN=false
VALIDATE=false
HOSTS=("api" "gitea" "admin" "tracker")
HOSTS=("api" "gitea" "admin" "tracker" "llmlab")
CONFIG_FILE="${XDG_CONFIG_HOME:-$HOME/.config}/godaddypy/credentials.yaml"
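Review bot: Adding `"llmlab"` to the default `HOSTS` array means every run that does not pass `--hosts` will now create or overwrite a public `A` record for the dashboard. Given that the runbook lists the `llmlab` Caddy host block as never added on the VM, consider keeping `llmlab` out of the default and passing it explicitly with `--hosts` until the proxy and its access control are in place.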
@ -23,7 +23,7 @@ Options:
--auto-ip Detect the current public IP with api.ipify.org
--domain <domain> GoDaddy zone to update (default: bytelyst.com)
--ttl <seconds> TTL for the managed A records (default: 600)
--hosts <csv> Hostnames to manage (default: api,gitea,admin,tracker)
--hosts <csv> Hostnames to manage (default: api,gitea,admin,tracker,llmlab)
--validate Run dig validation after changes
--dry-run Print the API operations without applying them
-h, --help Show help