-
2026-06-02T04:55:34.771Z · created
wi cli; parent=#531
-
2026-06-02T04:55:44.176Z · Robust fix for the recurring single-path fragility (project_lezama_pmtu_blackhole / sibling of #606): 9704 chat-duo-web reverse forward currently rides a WHEY-initiated -R over the whey->lezama ssh, which traverses the GCABA FortiVPN (10.78.42.168). When that VPN drops, 9704-to-lezama dies even though lezama's PUBLIC-DNS route to the whey hub still works (same asymmetry that keeps the hub up while the tunnel is down).
Redesign: LEZAMA-initiated -L 9704:localhost:9704 to whey over lezama's working public route (mirrors how lezama reaches the 9703 hub), bypassing the VPN entirely. Owner hub-llmmsgsrv-cc to DRAFT design.
GATES: (1) lezama-side unit = GCABA-restricted -> Elazar must install/run it; (2) cannot wire until lezama is back from the ~10:30 reboot (host currently total-dark since 21:03 UTC 2026-06-01). Design can be authored now; execution post-reboot + Elazar GO.
NOTE: hub-llmmsgsrv-cc initially mis-read a stale roster row (cc-context-monitor-lezama last_seen 8h old) as 'lezama online' - same false-present class as the #604 fleet-health false-green; a roster staleness guard belongs in the #531 observability program.
-
2026-06-02T05:00:03.173Z · Premise corrected (hub source-read of lezama-watchdog.sh + llmmsg-lezama-tunnel.service, PM-confirmed): lezama has NO public egress (GCABA blocks ZeroTier + direct public); BOTH 9703 and 9704 are whey-INITIATED ssh -R over the single 10.78 FortiVPN. A lezama-initiated -L would ride the SAME VPN - it does NOT bypass anything. Its only gain = drop the whey->lezama ssh-INITIATION dependency, surviving the ASYMMETRIC failure (whey->lezama new-ssh fails while VPN + lezama userland still alive, e.g. the PMTU banner-hang). Does NOTHING for total host-dark (reboot-only) or zombie (lezama userland hung -> can't initiate -L either). The main asymmetric case (PMTU banner-hang) already has a cheaper fix: MSS clamp on whey ppp0 (project_lezama_pmtu_blackhole).
RE-SCOPE: value prop = invert 9703+9704 to lezama-initiated forwards to survive whey-side-ssh-init/asymmetric drops, STILL VPN-bound (not a bypass). PARKED at low priority pending Elazar deciding that narrow case is worth a GCABA-side unit change.
STRUCTURAL TRUTH: lezama is permanently single-path by GCABA policy - no path diversity is achievable.
-
2026-06-15T08:39:04.388Z · assigned · wi-cli-whey
coder-llmmsgsrv-cc / coder
-
2026-06-15T08:39:09.266Z · assigned · wi-cli-whey
coder-llmmsgsrv-cc / coder