2026-06-15: secure Uptime Kuma Authentik proxy app

project-kitestacks-migration.md

@@ -405,6 +405,25 @@ Verified current live state on monk before making changes:
 - `authentik` is healthy; `authentik-worker` currently shows unhealthy in
   `docker ps` even though it has been running for ~35h. Check logs/health
   before relying on new Authentik-side automation.
+- Existing Authentik objects were found for Uptime Kuma:
+  - Application slug `uptime-kuma`, name `Uptime Kuma`, provider id `7`.
+  - ProxyProvider `Uptime Kuma`, external host `https://status.kitestacks.com`,
+    internal host `http://uptime-kuma:3001`, mode `proxy`.
+  - Embedded proxy outpost already includes providers `Karakeep`,
+    `Uptime Kuma`, and `LiteLLM`.
+- `https://status.kitestacks.com` still routes directly to Kuma as of
+  2026-06-15: public curl gets Kuma's `/dashboard` redirect and 200 response,
+  not an Authentik authorization flow. Cloudflare tunnel route still needs to
+  be changed from direct Kuma to the Authentik embedded outpost/server.
+- Security fix applied 2026-06-15: created PolicyBinding
+  `6f2ac876-2f47-473d-986d-d7c5d2a3214e` from the Uptime Kuma application to
+  Authentik group `homelab-admin`, enabled, order 0. This matches the Portainer
+  restriction pattern.
+- Cloudflared is remote-managed: container command is `tunnel --no-autoupdate
+  run`, no local ingress config exists, and the compose file stores a
+  `TUNNEL_TOKEN`. Do not print that token; treat it as sensitive. Routing
+  changes must be made through Cloudflare's tunnel API/dashboard unless a
+  suitable Cloudflare API token is available locally.
 
 Important security hygiene: local git remote for `~/claude-memory` contains an
 HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in