2026-06-15: document Uptime Kuma tunnel route blocker

project-kitestacks-migration.md

@@ -424,6 +424,15 @@ Verified current live state on monk before making changes:
   `TUNNEL_TOKEN`. Do not print that token; treat it as sensitive. Routing
   changes must be made through Cloudflare's tunnel API/dashboard unless a
   suitable Cloudflare API token is available locally.
+- Local validation after the Authentik binding: `curl -I -H 'Host:
+  status.kitestacks.com' http://localhost:9001` returns `302` to
+  `https://status.kitestacks.com/outpost.goauthentik.io/start?...`, proving
+  the embedded outpost/proxy provider works when traffic reaches Authentik.
+- No suitable Cloudflare API token was found during the local search; only the
+  cloudflared connector tunnel token is present. Remaining blocker is changing
+  the Cloudflare Tunnel public hostname for `status.kitestacks.com` from
+  `http://uptime-kuma:3001` to `http://authentik:9000` (or equivalent
+  Authentik service target in the Tunnel UI).
 
 Important security hygiene: local git remote for `~/claude-memory` contains an
 HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in